Following the invalidation of the EU-US Privacy Shield, and a number of complaints filed with the CNIL by Max Schrems’ organisation NOYB, the French regulator ruled that the use of Google Analytics resulted in unlawful data transfers to the United States.
In that light, the French regulator has now provided its view that the use of a well-configured proxy server can provide an adequate operational solution to prevent such unlawful data transfers. It should be noted, however, that given the relatively costly and complex nature of implementing such measures, a more suitable alternative for many organisations may simply be to avoid analytics solutions that transfer personal data outside of Europe.
Firstly, the CNIL guidance reiterates the measures that it considers to be insufficient in this context, namely:
- the simple implementation of standard contractual clauses;
- a basic modification of the settings within Google Analytics (or any other similar audience measurement tool); and
- any other solution that keeps in place a direct contact (e.g. by way of an HTTPS connection) between the user’s computer terminal and servers in the United States.
It is clear from the CNIL’s guidance that it is necessary to ensure that any information transmitted does not, in any way, allow the re-identification of an individual, even taking into account any means available to public authorities who may wish to access the data of an identifiable individual.
As a result, the use of a proxy server is one of the few ways to ensure limited transfers of data to the United States. Such a proxy server would need to, in the CNIL’s view, guarantee:
- no transfer of IP addresses to the servers of the analytics tool;
- the replacement of a user’s identifiers by the proxy server;
- the deletion of any referring site information or any parameter contained in URLs;
- the removal of anything that can enable the generation of identifiable 'fingerprints' (e.g. user agents);
- no collection of cross-site or other identifiers (such as unique advertising identifiers (IDFAs)); and
- the deletion of any other data that could lead to re-identification.
In addition, the CNIL have also stated that any proxy server would need to be hosted under adequate conditions (i.e. conditions guaranteeing that the data the proxy will have to process will not be transferred to a country that does not provide a level of data protection essentially equivalent to that provided in the European Economic Area).
The CNIL’s new guidance, which includes a diagrammatic explanation of a proxy solution, is available here (in French).
This summary was published as part of aosphere's Rulefinder Data Privacy. Nothing in this summary is intended to provide legal or other professional advice: aosphere does not accept responsibility for loss which may arise from reliance on this summary.
What is Rulefinder Data Privacy?
Rulefinder Data Privacy is a user friendly database of global data privacy law and regulation sourced from leading privacy counsel across the globe and curated by aosphere’s team of senior data privacy professionals. Learn more here.