The CNIL announces the formal notice of a French site manager for its use of Google Analytics. For the personal data constable, data transfers to the United States are illegal.
Here is a decision that could mark a before and after in the protection of personal data. The National Commission for Computing and Liberties (CNIL) announces the formal notice of a website publisher using the Google Analytics tool. In its press release, the French policeman of personal data qualifies as “illegal” the transfers of data to the United States.
What is Google Analytics?
To fully understand the stakes of this case, we must first take an interest in Google Analytics. Often compared to an octopus, Google has many services and Analytics is a free website audience analysis tool. As the CNIL explains, it provides traffic statistics and can be integrated by website managers, such as online sales sites. Very popular, the Google solution assigns a unique identifier to each visitor in order to measure the frequentation of a site by Internet users. Google Analytics offers many parameters and information, to the point of seducing millions of websites.
For the French personal data policeman, the problem comes from this unique identifier and the data associated with it. This personal data is directly transferred by Google to the United States, a country that does not offer protection comparable to the European GDPR. Seized by several complaints from the NOYB association concerning this transfer, the CNIL decided to look into the question. In cooperation with its European counterparts, it “analyzed the conditions under which the data collected through the use of Google Analytics was transferred to the United States and what were the risks incurred for the persons concerned”.
Entry by the CNIL, in cooperation with its European counterparts, analyzed the conditions under which collected by Google Analytics are transferred to the United States and considers such transfers to be illegal 👉 https://t.co/4YWv9snEpY
— CNIL (@CNIL)
Uh… who is the NOYB association?
Before looking at the CNIL’s conclusions, a word about the None of Your Business (NOYB) association. Founded by Austrian activist, she campaigns for the protection of private data. The association has filed some 101 complaints in the 27 member countries of the European Union, with local CNILs, against 101 managers of 101 data controllers who would transfer personal data to the United States. It was his complaints that prompted the authorities to carry out analyses.
The findings of the CNIL
The CNIL explains that transfers to the United States are not sufficiently supervised. According to her, there is a risk that the American intelligence services will access the data of French Internet users, via Google Analytics. “While Google has adopted additional measures to regulate data transfers within the framework of the Google Analytics functionality, these are not sufficient to exclude the possibility of access by American intelligence services to this data” says the Commission.
To reach these conclusions, the personal data policeman relies on the “Schrems II” judgment which invalidated the Privacy Shield in 2020. Concretely, there is no agreement concerning the protection of personal data between the EU and USA. The giant Google therefore does not respect the GDPR.
The CNIL’s announcement follows that of the Austrian data protection authority. In January, the “Austrian CNIL” (the Datenschutzbehörde or DSB), considered that Google Analytics did not comply with the GDPR. The Netherlands has also taken up this subject and it is now the CNIL’s turn to position itself. Google’s activities are also in the sights of German regulators.
What’s next? Is Google Analytics under threat in Europe?
With this formal notice, the site manager has one month to comply with the GDPR. Several solutions are possible, such as no longer using Google Analytics (under current conditions) or opting for an equivalent tool that does not lead to transfers outside the EU.
Behind this decision hides above all the desire to make Google react. As we indicated in January, the Californian firm will have to take measures to comply with European regulations. Otherwise, there is a risk for Google to see its Analytics tool become persona non grata in Europe.
Finally, the CNIL warns that its investigation “also extends to other tools used by sites and which give rise to the transfer of data from European Internet users to the United States”. She assures that “corrective measures in this regard could be adopted soon”. According to information from Le Monde, the Facebook Connect tool would be particularly in the sights.