The French Data Protection Agency (CNIL) came out swinging last week: The use of Google Analytics is in conflict with GDPR regulation.
In their press release, the CNIL concluded that transfers to the United States are not sufficiently regulated. They refer to the coordinated effort among EU countries to collectively draw the consequences of the "Schrems II" judgement of the Court of Justice of the European Government. It comes a few weeks after a similar statement from the DSB (the Austrian watchdog).
France is the second EU country to openly acknowledge the breach of Article 44 of the GDPR by Google. We believe others will likely follow suit.
CNIL: Google Analytics is in conflict with the GDPR
While it has taken some time for regulators to act (the investigation dates back to August 2020), the momentum seems to be in full force now. After the DSB published its statement last month, the CNIL broke the news last week.
In our earlier post (in English), in which we cover the DSB's decision to invalidate the use of Google Analytics, we analyze the root cause of these reactions.
In short, the EU GDPR demands data protection for EU citizens. The US, however, fails to adhere to these guidelines: it does not provide non-US citizens with any way to know how their data is being processed or (mis)used. In reaction, the CNIL states that data transfers can only take place if appropriate guarantees are provided, which is not the case at the moment.
What will the future hold?
The second domino has fallen. France became the second EU country to openly invalidate the use of Google Analytics. In their statement, the CNIL talked about a coordinated effort of multiple EU countries. In the coming months, we would expect more EU countries to follow suit.
Although Google has adopted measures to better regulate data transfers, these haven't been sufficient, as they still don't exclude access to this data by US intelligence services.
So far, it is unknown whether the CNIL has fined the website operator in question, although it did issue an ultimatum: the website operator has one month to comply with data protection laws or find an alternative web analytics provider. In the meantime, the CNIL is working on a list of recommendations to replace Google Analytics with compliant alternatives, like Simple Analytics.
A lot has happened after the decision:
- the Italian GPDP and Finnish Ombudsman also ruled against the use of Google Analytics. The CNIL and the GPDP are both influential DPAs, so others may follow their example
- the Norwegian Datatilsynet is likely to rule against Google Analytics in a still-pending case
- the Danish DPA essentially embraced the same approach in a press release on the use of Google Analytics
- Meta was ordered to suspend US data transfers for Facebook in a high-profile case involving all European privacy authorities. They were also fined €1.2 billion (not a typo!)
- a new framework for EU-US data transfers is on the way. The new framework is still problematic in some respects and will surely face a challenge in court. We’re looking at yet another Schrems ruling and it’s hard to say how it will play out.
Future-proofing is key to every business on the planet. Adopting a privacy-first solution for your web analytics is one of the actions you will need to take to future-proof your business (especially when you are an EU company). Give us a try to future-proof your business.