French privacy watchdog: Google Analytics breaches GDPR

The CNIL's ruling follows a similar one from Austria's data regulator last month


Google does not give consumers adequate information about what happens to their data and how it is used, the regulator says

French data protection watchdog the CNIL (Commission Nationale de l'Informatique et des Libertés) has said that the use of Google Analytics can 'sometimes' breach the EU's GDPR, as data transfers to the USA are not appropriately regulated.

The ruling follows an investigation into the data practices of an unnamed French website, where the regulator found that the site's use of Google Analytics violated the General Data Protection Regulation.

According to the CNIL, using Google Analytics breached Article 44 of the GDPR, which bans transfers of users' personal data from within the EU to 'third-party' countries that do not have sufficient privacy protections in place. The USA counts as one of these countries, as its protections focus on its own citizens.

Google fails to give consumers adequate information about what happens to their data and how it is used, said the CNIL, and also doesn't provide adequate routes for remedy if they believe their data has been exploited.

'Although Google has adopted additional measures to regulate data transfers in the context of the Google Analytics functionality, these are not sufficient to exclude the accessibility of this data for US intelligence services,' the regulator said.

'There is therefore a risk for French website users who use this service and whose data is exported.'

The CNIL had been examining one of the 101 complaints lodged by European privacy advocacy organisation NOYB in August 2020, following a ruling by the EU's top court that declared the EU-US Privacy Shield data-transfer pact as illegal.

The CNIL said Privacy Shield, which came into force in August 2016, was a 'self-certification system' for companies based in the USA.

The European Commission originally judged Privacy Shield to be a suitable protection for transferring personal data from European companies to the US. However, due to a lack of compliance, it reversed that ruling in 2020.

Since August 2020, NOYB has filed 101 complaints in 27 EU member states and three European Economic Area states against data controllers allegedly transferring personal data to the US.

The CNIL has ordered the offending website to comply with the GDPR by either ceasing its use of Google Analytics or adopting an alternative analytics service that does not send data outside the EU.

The CNIL also clarified that there may be some instances where the use of Google Analytics complies with GDPR rules, such as when the service is exclusively used to generate anonymised statistical data.

The ruling follows a similar decision by Austria last month.

The Austrian data protection authority, Österreichische Datenschutzbehörde, said that a German website had contravened the GDPR because its use of Google Analytics meant it was transferring personal data to the US for processing without sufficient protection.

The watchdog found that Google had not implemented sufficient measures to encrypt and anonymise the data collected through Analytics.

Following the decision, Google urged US and EU authorities to get a move on in finalising a replacement for Privacy Shield.

"If a theoretical risk of data access were enough to block data flows, that would pose a risk for many publishers and small businesses who use the web, and highlight the lack of legal stability for international data flows facing the entire European and American business ecosystem," Kent Walker, president of global affairs and chief legal officer at Google and Alphabet, wrote in a blog post.

Last week, Meta Platforms, Facebook's parent company, also warned that it may have to pull many of its products and services, including Facebook and Instagram, from the European market if the company is no longer able to transfer European users' data to the United States (although with more than 300 million users in the EU, we consider this an empty threat).

Meta blamed evolving laws and regulations from European courts, regulators and legislative bodies, which it said are impacting the firm's 'critical operations'.