The French Data Protection Agency (CNIL) came out swinging last week: The use of Google Analytics is in conflict with GDPR regulation.
In their press release, the CNIL concluded that transfers to the United States are not sufficiently regulated. They refer to the coordinated effort among EU countries to collectively draw consequences of the "Schrems II" judgement of the court of Justice of the European Government. It comes a few weeks after a similar statement from the DSB (the Austrian watchdog).
It's the second EU country to openly acknowledge the breach of article 44 of the GDPR agreement by Google. We believe others will be likely to follow suit.
CNIL: Google Analytics is in conflict with GDPR regulation
While it has taken some time for regulators to act (the investigation is dating back to August 2020), the momentum seems to be in full force now. After the DSB published its statement last month, the CNIL broke the news last week.
In our earlier post (in English), in which we cover the DSB's decision to invalidate the use of Google Analytics, we analyze the root cause of these reactions.
In short, the EU GPDR laws demand data protection for its citizens. The US however fails to adhere to these guidelines. They do not provide any non-US citizens with any way to know how their data is being processed or (mis)used. As a reaction to this, the CNIL responds that data transfers can only take place if appropriate guarantees are provided, which is not the case at the moment.
What will the future hold
The second domino has fallen. France became the second EU country to openly invalidate the use of Google Analytics. In their statement, The CNIL talked about a coordinated effort of multiple EU countries. In the coming months, we would expect more EU countries to follow suit.
Although Google has adopted measures to better regulate data transfers, this hasn't been sufficient as they still don't exclude the accessibility of this data for US intelligence services
So far it is unknown if The CNIL has fined the website operator in question. Although it did state an ultimatum. The website operator has one month to comply with data protection laws or find an alternative web analytics provider. In the meantime, the CNIL is working on a list of recommendations to replace Google Analytics with compliant alternatives, like Simple Analytics.
Futureproofing your business is key to every business on the planet. Adopting a privacy-first solution for your web analytics is one of those actions you will need to take to future-proof your business (especially when you are an EU company). Give us a try to future-proof your business.