France’s data protection watchdog, the CNIL, has issued updated guidance on use of Google Analytics following a decision earlier this year that found a local website’s use of the tool to be in breach of European Union law.
It has also confirmed that it has since issued formal notices to other organizations to bring their use of Google Analytics into compliance.
The legal issue, which affects use of the popular analytics tool not just in France but across the entire EU, hinges on user data being transferred to the US for processing by Google. That export of personal data lacks adequate legal protections in the wake of a 2020 decision by Europe’s top court that invalidated a flagship data transfer agreement (aka the EU-US Privacy Shield) over the risk of unlawful access to Europeans’ data by US intelligence agencies.
Since then, the EU and the US announced (in March) a political deal on a replacement transfer mechanism.
But, as the CNIL notes, their joint statement is not a legal framework and cannot be relied upon by users of US cloud services that take Europeans’ data over the pond for processing ahead of an actual replacement deal being formally adopted by the EU — which the Commission has suggested may not happen until the end of the year. (It will also almost certainly face fresh legal challenges to test whether the deal is just as flawed as the earlier ones, as data protection experts suspect.)
So the bottom line is EU websites can either make changes to their use of Google Analytics or risk regulatory enforcement — which could include an order to amend their processes and a financial penalty for being in breach. And it’s likely that the risk of fines for non-compliance is stepping up now that regulatory guidance on the issue is getting more detailed because it means there are fewer plausible excuses for not having made the necessary changes.
“All data controllers using Google Analytics in a similar way to [already notified] organizations must now consider this use as illegal under the GDPR. They must therefore turn to a service provider offering sufficient guarantees of conformity,” the CNIL warns in the guidance [which we’ve translated from French with machine translation].
Any sites that get a formal notice from the regulator about their use of Google Analytics are given one month to comply — with the possibility of a further month’s extension.