French data privacy regulator says Google Analytics breaches GDPR

10 Feb 2022

Image: © pe3check/Stock.adobe.com

The French watchdog said it is investigating other website tools that transfer EU data to the US and it may add ‘corrective measures’ if they breach GDPR rules.

France’s privacy regulator has concluded today (10 February) that data transfers to the US via Google Analytics breach GDPR rules and has ordered a French website manager to stop using the service under certain conditions.

This is the latest in a line of challenges regarding the transfer of personal data from Europe to the US. Last month, the Austrian data protection authority found that the use of Google Analytics by an Austrian website did not comply with EU data protection law.

The French watchdog, CNIL, said it received several complaints from digital rights group NOYB regarding data transfers to the US collected during visits to websites that use Google Analytics.

Google Analytics is a tool designed to monitor website traffic. For example, it can be used to generate reports on visitor numbers, browser parameters and which device they are using. It does this by placing a cookie – a small piece of code – on the user’s device, which assigns a unique identification number.

CNIL, in cooperation with European counterparts, analysed the conditions under which the data collected from EU users through Google Analytics is transferred to the US.

According to the Schrems II ruling in July 2020, transfers of personal data from the EU to the US can only take place if there is a sufficient level of protection. CNIL said the EU Court of Justice previously highlighted the risk that US intelligence services could access personal data transferred from the EU if transfers are not properly regulated.

“Indeed, although Google has adopted additional measures to regulate data transfers in the context of the Google Analytics functionality, these are not sufficient to exclude the accessibility of this data for US intelligence services,” CNIL said in a statement.

“There is therefore a risk for French website users who use this service and whose data is exported.”

CNIL has ordered a French website manager to bring the processing  of user data into compliance with GDPR. The website manager may have to stop using Google Analytics, or use a tool that does not involve a data transfer outside the EU. CNIL has given the website operator one month to comply.

Last month, the European Parliament was reprimanded by an EU privacy watchdog for violating GDPR on its internal Covid-19 testing website through the transfer of data to the US via cookies from Google Analytics and Stripe. This was one of the first decisions implementing the Schrems II ruling, possibly setting a precedent for EU-US data transfer cases.

CNIL said 101 complaints have been filed by NOYB in the 27 EU member states and three other European Economic Area states against 101 data controllers allegedly transferring personal data to the US.

The French watchdog said its investigation extends to other tools used by sites that result in the transfer of data from the EU to the US, adding that more corrective measures “may be adopted in the near future”.

Schrems II struck down Privacy Shield, a data privacy tool that allowed for the transfer of European data to US companies, and a successor arrangement has yet to be finalised. Meta said last week that it would “likely be unable to offer” some of its major services if a new framework is not drawn up.

Don’t miss out on the knowledge you need to succeed. Sign up for the Daily Brief, Silicon Republic’s digest of need-to-know sci-tech news.

Leigh Mc Gowran is a journalist with Silicon Republic

editorial@siliconrepublic.com