The French Data Protection Authority (CNIL) ordered three French websites to stop using the analytical audience site Google Analytics deemed to violate the General Data Protection Regulation (GDPR). The decision came to light, weeks after a similar groundbreaking decision by the Austrian Data Protection Authority. The websites have 30 days to comply or risk hefty fines up to €20 million, or 4% of the annual turnover.
Google Analytics allows you to track how many people go to your website by integrating it. For each visitor, a unique identifier is assigned. Google transfers this identifier (which is personal data) and the corresponding data to the United States.
CNIL received several complaints from NOYB about the transfer of data collected from their site visitors via Google Analytics to the United States. Max Schrems, chair of the European Center for Digital Rights (NOYB), sent these complaints to several data protection authorities (DPAs), including the Austrian and French DPAs, in 2020.
It’s no secret that many websites use Google Analytics to learn more about their audiences. With privacy laws tightening, especially across Europe, and the GDPR still being sorted out, there will be an increase in services flouting GDPR. A concern in a global economy is the potential for separate products for the EU and the U.S.
Interesting Read: 6 Data Privacy Trends To Look Out For In 2022!
Insufficient Measures under Schrems II
In the course of its evaluation, the CNIL reviewed the consequences of the Schrems II decision of the Court of Justice of the European Union on 16 July 2020, which rendered the Privacy Shield invalid. According to the Court of Justice of the European Union (CJEU), the personal information transferred to the United States could be accessed by American intelligence services if the transfers are not properly regulated.
DPA’s have concluded that transfers to the United States are currently not adequately regulated. As a matter of fact, it says that in the absence of an adequate decision, the transfer of data cannot take place without securing appropriate guarantees for this flow specifically.
However, soon it was found that this was not the case. In fact, Google has adopted additional measures to regulate data transfers when it comes to the Google Analytics functionality, but they are not sufficient to ensure data confidentiality. Therefore, French website users are exposed to risk if they use this service and their data is exported.
As a result, the first decision was issued by the Austrian DPA earlier in January, followed by the decision by CNIL in early February.
Is Europe banning Google Analytics?
The CNIL notes that as a result, the data of Internet users is transferred to the USA in violation of Article 44 GDPR. Therefore, the CNIL ordered the website manager to bring this processing in line with GDPR, so that either Google Analytics will not be used (under current conditions) or a new tool will be used that does not involve a transfer outside the EU.
The CNIL recommends that website measurement and analysis tools should only be used to produce anonymous statistics, thus absolving the controller of any consent requirements if the transfer is legal. It has launched an evaluation program to determine which solutions are exempt from consent. The French data protection authority has also issued other orders to website operators using Google Analytics. Max Schrems said,
“In the long run we either need proper protections in the US, or we will end up with separate products for the US and the EU. I would personally prefer better protections in the US, but this is up to the US legislator – not to anyone in Europe.”
The CNIL is widely regarded as Europe’s regulatory powerhouse. The Dutch regulator has already stated that it will follow in the footsteps of the CNIL. DPAs in Germany, Spain, Portugal, and Poland are expected to make similar decisions in the coming months, cracking down on illegal personal data transfer between the US and the EU.
Interesting Read: Amazon Blocks Google FLoC – Here’s Everything You Need To Know!