CNIL or ‘Commission nationale de l’informatique et des libertés’, French data protection authority found Google Analytics to breach privacy laws. They found Google Analytics to breach the rules under Europe’s General Data Protection Regulation (GDPR).
A similar occurrence was reported in Austria a month back. The data of the European netizens was reportedly sent to the US. The CNIL listed these data transfers as illegal, taking into account the massive French traffic on the website.
Google Analytics was in breach of GDPR’s Article 44 which provisions transfer of personal data as unlawful. Transfer of such data was to what is considered ‘third countries’ which do not possess equivalent privacy protections.
Despite not being one of third-countries, US fails the critical equivalence analysis. This was on basis of having swept tracking laws which do not give citizens outside of America any way to know if their data is being misused. European Union’s protection board has demanded the constancy of user’s data protection irrespective of their status.
Though several investigations are in order due to the numerous complaints received, uncertainty prevails for its resolution. It has been as long as 18 months (August 2020), since the beginning of the inflow of data transfers.
The CNIL has taken steps to deal with the situation. In France, they have ordered the website to comply with the rules of GDPR or “if necessary, to stop using this service under the current conditions,” with a deadline.
Similarly, in Austria, the CNIL had assessed the supplementary measure claimed by Google to have taken up. They found the measures to be highly inadequate and not enough to protect the users’ privacy.
A tweet on Google Analytics’ breach:
<blockquote class=”twitter-tweet”><p lang=”en” dir=”ltr”>One of THE European DPA powerhouses now also taking a position on <a href=”https://twitter.com/hashtag/GoogelAnalytics?src=hash&ref_src=twsrc%5Etfw”>#GoogelAnalytics</a> and our <a href=”https://twitter.com/NOYBeu?ref_src=twsrc%5Etfw”>@NOYBeu</a> complaints.. <a href=”https://t.co/tx01ZjVFY9″>https://t.co/tx01ZjVFY9</a></p>— Max Schrems 🇪🇺 (@maxschrems) <a href=”https://twitter.com/maxschrems/status/1491707891249778691?ref_src=twsrc%5Etfw”>February 10, 2022</a></blockquote> <script async src=”https://platform.twitter.com/widgets.js” charset=”utf-8″></script>
The CNIL suggested the use of an alternative to Google Analytics. An analytics tools, which would not transfer details outside the limits of the EU.
Google Analytics’ use by the clients have not been left to choice. Only with appropriate changes can they be used, for their current conditions do not comply with the regulations.
The CNIL warned that it has included other tools used by websites to check privacy compliance. Hence, many of these tools originated in the US are facing a risk of being exposed of their data transfer.
Noyb’s Founder, Max Schrems commented, “Its interesting to see that the different European Data Protection Authorities all come to the same conclusion: the use of Google Analytics is illegal. There is a European task force and we assume that this action is coordinated and other authorities will decide similarly.”
Google did not respond to any request made by CNIL to make a statement on the situation.