According to the French DPA (CNIL), interrupting the connection between the user’s terminal and the analytics tool server is required to comply with GDPR lawson data transfer when using Google Analytics. This was noted in the opinion issued on July 20, 2022.
Background
On February 10, 2022, the CNIL issued a compliance order to many organizations utilizing Google Analytics due to unauthorized data transfers to the US as provided for by the Austrian and Italian DPA rulings.
In these decisions, the CNIL and other EU data protection authorities concluded that the usage of Google Analytics resulted in transfers to the United States that were not appropriately regulated.
As was mentioned in the CNIL Q&A, using Google Analytics under the GDPR requires more than just the straightforward adoption of standard contractual clauses.
According to the latest release from the French DPA,
Using a properly configured proxy can be an operational solution to limit the risks to individuals.
About processing IP addresses on US servers
While CNIL has said that “simply changing the processing settings of the IP address is not sufficient to meet the Court of Justice of the European Union (CJEU) requirements, especially as these continue to be transferred to the US.”
With reference to the possibility of using encryption techniques, the CNIL stated that “encrypting” the identifier produced by Google Analytics or swapping it out for one produced by the site operator. However, due primarily to Google’s ongoing processing of IP addresses, this offers little to no further protection against the potential re-identification of data subjects.
According to CNIL, simply making changes to how you process IP addresses – a form of personal data under the GDPR – is not enough to meet their standards.
This problem can only be solved by methods that allow disconnecting the connection between the terminal and the server.
How do I set up a valid Proxy Server?
The CNIL has said that using a proxy server to prevent any direct communication between an Internet user’s terminal and the analytics tool is one potential approach.
According to the CNIL, this is what you must do in order for the proxy to be considered valid:
- the IP address is not transferred to the analytics tool’s servers. If a location is sent to the measuring tool’s servers, it must be carried out by the proxy server;
- the replacement of the user identifier by the proxy server. To ensure effective pseudonymization, the algorithm performing the replacement should ensure a sufficient level of collision (i.e., a sufficient probability that two different identifiers will give an identical result after a hash) and include a time-varying component;
- the site’s removal of external referrer information;
- the removal of any parameters present in the gathered URLs (including URL parameters permitting internal site routing and UTMs);
- the reprocessing of data that can be used to create a fingerprint, like user agents, to remove the most uncommon configurations that can result in re-identification;
- the absence of collecting lasting or cross-site identifiers (such as CRM IDs or unique IDs);
- the removal of any additional information that might permit re-identification.
The proxy server must also be hosted in a country that offers protections equal to those of the GDPR in order to prevent the data it processes from being sent outside the European Economic Area.
As with anything privacy-related, it is recommended that you conduct an analysis on this issue, put the necessary safeguards in place in the event that you choose to use this kind of solution, and ensure that these safeguards are maintained over time in light of changes.
This piece is part of an ongoing series about the latest decisions on Google Analytics. Want to know more? See our other related guides here:
