Google does not sufficiently guarantee the protection of Europeans’ data gathered via Google Analytics, France’s data watchdog CNIL announced on Thursday (10 February). With Austria having recently issued a similar decision, the days of Google Analytics in Europe could be numbered. EURACTIV France reports.
Used by millions of companies throughout Europe, Google Analytics is a feature for checking statistics on website performance, mainly for marketing purposes. Users are assigned a unique identifier, and data on behaviour, demographics, and acquisition methods are then transferred to the US.
But the French data protection authority said this is illegal, echoing Austria’s data protection authority, which came to the same conclusion a month ago.
Given the absence of a US-EU agreement on the matter, the additional measures taken by Google to regulate such transfers “are not sufficient to exclude the possibility of access to this data by US intelligence services,” France’s independent body ruled.
This announcement follows the EU Court of Justice’s conclusion in July 2020 that the so-called “Privacy Shield” – an agreement between the EU and the US on data processing – violated the EU’s high data protection standards as there is a risk US intelligence services could access personal data transferred across the Atlantic.
Since then, there have been discussions on a new deal between the EU and the US, but no progress has been made public.
“The current decisions regarding Google Analytics are likely to increase the pressure on the US to make concessions on data protection for EU citizens,” said Stefan Hessel, a lawyer specialising in digital issues at the reuschlaw consultancy.
The decision comes in response to 101 complaints filed by noyb with all EU data protection authorities. Noyb was founded in 2017 by data activist Max Schrems, who was also behind the July 2020 ruling.
“This is only the beginning,” Romain Robert, programme director at noyb, told EURACTIV. “All the other member countries will follow suit,” he added.
In its press release, the CNIL stresses that its analysis was carried out “in cooperation with its European counterparts”.
More recently, the InterHop collective – which brings together activists for open source software and self-managed use of health data at the local level – urged the CNIL to take up this issue.
“We are patiently awaiting the outcome of the formal notices issued by the CNIL in the field of health,” a spokesperson for the organisation told EURACTIV in reaction to the CNIL’s announcement. “For the managers of sites processing personal data in a health context, their regulatory and above all ethical responsibilities are at stake,” he added.
A month’s notice
Based on Article 44 of the General Data Protection Regulation (GDPR), which regulates data transfers to third countries, the CNIL gave a website manager whose identity has not been disclosed a one-month notice to comply.
It is “important to raise awareness among as many data controllers as possible who would use the tool, without it being useful to mention the name of a particular controller,” a CNIL spokesperson told EURACTIV.
However, according to information obtained by EURACTIV, the company in question is an online retailer – which, as per noyb’s complaint, could be either Leroy Merlin, Decathlon France, Auchan or Sephora.
The CNIL also said it is looking into the use of Facebook Connect, which “is the subject of complaints that have been referred to the CNIL and are currently being investigated”.
Google told EURACTIV it had no particular comment as the notice was not directly addressed to its services.
[Edited by Luca Bertuzzi/ Alice Taylor]