France’s privacy watchdog latest to find Google Analytics breaches GDPR

Use of Google Analytics has now been found to breach European Union privacy laws in France — after a similar decision was reached in Austria last month.

The French data protection watchdog, the CNIL, said today that an unnamed local website’s use of Google Analytics is non-compliant with the bloc’s General Data Protection Regulation (GDPR) — breaching Article 44 which covers personal data transfers outside the bloc to so-called third countries which are not considered to have essentially equivalent privacy protections.

The U.S. fails this critical equivalence test on account of having sweeping surveillance laws which do not provide non-U.S. citizens with any way to know whether their data is being acquired, how it’s being used or to seek redress for any misuse.

Whereas the EU’s GDPR demands that data protection travels with citizens’ information as a stipulation of legal export.

France’s CNIL has been investigating one of 101 complaints filed by European privacy advocacy group, noyb, back in August 2020 — after the bloc’s top court invalidated the EU-U.S. Privacy Shield agreement on data transfers.

Since then (indeed, long before) the legality of transatlantic transfers of personal data have been clouded in uncertainty.

While it has taken EU regulators some time to act on illegal data transfers — despite an immediate warning from the European Data Protection Board of no grace period in the wake of the July 2020 CJEU ruling (aka ‘Schrems II) — decisions are now finally starting to flow. Including another by the European Data Protection Supervisor last month, also involving Google Analytics.

In France, the CNIL has ordered the website which was the target of one of noyb’s complaints to comply with the GDPR — and “if necessary, to stop using this service under the current conditions” — giving it a deadline of one month to comply.

As in Austria, the CNIL’s assessment of Google’s claimed supplementary measures (which it had argued ensured EU citizens’ data which was taken, via Google Analytics, to the U.S. was adequately protected) found them to be inadequate.

“[A]lthough Google has adopted additional measures to regulate data transfers in the context of the Google Analytics functionality, these are not sufficient to exclude the accessibility of this data for U.S. intelligence services,” the CNIL writes in a press release announcing the decision.

“There is therefore a risk for French website users who use this service and whose data is exported.”

The CNIL does leave open the door to continued use of Google Analytics — but only with substantial changes that would ensure only “anonymous statistical data” gets transferred. (And the Austrian decision against Google Analytics last month took a broad interpretation of what constitutes personal data in this context, finding that an IP address could be enough given how it may be combined with other bits of data held by Google to identify a site user.)

The French regulator is also very emphatic that under “current conditions” use of Google Analytics is non-compliant — and may therefore need to cease in order for the site in question to comply with the GDPR.

The CNIL also suggests use of an alternative analytics tool which does not involve a transfer outside the EU to end the breach.

Additionally, it says it’s launched an evaluation program to determine which website audience measurement and analysis services may be exempt from the need to obtain user consent (i.e. because they only produce anonymous statistical data which can be exported legally under GDPR). Which suggests the CNIL could issue guidance in future that recommends GDPR compliant alternatives to Google Analytics.

The decision on this complaint has clear implications for any website based in France that’s currently using Google Analytics — or, indeed, any other tools that transfer personal data to the U.S. without adequate supplementary measures — at least in the near term.

For one thing, the CNIL’s decision notes it has made “other” compliance orders to website operators using Google Analytics (again without naming any sites).

While, given joint working by EU regulators on these 101 strategic complaints, the ramifications likely scale EU-wide.

The CNIL also warns that its investigation — along with the parallel probes being undertaken by fellow EU regulators — extends to “other tools used by sites that result in the transfer of data of European Internet users to the United States”, adding: “Corrective measures in this respect may be adopted in the near future.”

So all U.S.-based tools that are transferring personal data are facing regulatory risk.

We’ve asked the CNIL which other tools it’s looking at and will update this report with any response.

Update: The regulator told us the use of Facebook Connect by French site managers “has also been the subject of complaints to the CNIL, which are currently being investigated”.

Google was also contacted for comment on the CNIL’s decision and how it plans to respond but at the time of writing it had not responded.

Commenting on the French watchdog’s slapdown in a statement, noyb’s founder and honorary chair, Max Schrems, said: “It’s interesting to see that the different European Data Protection Authorities all come to the same conclusion: the use of Google Analytics is illegal. There is a European task force and we assume that this action is coordinated and other authorities will decide similarly.”

Privacy Shield v3 to the rescue?

One factor that could change the situation is a new agreement between the EU and U.S. on data transfers.

Negotiations between the European Commission and U.S. counterparts are ongoing in an attempt to plug the data transfer gap as happened after the CJEU struck down Safe Harbor in 2015 (aka Schrems I), meaning it was fairly quickly replaced by Privacy Shield, until that too was soon invalidated.

This pattern of complaints leading to (quicker) strike downs makes a ‘quick fix’ impossible — even if the enforcements now landing against mainstream tools like Google Analytics will certainly concentrate minds in Brussels and Washington, increasing political and economic urgency to find a way to solve this issue.

The Commission has said it’s keen for a replacement data transfer agreement with the U.S. However it has also warned repeatedly that any such deal must be robust to future legal challenge — meaning it must substantially addressing the CJEU’s concerns. And without broad reform of U.S. surveillance practices that looks difficult.

Still, in recent weeks, reports have suggested the EU and U.S. are nearing agreement on a new data transfer arrangement — potentially as soon as this month, according to reporting by Politico, which also suggested the two sides could unveil a new accord in May at an upcoming meeting of the Trade and Tech Council.

Details of how exactly the U.S. and EU will be able to square the data transfer (il)legality circle are scant, though.

Per Politico, one redress mechanism that is being discussed would allow EU citizens to directly (or via their national governments) submit complaints to an independent judicial body if they believe U.S. national security agencies have unlawfully handled their personal information.

But that still leaves plenty of questions. Not least how a EU citizen could know to complain in the first place, given the lack of notification of U.S. surveillance intercepts.

The U.S. also still does not have a federal privacy law similar to the EU’s GDPR, meaning its own citizens lack comprehensive protections for their information — illustrating quite how far apart the two jurisdictions remain on this issue.

And while some U.S. states — such as California — have taken matters into their own hands in recent years, passing laws to provide residents with some legal rights wrapping their information, privacy protections for U.S. citizens remain, at best, a patchwork. Given that, it may be tricky for the Biden administration to provide greater rights for non-U.S. citizens to complain about U.S. surveillance vs what the country provides to its own citizens.

Commercial pressure is building on this issue though.

Just this week Facebook/Meta felt moved to publish a blog post — rejecting reporting of its financial filing that claimed its disclosures amounted to a threaten to pull its service out of Europe as a result of the data transfer uncertainty.

“We want to see the fundamental rights of EU users protected, and we want the internet to continue to operate as it was intended: without friction, in compliance with applicable laws — but not confined by national borders,” the tech giant wrote, urging progress on a new deal.

Meta does have its own very pressing cause to press for a fresh ‘fix’, though, given that its business is subject to a very long-standing data transfers complaint — and it’s now over a year since its lead EU data regulator, the Irish Data Protection Commission, promised to swiftly resolve that complaint.

By contrast, EU-based platforms that can localize and legally firewall user data in the bloc, where it’s shielded by the GDPR, have reasons to be cheerful.

To wit: Last month — in the wake of the Austrian ruling — one Poland-based Google Analytics competitor, Piwik Pro, told us that Schrems II was one of the main concerns raised by organisations contacting it to seek a Google Analytics alternative.

“Just two weeks after the Noyb’s 101 complaints list was published we’ve acquired as a customer one the major banks listed there,” said CEO Maciej ZawadziÅ„ski. “Interest in our product and services is directly affected by all the developments in the privacy & compliance space. The Schrems II ruling was big for us last year, just like the Austrian DPA’s ruling is fairly big now.

“We predict that in 2022 local EU data storage that eliminates offshore data transfers completely will be an important selling point.”

ZawadziÅ„ski added that the company had opened an EU located data center to host and process client data for this reason, noting: “The data center is managed by an EU company and neither we nor any of our suppliers is subject to the [U.S.] Cloud Act.”

Schrems also predicts a splintering of digital services and dedicated EU product provision — unless or until the U.S. reforms its approach to privacy. “In the long run we either need proper protections in the U.S., or we will end up with separate products for the U.S. and the EU. I would personally prefer better protections in the U.S., but this is up to the U.S. legislator — not to anyone in Europe,” he added in a statement.

This report was updated with additional comment