Cookies in the European spotlight

Consent management mechanisms and international transfers

Over the past few months, the spotlight in the realm of European data privacy has been on browser trackers and tracing (or cookies); we have witnessed various pronouncements in this area by Supervisory Authorities that have identified breaches of the European General Data Protection Regulation (GDPR) concerning the exploitation of information obtained through these or similar mechanisms. 

Key topics:

We analyse the different pronouncements on the use of cookies, with special emphasis on those relating to the analysis and measurement tool developed by Google; we address these in the following order:

  • The cookie rejection mechanism: Google and Facebook
  • The IAB TCF standard: contrary to the GDPR
  • Google Analytics: subject of analysis in terms of international transfers
  • Forthcoming decisions
  • Recommendations


The cookie rejection mechanism: Google and Facebook

The American entities Google and Facebook have been hit hard by the CNIL (Commission Nationale de l'Informatique et des Libertés), which announced resolutions and sanctions on 7 January 2022 against Google LLC and Google Ireland Limited, as well as against Facebook Ireland Limited, for non-compliance with article 82 of the French Data Protection Act. The CNIL imposed penalties of 150 and 60 million euros, respectively, having determined that the first layers of information regarding the use of cookies on the entities' websites did not provide a mechanism for refusing cookies that was as easy to use as the mechanism for accepting them.

In both cases, the supervisory authority notes that the first layers of information on the sites www.google.fr, www.youtube.com, and www.facebook.com offer an option for easily accepting cookies but not for rejecting them.

Also along this vein, the Spanish Data Protection Agency (AEPD) has already made its own announcement in resolution no. PS/00032/2020, sanctioning an entity for not having a mechanism for rejecting cookies in the first layer of information that required a single action like the one provided for their acceptance. This meant an extension of the guidelines provided in the guide on the use of cookies published months earlier.

The IAB TCF standard: contrary to the GDPR

A few weeks later, the Belgian Data Protection Authority (DPA) concluded that the Transparency and Consent Framework (TCF) standard does not comply with the provisions of the GDPR and imposed a fine of 250,000 euros on the IAB association.

TCF is a mechanism used to manage user preferences regarding the installation of data storage and retrieval devices (cookies) that are used by real-time bidding companies, among others, to display advertising to users, thereby creating a sort of "chain of consent".

The news has resonated strongly in the industry, since the IAB system is used by many website publishers in Europe, who are now wondering whether the standards of appropriateness as dictated by the association are still valid with respect to their own consent mechanisms.

It should be noted, however, that in this case the DPA is not focused on data processing performed by site publishers on users' personal data, but on the processing activity involved in the recording, storing and sharing of consent preferences by the IAB itself, on the understanding that the IAB also acts as a data controller.

The DPA, applying a broad interpretation of the concept of data controller, considers publishers and advertising technology providers – including IAB – to be jointly responsible for processing relating to the collection and dissemination of users' preferences and the processing of their personal data, on the understanding that if any of the actors involved plays a decisive role in the dissemination of such personal data, it should be considered a data controller.

In addition, the resolution concludes that the mechanism does not comply with the GDPR for the following reasons:

  1. Incorrect basis of legitimisation of processing for the chain of consent, whereby the concept of legitimate interest does not apply, at least not under the current approach.
  2. Lack of (clear) information provided to data subjects by the CMP since it is too generic and vague to allow users to understand the nature and scope of the processing, especially given the complexity of the TCF.
  3. Absence of appropriate technical and organisational measures.
  4. Absence of a register of processing activities and failure to appoint a DPO.

Google Analytics: subject of analysis in terms of international transfers

With respect to browser trackers, the spotlight in recent weeks has been on the analysis and measurement tool – or cookie – developed by Google. This is because the tool has been the subject of various rulings based on the CJEU’s declaration that the Privacy Shield is invalid.

Several supervisory authorities have therefore ruled that use of the tool results in international transfers of personal data that are not in line with the requirements of Articles 46 and 48 of the GDPR.

Along these lines, we will assess the state of affairs on the basis of the main resolutions and pronouncements that have been issued on the matter:

European Data Protection Supervisor (EDPS):

On 5 January, the EDPS reprimanded the European Parliament for non-compliance with Articles 4(1)(a), 4(2), 14 and 15 of Regulation 2018/1775 and other provisions of the ePrivacy Directive regarding the layers of information pertaining to the use of cookies enabled on the official website.

Among other issues brought to light – including the content of the information banners – the supervisor established that the website installed Google Analytics and Stripe analysis and measurement cookies on visitors' devices, resulting in international data transfers without any further steps being taken to ensure a level of protection equivalent to that established by the GDPR itself.

On that note, the EDPS offers a reminder that following the invalidation of the Privacy Shield, standard contractual clauses are not sufficient for guaranteeing data security in the destination country of a data transfer carried out by the aforementioned tools, i.e. in the USA.

Austria: Resolution by the Datenschutzbehörde of 13 January 2022

On 13 January 2022, the Austrian Data Protection Authority ("Datenschutzbehörde" or "DSB") ruled that the use of Google Analytics does not comply with Chapter V of the GDPR (Transfers of personal data to third countries or international organisations).

This is the first decision on the 101 complaints filed by NOYB (European Center for Digital Rights) following the CJEU ruling, also known as "Schrems II".

This ruling may have caused some uproar in certain quarters, but is ultimately in line with the decision issued by the European Data Protection Supervisor (EDPS) weeks earlier, stating that the use of Google Analytics does not comply with the Schrems II ruling, nor with the requirements of the GDPR regarding data transfers.

What has changed is that it is no longer an isolated pronouncement resulting from Mr Schrems' complaints, but an issue that is being analysed and sanctioned by the various supervisory authorities.

According to NOYB, similar decisions are expected in other EU Member States, as regulators have cooperated on these cases in a "working group". It appears that the Austrian DSB's decision is the first to be issued.

France: CNIL speaks out

After receiving several complaints from NOYB and in collaboration with the other European supervisory authorities, the CNIL analysed the conditions under which data are transferred to the United States via the Google Analytics tool and the risks that such transfers may entail.

In its analysis, the CNIL indicates that Google Analytics is a functionality that can be integrated by website operators, such as online retailers, to measure the number of visits made by internet users. In this context, a unique identifier is assigned to each visitor. This identifier (which constitutes personal data) and the associated data are transferred by Google to the United States.

Following this analysis, it concluded that transfers to the United States can only be made when adequate safeguards are in place and clarified that, although Google has put additional measures in place to secure transfers, these are not sufficient to exclude the possibility of US intelligence services gaining access to personal data, which creates a risk for users accessing websites through this tool.

The French authority, also taking the Schrems II ruling into account, therefore concluded that the transfer of data to the United States constitutes a breach of Articles 44 et seq. of the GDPR, and gave the website administrator a period of one month to comply with the GDPR, if necessary by ceasing to use the Google Analytics functionality (under the current conditions) or by using a tool that does not result in the transfer of data outside the EU.

It also declared that this pronouncement applies to any type of tool used by websites that results in international transfers of data.

Norway: recommendation from the Authority

The matter of international data transfers made in connection with the use of Google Analytics has also been reviewed by the Norwegian Data Protection Authority, which recommends that data controllers explore alternatives to the use of Google Analytics, with additional emphasis on the fact that browsing while the user is logged in to their Google account allows the analytical data obtained through cookies to be linked to the Google account.

Forthcoming decisions

Since 2020, the European Data Protection Board (EDPB) has had a "101 Taskforce" in place to analyse the implications of the complaints lodged by NOYB with the European supervisory authorities.

At the EDPB meeting on 22 February, the 101 Taskforce is expected to discuss the situation regarding the use of Google Analytics in the wake of the pronouncements mentioned in this briefing. This could result in the adoption of a common approach at European level for supervisory authorities.

Recommendations

With respect to the use of Google Analytics cookies, companies should therefore take the corresponding provisions into consideration regarding the adequacy of the international transfers that such use entails, i.e. update and/or adopt new contractual clauses. If these are insufficient for guaranteeing the absence of interference by a government, or if the provider is unable to guarantee that it can comply with the measures specified, the company must perform an analysis or impact assessment of the transfer that it intends to perform.

An analysis of this nature should assess the privacy risks of the data transfer while taking into account the local laws and the regulatory framework for data protection of the destination country, the transfer’s compatibility with the European Essential Safeguards and, in particular, the specific circumstances of the transfer (such as content and duration, the nature of the data to be transferred, the recipient, the purpose of the processing) as well as any safeguards implemented in addition to the clauses (including relevant technical and organisational safeguards).


Contact us

Philipp Rosenauer

Partner Legal, PwC Switzerland

Tel.: +41 58 792 18 56

Lorena Rota

Manager, MLaw, Data Privacy & Security Healthcare, PwC Switzerland

Tel.: +41 58 792 2750