Just weeks after the Austrian Data Protection Authority’s ruling that Google Analytics use violates the EU General Data Protection Regulation, France’s data protection authority, the Commission nationale de l'informatique et des libertés, has reached a similar decision.
The rulings are the first stemming from 101 complaints filed by advocacy group NOYB throughout EU Member States following the “Schrems II” decision that invalidated the EU-U.S. Privacy Shield in July 2020 and are anticipated to set off a wave of decisions from other authorities.
In its decision, the CNIL said data collection and transfers to the United States using Google Analytics “are illegal,” violating Article 44 of the GDPR. The CNIL ordered an unidentified French website manager to bring its processing into compliance with the GDPR within one month and stop using the service under current conditions, if necessary.
The CNIL said transfers to the United States “are currently not sufficiently regulated” and the absence of an EU-U.S. adequacy decision presents “a risk for French website users who use this service and whose data is exported.” The authority noted additional measures taken by Google to regulate Google Analytics data transfers “are not sufficient to exclude the accessibility of this data for US intelligence services.”
The CNIL said its investigation “also extends to other tools used by sites that result in the transfer of data of European Internet users to the United States,” adding, “Corrective measures in this respect may be adopted in the near future.”
In addition to noting its investigation goes further than Google Analytics, IAPP Vice President and Chief Knowledge Officer Caitlin Fennessy, CIPP/US, said the CNIL makes it clear its decision reflects a collective analysis by European DPAs.
“The risks U.S. businesses face in Europe are escalating rapidly, while their workable compliance options plummet,” Fennessy said. “A diplomatic solution cannot come quickly enough.”
NOYB’s Max Schrems, who believes other authorities will “decide similarly” to the French and Austrian DPAs, agreed.
“In the long run we either need proper protections in the US, or we will end up with separate products for the US and the EU,” Schrems said in a written statement. “I would personally prefer better protections in the US, but this is up to the US legislator — not to anyone in Europe.”
But at this point, Fieldfisher Partner Phil Lee, CIPP/E, CIPM, FIP, said it feels as if the “situation is becoming somewhat farcical.” He said, “it seems bizarre” that data protection authorities are concerned about the transfer of analytics data when there is much more sensitive information flowing back and forth across the Atlantic, and around the world.
“Take emails sent between EU and U.S. organizations, for example, these are unencrypted communications that could contain highly sensitive data about the sender or third parties mentioned in the communication,” he said. “Billions of emails are sent on a daily basis, and yet no one is seriously suggesting we shut down email communications. So why so much excitement about transfers of analytics data?”
With “regulatory incongruities,” Lee said, “it’s difficult to dispel the notion that there is a certain level of EU protectionism at play against U.S. tech companies.”
He noted there will be a lot of attention paid to reports that the EU and U.S. are nearing a replacement Privacy Shield agreement, and said many companies are “sincerely hoping that this time around it will be ‘Schrems’-proof.”
Google has not yet issued a response to the CNIL’s decision, but in a previous statement on Austria’s ruling, President of Global Affairs and Chief Legal Officer Kent Walker urged EU and U.S. governments to finalize a Privacy Shield successor agreement.
“We urge quick action to restore a practical framework that both protects privacy and promotes prosperity,” he said.
In the meantime, Europcar Mobility Group Data Protection and Compliance Officer Aurélie Banck, CIPP/E, CIPM, FIP, noted organizations or websites using Google Analytics should pay attention to compliance.
“So, if we have to fix the data transfer issue, select another service provider other than Google Analytics,” she said, adding, “It seems to be difficult to use an American service provider.”
Fox Rothschild Partner Odia Kagan, CIPP/E, CIPP/US, CIPM, FIP, PLS, said the decision does not give practitioners reasoning to use when trying to assess how to configure services or which services to use moving forward.
“In the absence of detailed reasoning, it is difficult for companies to analyze the services that they use and see whether they can be differentiated from the facts of these cases. Does the decision apply across the board to all possible Google Analytics implementations? Regardless of the type of data processed? Regardless of other considerations? What about other services?” she said.
Further, Kagan said EU controllers, in many cases, are left without an alternative to a U.S. service, and neither EU controllers nor U.S. providers “have any control over the issue which is at the crux of this matter — namely, the access by U.S. authorities.”
“This is an issue which is above our collective paygrades and is in the hands of the European Commission and the U.S. State Department to find a satisfactory solution for redress, hopefully soon,” she said.