French privacy regulator finds using Google Analytics can breach GDPR
France’s privacy regulator has found instances where using Google Analytics is not compliant with the European Union’s General Data Protection Regulation (GDPR).
Through an investigation into an unnamed local website’s data practices, the Commission nationale de l’informatique et des libertés (CNIL) found that the website’s use of Google Analytics was in violation of the GDPR. The French regulator said using the tool breached Article 44, which bans personal data transfers from within the bloc to “third-party countries” that do not have equivalent privacy protections in place.
Among the countries that fail to meet this threshold is the US as it does not provide non-US citizens with the means to know how their data is acquired or used. US laws also do not provide non-US citizens with the ability for recourse when their data is misused.
The regulator’s investigation into the unnamed local website was done in conjunction with looking into 100 other complaints that were filed to privacy advocacy group Noyb shortly after the European Court of Justice struck down the EU-US Privacy Shield agreement in 2020.
The complaints were filed to Noyb, whose founder, Max Schrems, was the one who initiated proceedings to invalidate the Privacy Shield agreement.
With this finding, the CNIL has ordered the unnamed local website to comply with the GDPR. In issuing the order, the regulator said the website would, if necessary, have to stop using Google Analytics under the current conditions.
The website will have one month to comply with the order.
“Although Google has adopted additional measures to regulate data transfers in the context of the Google Analytics functionality, these are not sufficient to exclude the accessibility of this data for US intelligence services,” CNIL said in a statement.
“There is therefore a risk for French website users who use this service and whose data is exported.”
The CNIL clarified, however, that there may be some instances where use of Google Analytics does meet GDPR requirements, such as when the tool is only used to produce anonymous statistical data. CNIL explained that using Google Analytics in this way would create a consent exemption so long as the data is not transferred illegally.
In addition to issuing the order, CNIL said it would launch an evaluation to determine which audience measurement and ad tools are exempt from consent.
The French GDPR interpretation follows Google urging lawmakers in the US and Europe to establish new rules for a secure data transfer framework last month. In expressing its concern, Google called for more transparency on how to interpret the GDPR, with its global affairs president Kent Walker claiming the lack of a data transfer framework would lead to a lack of legal stability.
Other US tech giants, like Meta, have similarly not taken favourably to the lack of an EU-US data transfer framework. In light of the current lack of one, Meta “threatened” to pull its services out of Europe in its annual filing to the US Securities and Exchange Commission. The tech giant subsequently walked back its comments, however, after the “threat” made headlines in various outlets and received criticism from European politicians.
“Meta is not wanting or ‘threatening’ to leave Europe and any reporting that implies we do is simply not true. Much like 70 other EU and US companies, we are identifying a business risk resulting from uncertainty around international data transfers,” said Markus Reinisch, Meta Europe public policy VP.