France’s data regulator concludes Google Analytics violates GDPR

The authorities Data regulators in Austria conclude that Google Analytics violates the GDPR a month ago, and now French women have joined this verdict. The CNIL, the French data regulator, has concluded that a local, unidentified website’s use of Google Analytics does not comply with the European Union’s GDPR. Specifically, the CNIL ensures that this use violates article 44 of said regulations, which deals with transfers of personal data outside the territory of the EU to countries that do not have equivalent basic privacy protections, such as the United States.

The French CNIL has so far investigated only one of 101 complaints filed by privacy activist group noyb in August 2020, after the EU High Court invalidated the Privacy Shield agreement on data transfers between the United States and the European Union. And it has already accepted the complaint in this case, which could lead to more similar or identical conclusions.

The website that received the complaint has received, from the CNIL, the order to comply with the RGPD, and, «if necessary, stop using this service under the current conditions«. He has one month to fulfill his mandate. Y “Although Google has taken additional measures to regulate data transfers in the context of Google Analytics functions, they are not sufficient to exclude the accessibility of this data to the intelligence services of the United States. Therefore, there is a risk for French web users who use this service and whose data is exported«.

With this, the CNIL leaves the door to continue using Google Analytics, but only if substantial changes are applied that would ensure that they are only transferred «anonymous statistical data«. Right now, according to the French regulator, the use of Google Analytics does not comply with the regulations, and needs to cease for the website in question to be GDPR compliant. The entity also suggests that other analytical tools that do not involve transfers outside the EU be used to end the problem.

In addition, the CNIL has launched an evaluation program to determine what measure of a website’s audience and which analysis services may be exempt from the need to obtain user consent, suggesting that the CNIL could issue rules in the future. that recommend alternatives to Google Analytics that comply with the GDPR.

In the meantime, the decision made on this complaint has iImplications for any website in France that uses Google Analytics, or any other tool that transfers personal data without taking additional steps to the United States. At least in the short term. In addition, the entity warns that its research applies to «other tools used by websites that may result in the transfer of data from European Internet users to the United States«.

Related Articles

Leave a Reply

Your email address will not be published.