Google Analytics: the CNIL explains its formal notices


Sylvain Guillet

June 12, 2022 at 3:00 p.m.

4

Google Analytics

On February 10, the National Commission for Computing and Liberties (CNIL) sent a first formal notice to the manager of a website – who remains anonymous – because of his alleged illegal use of Google Analytics.

As a reminder, Google Analytics is a tool accessible free of charge by companies present online. The interface provides access to detailed statistics on the traffic of a website. To do this, Google collects data from each Internet user by assigning them a unique identifier. Problem: user data is transferred and then stored in the United States, where it would be insufficiently protected. This goes against the rules of the GDPR – the regulation that frames the processing of data at European level. This is what recently prompted the CNIL to send formal notices to several organizations based in France. Today, she explains on her website the reasons that led her to make these decisions.

A hundred complaints all over Europe

It is likely that this affair did not see the light of day without the action of an association, NOYB (None Of Your Business), who has been campaigning for the defense of privacy in Europe since 2017. Initially created by Max Schrems, an Austrian lawyer, it has become very active in the European Union.

In August 2020, NOYB filed 101 complaints with the European data protection authorities – in particular the CNIL – due to the use of Google Analytics by certain companies.

One month to comply

In its first formal notice of February 10, made public, the CNIL justifies its decision by considering that ” the measures put in place by Google are not sufficient to exclude the possibility of access to the data of European residents “. This therefore goes against the rules of the GDPR. As a result, the data of these Internet users are considered to be illegally transferred through Google Analytics.

However, companies given formal notice have a period of one month (renewable) to comply. If the organization does not respond to the letter within the time allowed or if its actions still do not meet the requirements of the formal notice, a sanction procedure may be initiated against it.

On the same subject :
GDPR: the CNIL gives formal notice to 22 municipalities and urges them to have a DPO

Source : CNIL



Source link -99