France joins Austria in declaring Google Analytics illegal – EURACTIV.com
Google does not offer sufficient guarantees for the protection of data collected via Google Analytics in Europe, the French data protection authority CNIL announced on Thursday (February 10). With Austria recently making a similar decision, the days of Google Analytics in Europe may be numbered. EURACTIV France reports.
Used by millions of companies across Europe, Google Analytics provides statistics about website performance, mainly for marketing purposes. A unique identifier is assigned to users, and behavioral, demographic, and acquisition method data is then transmitted to the United States.
However, the French data protection authority declared this illegal, joining the Austrian data protection authority, which came to the same conclusion a month ago.
Since there is no agreement between the US and the EU on this matter, the additional measures that Google has to take to regulate the transfers are “not sufficient to prevent the possibility of access to this data by US intelligence agencies,” the independent French authority judged.
This announcement follows the EU Court of Justice’s conclusion in July 2020 that the data transfer agreement between the US and the EU – dubbed the “Privacy Shield” – violates the EU’s high data protection standards. One of the key sticking points is the ability of US intelligence agencies to access personal data that is being sent across the Atlantic.
Since then there have been talks of a new deal between the EU and the US, but no progress has been announced.
“The current decisions on Google Analytics are likely to increase the pressure on the US to make concessions on data protection for EU citizens,” said Stefan Hessel, a lawyer specializing in digital matters at the consulting firm reuschlaw.
The decision comes in response to the 101 complaints filed by the NGO noyb with all EU data protection authorities. Noyb was founded in 2017 by data activist Max Schrems, who was also behind the July 2020 ruling.
“This is just the beginning,” Romain Robert, program director at noyb, told EURACTIV. “All other member states will follow this example,” he added.
In its press release, the CNIL emphasizes that its analysis was carried out “in collaboration with its European colleagues”.
Recently, the InterHop collective asked the CNIL to address this issue. InterHop is a coalition of activists for open source software and the self-governing use of health data on a local level.
“We are patiently awaiting the outcome of the formal communications issued by the CNIL in the health field,” a spokesman for the organization told EURACTIV in response to the agency’s announcement.
“For the website operators that process personal data in the health sector, their legal and, above all, ethical responsibilities are at stake,” he added.
Implementation period of one month
On the basis of Article 44 of the General Data Protection Regulation (GDPR), which regulates the transfer of data to third countries, the CNIL has set a one-month implementation deadline for a website operator whose identity has not been disclosed.
It is “important to raise awareness among as many data controllers as possible who would use this tool – without it being useful to identify the controller,” a CNIL spokesman told EURACTIV.
The CNIL also said it was investigating the use of Facebook Connect, which “is the subject of complaints that have been forwarded to the CNIL and are currently being investigated”.
Google told EURACTIV that it did not want to comment on the matter.
[Edited by Luca Bertuzzi/Alice Taylor]