Google Analytics, a tool that provides website traffic statistics, is under fire from critics in Europe for violating the GDPR. The Cnil has just given formal notice to a first French site manager.
It’s a first. The Commission Nationale Informatique et Liberté (Cnil) has issued a formal notice against a French website manager for its use of Google Analytics and illegal data transfers to the United States in violation of Articles 44 and following of the GDPR. The data constable did not reveal the identity of the manager, who now has one month to comply.
At the origin of this formal notice, the Cnil received several complaints from the association NOYB (My Privacy Is None of Your Business) of the Austrian Max Schrems concerning the transfer to the United States of data collected during visits to websites using Google Analytics. A total of 101 complaints were lodged by the association in the 27 Member States of the European Union. After analysis, the Cnil considered that these transfers are illegal and imposed on the mysterious French website manager to comply with the GDPR and, if necessary, to no longer use this tool under current conditions.
“The Cnil, in cooperation with its European counterparts, analyzed the conditions under which the data collected as part of the use of Google Analytics was transferred to the United States and what were the risks incurred for the persons concerned”the statement said. “In particular, it is a question of collectively drawing the consequences of the Schrems II judgment of the Court of Justice of the European Union (CJEU) of July 16, 2020 which invalidated the Privacy Shield. The CJEU had highlighted the risk that the American intelligence services could access personal data transferred to the United States if the transfers were not properly supervised”.
Other managers targeted by the CNIL
The authority considers that the transfer of data to the United States, permitted by Google Analytics, does not offer appropriate security guarantees. The additional measures taken by Google to regulate data transfers as part of the Google Analytics functionality do not “are not sufficient to exclude the possibility of access by the American intelligence services to this data” and it does exist “a risk for users of the French site who use this tool and whose data is exported”.
We also learn that other formal notice procedures have been initiated by the CNIL against site managers using Google Analytics. The investigation by the various European authorities also extends to other tools used by sites and which give rise to the transfer of data from European Internet users to the United States, such as the Facebook Connect button, for example. Corrective measures in this regard could be adopted soon.
In mid-January, the Austrian data protection authority also gave voice, believing there too that the use of Google Analytics violated the GDPR. She had pointed to an Austrian website relating to the field of health. Other decisions could come from the various European regulators who have considered the 101 complaints filed by Max Schrems and NOYB.