Following its decision earlier this year to ban the use of Google Analytics for the processing of personal data from France in the absence of additional safeguards, the French data protection authority (CNIL) published a set of questions and answers on the use of Google Analytics by French data controllers.
CNIL reiterated that the existence of the Standard Contractual Clauses with Google is not, in itself, an adequate safeguard as required by the GDPR for the transfer of personal data to the United States. CNIL further clarified that even in the absence of actual transfer of data to the U.S., the use of solutions offered by companies not subject to European jurisdictions is likely to pose difficulties.
Encryption of the data before it is transferred can be a sufficient safeguard only where the encryption keys are kept under the exclusive control of the French data exporter or other entities established in a territory offering an adequate level of protection. In addition, consent of the data subjects can only suffice for one-time transfers.
CNIL stressed that only a technical solution involving a proxy server that severs any direct contact between the French Internet user's terminal and the Google Analytics’ servers, would be adequate. Alternatively, CNIL suggested using other EU-based audience measurement tools from a list of tools approved by CNIL.
CLICK HERE to read CNIL’s Q&A regarding Google Analytics (in French).