Use of Google Analytics has now been found to breach European Union privacy laws in France — after a similar decision was reached in Austria last month.
The French data protection watchdog, the CNIL, said today that an unnamed local website’s use of Google Analytics is non-compliant with the bloc’s General Data Protection Regulation (GDPR) — breaching Article 44 which covers personal data transfers outside the bloc to so-called third countries which are not considered to have essentially equivalent privacy protections.
The US fails this critical equivalence test on account of having sweeping surveillance laws which do not provide non-US citizens with any way to know whether their data is being acquired, how it’s being used or to seek redress for any misuse.
Whereas the EU’s GDPR demands that data protection travels with citizens’ information as a stipulation of legal export.
France’s CNIL has been investigating one of 101 complaints filed by European privacy advocacy group, noyb, back in August 2020 — after the bloc’s top court invalidated the EU-US Privacy Shield agreement on data transfers.
Since then (indeed, long before) the legality of transatlantic transfers of personal data have been clouded in uncertainty.
While it has taken EU regulators some time to act on illegal data transfers — despite an immediate warning from the European Data Protection Board of no grace period in the wake of the July 2020 CJEU ruling (aka ‘Schrems II) — decisions are now finally starting to flow. Including another by the European Data Protection Supervisor last month, also involving Google Analytics.
In France, the CNIL has ordered the website which was the target of one of noyb’s complaints to comply with the GDPR — and “if necessary, to stop using this service under the current conditions” — giving it a deadline of one month to comply.
As in Austria, the CNIL’s assessment of Google’s claimed supplementary measures (which it had argued ensured EU citizens’ data which was taken, via Google Analytics, to the US was adequately protected) found them to be inadequate.
“[A]lthough Google has adopted additional measures to regulate data transfers in the context of the Google Analytics functionality, these are not sufficient to exclude the accessibility of this data for US intelligence services,” the CNIL writes in a press release announcing the decision.
“There is therefore a risk for French website users who use this service and whose data is exported.”
The CNIL does leave open the door to continued use of Google Analytics — but only with substantial changes that would ensure only “anonymous statistical data” gets transferred. (And the Austrian decision against Google Analytics last month took a broad interpretation of what constitutes personal data in this context, finding that an IP address could be enough given how it may be combined with other bits of data held by Google to identify a site user.)
The French regulator is also very emphatic that under “current conditions” use of Google Analytics is non-compliant — and may therefore need to cease in order for the site in question to comply with the GDPR.
The CNIL also suggests use of an alternative analytics tool which does not involve a transfer outside the EU to end the breach.
Additionally, it says it’s launched an evaluation program to determine which website audience measurement and analysis services may be exempt from the need to obtain user consent (i.e. because they only produce anonymous statistical data which can be exported legally under GDPR). Which suggests the CNIL could issue guidance in future that recommends GDPR compliant alternatives to Google Analytics.
The decision on this complaint has clear implications for any website based in France that’s currently using Google Analytics — or, indeed, any other tools that transfer personal data to the US without adequate supplementary measures — at least in the near term.
For one thing, the CNIL’s decision notes it has made “other” compliance orders to website operators using Google Analytics (again without naming any sites).
While, given joint working by EU regulators on these 101 strategic complaints, the ramifications likely scale EU-wide.
The CNIL also warns that its investigation — along with the parallel probes being undertaken by fellow EU regulators — extends to “other tools used by sites that result in the transfer of data of European Internet users to the United States”, adding: “Corrective measures in this respect may be adopted in the near future.”
So all US-based tools that are transferring personal data are facing regulatory risk.