GDPR: the CNIL gives Google Analytics formal notice

The French data protection authority follows the decision taken by its Austrian counterpart a month earlier.
The National Commission for Computing and Liberties (CNIL) bangs its fist on the table. The data protection authority gave Google formal notice on February 10 for the transfer of European data to the United States from its Google Analytics service, after a complaint from the Noyb association. The American giant has one month to comply or to suspend its service.

Analytics, for those who don’t know, is a free Google service used by many websites, including Tech Review, to analyze its audience. It provides information such as the number of unique visitors, in particular in real-time, the number of pages viewed, which ones are viewed, the average duration of visits, the origin of visitors, etc.

To perform these measurements, Google assigns a unique and anonymous identifier to each visitor. According to the CNIL, this identifier can allow Google to find the identity of visitors by cross-checking the data available to the group, so it constitutes personal data. The problem is that this data is transferred to the United States.

Article 44 of the General Data Protection Regulation, the famous GDPR, prohibits the transfer of European personal data to a country that does not provide equivalent protection to the regulations of the Old Continent.

The CNIL recognizes that measures have been taken by Google to protect the transfer of European data, but the authority considers that “ these are not sufficient to exclude the possibility of access by American intelligence services to this data ”.
Since the Schrems II judgment, named after the founder of the Noyb association, the Court of Justice of the European Union (CJEU) in July 2020 broke the Privacy Shield agreement governing the transfer of data to the United States from 2016. It was deemed insufficient to protect European data from American information, due to local law, the Cloud Act.

The European CNILs work hand in hand

Noyb, which specializes in data protection issues, hastened to file 101 complaints in the 27 EU Member States and 3 countries of the European Economic Area.

The Datenschutzbehörde (DSB), the equivalent of the CNIL in Austria, made a similar decision to the French authority on January 13, it was followed by the Dutch authority the same month. Other authorities could follow, the CNIL explaining that it worked “ in cooperation with its European counterparts ”.

Google Analytics could theoretically disappear in Europe. The notice from the data protection authority offers one of these options for Mountain View to comply with the GDPR. If necessary by ceasing to use the Google Analytics functionality (under the current conditions ) or by using a tool that does not result in a transfer outside the EU ”.
Google has not yet reacted, but the French decision being very close to its Austrian counterpart, we can expect a similar response. Google initially considered that the measures were taken to “ guarantee practical and effective data protection according to any reasonable standard ”. The American giant also claims to have never received requests from American intelligence.

The problem of EU-US data transfer

The most interesting bit comes later, on January 19, via a blog post. Google asks the European and American authorities to find a solution. European and American companies expect the European Commission and the American Department of Commerce to quickly finalize an agreement succeeding the Privacy Shield and making it possible to solve these problems.
Google is not shy about pressing with the United States and the European Union. We urge swift action to restore a practical framework that protects the privacy and promotes prosperity.

Google’s position is very similar to that of Meta at the beginning of February when the group raised the prospect of leaving the European continent in a document intended for the policeman of the American stock market. Mark Zuckerberg’s company has defended itself from any threat. A term used by the media, including Century Digital, against European authorities.

For Meta, this is a description of the reality of its situation since the Privacy Shield made the transfer of European data to the United States liable to fall under the scope of the GDPR.

Meta, like Google, is above all seeking to put pressure on the EU and the United States to find an agreement governing the transfer of data between the two. The two American giants are gradually being caught up with by European data protection authorities.

This would be the third such agreement and so far all have been overturned by the CJEU. Because it was not protective enough. This explains why the ongoing negotiations are dragging on. Europeans want a level of protection worthy of the GDPR if only for legal issues, the United States does not want to give up its Cloud Act.

In the meantime, Meta, Google, and others could, for example, locate European data in Europe or find tips for protecting data that must cross the Atlantic, but that does not seem to be on the agenda.


Leave a Comment