After having been ruled incompatible with EU law by Austria’s data watchdog two weeks ago, Google Analytics is now under fire in France, whose own data watchdog has been asked to check whether the tool goes against EU law. EURACTIV France reports.
In a letter sent on 28 January, French non-profit Interhop – which brings together activists for open source software and self-managed use of health data at the local level – criticised key e-health players like Recare, Alan, KelDoc or Maiia for using Google Analytics.
On 13 January, Austria’s data protection watchdog ruled that the use of the tool went against EU data protection law after Google acknowledged during the procedure that “all data collected by Google Analytics […] are hosted (i.e. stored and further processed) in the United States.”
‘Sensitive’ health data
Since the “Schrems II” ruling of July 2020, the processing of personal data on US soil has been illegal unless additional guarantees are taken. This applies particularly to health-related data, which the EU’s General Data Protection Regulation classifies as “sensitive”.
This decision by the EU Court of Justice, named after the Austrian activist Max Schrems, invalidated the so-called “Privacy Shield”, an agreement between the two blocs that framed the free movement of personal data between the EU and the US.
According to the court, Washington did not offer an equivalent level of protection for the privacy of EU citizens because the US security services can access such data no matter where it is stored.
This was confirmed by France’s highest administrative court, known as the Conseil d’Etat, in October 2020, in the context of another procedure concerning the much-criticised Health Data Hub. It could not be ruled out that the US intelligence services might want to consult these data, the court ruled.
Compatibility with Schrems II
“E-health actors must ensure that they are not subject, in whole or in part, to injunctions from third-party courts or administrative authorities obliging them to transfer data to them,” Interhop wrote in its letter to the CNIL.
The non-profit also called on the French data watchdog to analyse the consequences of the so-called “Schrems II” case law on Google Analytics and to put an end to any data processing that might prove to be illegal.
The invalidation of the Privacy Shield also recently resulted in the European Data Protection Supervisor (EDPS) sanctioning the European Parliament for using a Google Analytics cookie on its internal COVID-19 testing site.
The end of Google Analytics?
Although the noose around Google Analytics appears to be tightening, Google Analytics Director Russell Ketchum still held out hope that this will not be the end of the tool in Europe.
In response to the decision of Austria’s data protection watchdog, Ketchum said in a blog post that the company applies a series of measures to ensure that the conditions imposed by the EU’s General Data Protection Regulation (GDPR) and the EU Court for data transfers outside the EU are met.
In addition to the standard contractual clauses which are necessary in case the transfer of data from the EU to a third country is not equally protected, Google also offers “industry-leading data encryption” and “physical security in our data centres and robust policies for handling government requests for user information”, Ketchum added.
“Our infrastructure and encryption are designed to protect data, and keep it safe from government access,” he stressed.
It now remains to be seen whether the CNIL even wishes to look into the matter and whether it agrees with Google.
A possible instruction from the French privacy watchdog could further inspire other EU authorities to take up the issue and ensure the decision taken by Austria’s data authority will not remain an isolated case.
[Edited by Luca Bertuzzi/Zoran Radosavljevic]