
The Privacy Advisor | CNIL is latest authority to rule Google Analytics violates GDPR

Related reading: The Austrian Google Analytics decision: The race is on



Just weeks after the Austrian Data Protection Authority’s ruling that Google Analytics use violates the EU General Data Protection Regulation, France’s data protection authority, the Commission nationale de l'informatique et des libertés, has reached a similar decision.

The rulings are the first stemming from 101 complaints filed by advocacy group NOYB throughout EU Member States following the “Schrems II” decision that invalidated the EU-U.S. Privacy Shield in July 2020 and are anticipated to set off a wave of decisions from other authorities.

In its decision, the CNIL said data collection and transfers to the United States using Google Analytics “are illegal,” violating Article 44 of the GDPR. The CNIL ordered an unidentified French website manager to bring its processing into compliance with the GDPR within one month and stop using the service under current conditions, if necessary.

The CNIL said transfers to the United States “are currently not sufficiently regulated” and the absence of an EU-U.S. adequacy decision presents “a risk for French website users who use this service and whose data is exported.” The authority noted additional measures taken by Google to regulate Google Analytics data transfers “are not sufficient to exclude the accessibility of this data for US intelligence services.”

The CNIL said its investigation “also extends to other tools used by sites that result in the transfer of data of European Internet users to the United States,” adding, “Corrective measures in this respect may be adopted in the near future.”

In addition to noting its investigation goes further than Google Analytics, IAPP Vice President and Chief Knowledge Officer Caitlin Fennessy, CIPP/US, said the CNIL makes it clear its decision reflects a collective analysis by European DPAs.

“The risks U.S. businesses face in Europe are escalating rapidly, while their workable compliance options plummet,” Fennessy said. “A diplomatic solution cannot come quickly enough.”

NOYB’s Max Schrems, who believes other authorities will “decide similarly” to the French and Austrian DPAs, agreed.

“In the long run we either need proper protections in the US, or we will end up with separate products for the US and the EU,” Schrems said in a written statement. “I would personally prefer better protections in the US, but this is up to the US legislator — not to anyone in Europe.”

But at this point, Fieldfisher Partner Phil Lee, CIPP/E, CIPM, FIP, said it feels as if the “situation is becoming somewhat farcical.” He said, “it seems bizarre” that data protection authorities are concerned about the transfer of analytics data when there is much more sensitive information flowing back and forth across the Atlantic, and around the world.

“Take emails sent between EU and U.S. organizations, for example, these are unencrypted communications that could contain highly sensitive data about the sender or third parties mentioned in the communication,” he said. “Billions of emails are sent on a daily basis, and yet no one is seriously suggesting we shut down email communications. So why so much excitement about transfers of analytics data?”  

With “regulatory incongruities,” Lee said, “it’s difficult to dispel the notion that there is a certain level of EU protectionism at play against U.S. tech companies.”

He noted there will be a lot of attention paid to reports that the EU and U.S. are nearing a replacement Privacy Shield agreement, and said many companies are “sincerely hoping that this time around it will be ‘Schrems’-proof.”

Google has not yet issued a response to the CNIL’s decision, but in a previous statement on Austria’s ruling, President of Global Affairs and Chief Legal Officer Kent Walker urged EU and U.S. governments to finalize a Privacy Shield successor agreement.

“We urge quick action to restore a practical framework that both protects privacy and promotes prosperity,” he said.

In the meantime, Europcar Mobility Group Data Protection and Compliance Officer Aurélie Banck, CIPP/E, CIPM, FIP, noted organizations or websites using Google Analytics should pay attention to compliance.

“So, if we have to fix the data transfer issue, select another service provider other than Google Analytics,” she said, adding, “It seems to be difficult to use an American service provider.”

Fox Rothschild Partner Odia Kagan, CIPP/E, CIPP/US, CIPM, FIP, PLS, said the decision does not give practitioners reasoning to use when trying to assess how to configure services or which services to use moving forward.

“In the absence of detailed reasoning, it is difficult for companies to analyze the services that they use and see whether they can be differentiated from the facts of these cases. Does the decision apply across the board to all possible Google Analytics implementations? Regardless of the type of data processed? Regardless of other considerations? What about other services,” she said.

Further, Kagan said EU controllers, in many cases, are left without an alternative to a U.S. service, and neither EU controllers nor U.S. providers “have any control over the issue which is at the crux of this matter — namely, the access by U.S. authorities.”

“This is an issue which is above our collective paygrades and is in the hands of the European Commission and the U.S. State Department to find a satisfactory solution for redress, hopefully soon,” she said.

Photo by Markus Winkler on Unsplash


  • Alex Wall • Feb 10, 2022
    It seems as though France's CNIL indicated in 2020 that anonymized visitor metrics enabled by Google Analytics could be managed in compliance with the law. It is dismaying to see this news, particularly for marketing teams who are simply trying to generally understand how well their websites are attracting engagement and not link that information to personal profiles. I hope the powers that be can work out an agreement.
  • Dennis Arnold-Grade • May 12, 2022
    @Alex Wall: I understand it being very dismaying for marketers. But, it is also important to see the field of marketing as what it is in this context: an ill-advised practice that does not give the consumer any advantage and in most cases only diminishes the individual's human and fundamental EU-rights, and therefore must be seen as being anti-privacy in and of itself (from the current state of it). If privacy is the goal here, the discipline of marketing will need to detach itself from tracking, surveilling, etc. and operate with privacy by design and default (or, data protection by design and default).
    Within privacy, there is no "simply trying to generally understand how well their websites are attracting engagement", if this means breaching/violating the privacy of others. Just like a shop-owner does not have the right to see ID of any person coming in to his shop, websites shouldn't look at their site as something they have the right to surveil in regards to who comes in and out. 
    If I were you, I would stop looking for foreign cases that may or may not have understood the problem correctly, and may or may not have made a judgment that is in line with EDPB, EUCJ, etc., but instead concentrate on looking at Privacy-Enhancing Technology, in order to make sure to legally have a steady stream of data coming your marketing-department's way once again.