Comment on the CNIL statement for the use of Google Analytics
Published: Jun 8th 2022 | 5 min read
The French Data Protection Authority, the CNIL issued a statement in its FAQ on how to use Google Analytics to comply with the General Data Protection Regulation (2016/679 GDPR).
The original issue, why local authorities in Austria, France and Liechtenstein banned the use of Google Analytics (even in the anonymous mode) was related to unauthorized transfer of personal data outside of the EU. Google responded to this shortcoming with a solution that the collection servers will be located close to the location of the measured IP address*. According to CNIL this is not sufficient and therefore they issued a list of rules under which Google Analytics can be used in the EU.
According to a statement made by the French authority, even this procedure (if it would work, which it doesn't seem to, see image above) is insufficient, and therefore they created a set of explicit rules that must be met to ensure the use of Google Analytics** complies with the GDPR regulation and ensure that no personal data is sent outside the EU.
The Authority's recommendation is therefore not to send data to Google Analytics directly, but to use an intermediary system to cleanse the data before sending it to GA. A so-called proxy server. Below are listed rules required by the authority, including my personal comment.
To comply with GDPR, this proxy must provide the following functionality
IP addresses must not be sent to servers belonging to the measurement tool.
The device identifier (visitorId, in GA's case _ga cookies) and any user identifier must be replaced.
Information about what page the user came to the site from must be deleted.
All parameters in the URL must be deleted when the page is submitted.
Additional techniques that will lead to enrichment of the data collected must not be used. For example, fingerprinting, user agent detection, etc.
No other cross site identifiers should be sent.
No other data that will lead to the identification of the subject.
Finally, the authority requires that the proxy server must run in an environment that ensures that collected not redacted data, are not in reach of the measurement platform and further to ensure that the proxy server itself is not running outside of the EU. So this is perfectly logical, perhaps to prevent someone from thinking of running the Proxy server in AWS, Azure, Heroku or any other cloud environment in a data center located in the US. The Google Cloud itself, regardless of location, is out of the question because it is not technically possible to gurantee Gooogle will not be able to link the data. The proxy must therefore run in EU lcoated datacenter or on internal servers.
My knowledge of French is at such a level that this layman's translation can be considered only as my personal atempt to bring the rules to other non french speaking audience. For those interested to read it in french, here is the original.
I have tried to be as objective as possible, but the fact that our product portfolio includes a product mHub Cloud which is such proxy, it is possible that, albeit unintentionally, my view is influenced.
*Google Analytics - Regional data collection
**CNIL refers to Google Analytics, but of course this also applies to other web analytics platforms where there is a risk of data transfer outside the EU.