Could this be the end for Google Analytics, this service from the American giant integrated by many website managers to measure their traffic?
If the answer is no, the CNIL (National Commission for Computing and Liberties) has however just thrown a stone into the pond by putting on notice this Thursday a website – with the identity not communicated – to put within a deadline of one month “in accordance with this processing with the GDPR, if necessary by ceasing to use the Google Analytics functionality (under the current conditions) or by using a tool that does not entail a transfer outside the EU”.
Entry by the Noyb association (None of Your Business) concerning compliance with the GDPR (General Data Protection Regulation) during the transfer across the Atlantic of data collected via the tool developed by Google, the CNIL thus comes, with this strong decision, to put a damper on a very large part of the online advertising ecosystem. Why ? Because publishers’ advertising revenues are very often based on site audience figures provided by Google Analytics.
European offensive
The French policeman of personal data is not the only one to point the finger not only at the Google tool, but also, and above all, at the transfer of data to the United States. The CNIL indeed indicates that it is accompanied by the other European gendarmes of personal data, seized in all of a total of 101 complaints filed by Noyb in the 27 Member States of the EU and three other European countries.
“In the absence of an adequacy decision (which would establish that this country offers a sufficient level of data protection under the GDPR) concerning transfers to the United States, the transfer of data can only take place if guarantees are planned for this flow in particular”, argues the CNIL.
“However, this is not the case”, decides the Authority. And even if “Google has adopted additional measures to regulate data transfers within the framework of the Google Analytics functionality, these are not sufficient to exclude the possibility of access by American intelligence services to this data”, concludes the Authority, for whom “there is therefore a risk for users of the French site who use this tool and whose data is exported”.
Google Analytics not alone concerned
Race results: “the CNIL finds that the data of Internet users is thus transferred to the United States in violation of articles 44 and following of the RGPD”. The manager of the site at the origin of his referral now has one month to comply with the GDPR. A notice that should set a precedent and lead many sites to review their use of Google Analytics.
For the threat to be even clearer, the CNIL also specifies that “other formal notice procedures have been initiated against site managers using Google Analytics”. For the Authority, it is above all a question of ensuring compliance with the GDPR for the transfer of data from European citizens to the United States. A transfer imposed across the Atlantic by the Cloud Act, this federal law adopted in 2018 allowing US authorities to access data on servers, regardless of their location, as long as the target company is American or has links economic with the United States.
As a result, since the Schrems II judgment, named after the founder of the Noyb association, the Court of Justice of the European Union (CJEU) in July 2020 broke the Privacy Shield agreement which governed the transfer of data to the States United since 2016.
If Google Analytics is a juggernaut of analysis and audience measurement tools on the web, the CNIL recommends anonymization of the data from these tools “thus allowing an exemption from consent if the data controller ensures that there are no illegal transfers”. The Google platform is therefore not alone in the dock, which includes “other tools used by sites and which give rise to the transfer of data from European Internet users to the United States”. So many services that could be the subject of “corrective measures on this subject that may be adopted soon”, specifies the CNIL.