In a decision handed down on Thursday, February 10, the personal data policeman gives formal notice to a French site manager for his use of the popular audience measurement tool.
The decision of the French National Commission for Computing and Liberties (Cnil) risks shaking the ecosystem of digital services. This Thursday, February 10, the tricolor gendarme estimated that the transfer of data from Google Analytics by European sites to the United States is illegal. The CNIL has given formal notice to a manager of a French website, whose identity has not been revealed, because of his use of the popular Google tool. Every day, tens of millions of websites around the world rely on Google Analytics to measure their audience and user behavior.
“The Cnil notes that the data of Internet users collected by Google Analytics is transferred to the United States in violation of articles 44 and following of the GDPR [règlement général sur la protection des données européen], reports the personal data constable. It therefore gives formal notice to the site manager to bring this processing into compliance with the GDPR, if necessary by ceasing to use the Google Analytics functionality (under current conditions) or by using a tool that does not lead to transfer outside the EU. The site manager in question has a period of one month to comply”.
The Cnil also specifies that it has initiated other formal notice procedures against several site managers using Google Analytics.
A European effort
A few months ago, the French Cnil, like its European counterparts, was seized by the European association My Privacy Is None of Your Business (NOYB), led by activist Max Schrems. A total of 101 complaints have been lodged by NOYB in the 27 EU member states against 101 sites that use Google Analytics.
The CNIL bases its decision on the judgment “Schrems IIof the Court of Justice of the European Union, dated July 16, 2020. The latter made any transfer of personal data from Europe to the United States problematic under European law. “The Court of Justice of the EU had highlighted the risk that the American intelligence services could access the personal data transferred to the United States, if the transfers were not properly framedspecifies the Cnil. While Google has adopted additional measures to regulate data transfers within the framework of the Google Analytics functionality, these are not sufficient to exclude the possibility of such access.
A first Austrian conviction
The standoff between GAFAM and the European authorities, whose requirements in terms of personal data are getting tougher, continues to intensify. A month before the decision of the French Cnil, its Austrian counterpart, the Datenschutzbehörde (DSB), also seized by NOYB, had been the first to issue a firm decision targeting Google Analytics users. She estimated on January 13 that a national site specializing in the field of health did not comply with the GDPR, because it used this service.
According to the DSB, the data, although anonymized, could easily be recombined to identify individual Internet users, in particular by the American intelligence services.
“By visiting a site using Google Analytics, a unique number is assigned to the user’s web browser. (…) It is possible to combine this number with other information, such as the IP address or other data from the browser. This combination can create a unique identifier that can be assigned to the browser user,” detailed the DSB.
Explanations which had caused a wave of amazement among several industrialists in the European area, and fueled the anger of Kent Walker, global head of public affairs at Google. He warned about “the cascading consequences of decisions similar to those of the DSB“. “People are increasingly dependent on data transfers for online shopping, travel, delivery, even telecommuting, customer relationship management or security operations”he said, assuring that “hundreds of billions of euros” were in play.
Towards a domino effect?
If the decisions made are a formal notice to site owners, it is Google that is indeed in the sights of regulators. “This serves as a big wake-up call for the platform to bring itself into compliance.”explains Me Sonia Cissé, lawyer specializing in new technologies and data protection law at Linklaters.
Managers of sites flagged by the European authorities have a period of one month to stop using Google Analytics, and switch to a similar tool which does not entail a transfer outside the EU. For its part, Google therefore has the possibility of making changes that will meet European requirements.
“There could be a real domino effect in the Google Analytics affair. European States are committed to a common effort, with the declared desire to harmonize standards», Analyzes Me Sonia Cissé. In addition, Facebook Connect, the Facebook tool that allows users to use their account on the social network to connect to a third-party site, is the subject of certain complaints from NOYB.