French data protection authority says Google Analytics is in violation of GDPR
The French national data protection authority, CNIL, issued a formal notice to managers of an unnamed local website today arguing that its use of Google Analytics is in violation of the European Union’s General Data Protection Regulation, following a similar decision by Austria last month.
The root of the issue stems from the website’s use of Google Analytics, which functions as a tool for managers to track content performance and page visits. CNIL said the tool’s use and transfer of personal data to the U.S. fails to abide by landmark European regulations because the U.S. was deemed to not have equivalent privacy protections.
European regulators including CNIL have been investigating such complaints over the last two years, following a decision by the EU’s top court that invalidated the U.S.’s “Privacy Shield” agreement on data transfers. NOYB, the European Center for Digital Rights, reported 101 complaints in 27 member states of the EU and 3 states in the European Economic Area against data controllers who conduct the transatlantic transfers.
Privacy Shield, which went into effect in August of 2016, was a “self-certification mechanism for companies established in the United States of America,” according to CNIL.
Originally, the Privacy Shield was considered by the European Commission to be a sufficient safeguard for transferring personal data from European entities to the United States. However, in 2020 the adequacy decision was reversed due to no longer meeting standards.
An equivalency test was used to compare European and U.S. regulations which immediately established the U.S.’s failure to protect the data of non-U.S. citizens. European citizens would remain unaware that their data is being used and how it is being used, and they cannot be compensated for any misuse of data, CNIL found.
CNIL concluded that Google Analytics does not provide adequate supervision or regulation, and the risks for French users of the tool are too great.
“Indeed, if Google has adopted additional measures to regulate data transfers within the framework of the Google Analytics functionality, these are not sufficient to exclude the possibility of access by American intelligence services to this data,” CNIL said.
The unnamed site manager has been given a month to update its operations to be in compliance with GDPR. If the tool cannot meet regulations, CNIL suggests transitioning away from the current state of Google Analytics and replacing it with a different tool that does not transmit the data.
The privacy watchdog does not call for a ban of Google Analytics, but rather suggests revisions that follow the guidelines. “Concerning the audience measurement and analysis services of a website, the CNIL recommends that these tools be used only to produce anonymous statistical data, thus allowing an exemption from consent if the data controller ensures that there are no illegal transfers,” the watchdog said.