According to France’s data authority CNIL, Google does not adequately guarantee that data obtained via Google Analytics is protected (10 February). With Austria just making a similar choice, Google Analytics’ days in Europe may be numbered. EURACTIV France has the story.
Google Analytics is a service used by millions of firms across Europe to examine information on website performance, primarily for marketing purposes. Users are given a unique identifier, and information about their behaviour, demographics, and acquisition techniques is sent to the United States.
However, the French data protection authority has stated that this is illegal, echoing the conclusion reached by Austria’s data protection authority a month ago.
Given the lack of a US-EU agreement on the subject, France’s independent authority determined that Google’s additional steps to regulate such transfers “are not sufficient to rule out the possibility of access to this data by US intelligence services.”
The EU Court of Justice ruled in July 2020 that the so-called “Privacy Shield” – a data-processing agreement between the EU and the US – violates the EU’s high data-protection standards because there is a possibility that US intelligence services could access personal data transported over the Atlantic. Since then, there have been talks between the EU and the US over a new deal, but little progress has been made public.
“The new rulings surrounding Google Analytics are likely to raise the pressure on the US to make data privacy concessions for EU individuals,” said Stefan Hessel, a lawyer at the reuschlaw consultancy who specialises in digital issues.
The ruling follows noyb’s filing of 101 complaints with all EU data protection agencies. Max Schrems, a data campaigner who was also behind the July 2020 judgement, started noyb in 2017. Romain Robert, program director at noyb, told EURACTIV, “This is merely the beginning.” He went on to say, “All of the other member countries will follow suit.” In a news statement, the CNIL emphasises that its investigation was done “in collaboration with its European counterparts.”
The InterHop collective, which brings together activists for open source software and self-managed health data use at the local level, recently encouraged the CNIL to take up this matter.
In response to the CNIL’s notification, a spokesman for the organization told EURACTIV, “We are patiently awaiting the outcome of the formal notices given by the CNIL in the sector of health.” “The regulatory and, above all, ethical duties of site managers processing personal data in a health context are at stake,” he continued.