France’s privacy watchdog latest to find Google Analytics breaches GDPR


Photo illustration of the logo of freemium web analytics service Google Analytics is displayed on a smartphone.
Image Credits: Thomas Trutschel / Getty Images

Use of Google Analytics has now been found to breach European Union privacy laws in France — after a similar decision was reached in Austria last month.

The French data protection watchdog, the CNIL, said today that an unnamed local website’s use of Google Analytics is non-compliant with the bloc’s General Data Protection Regulation (GDPR) — breaching Article 44 which covers personal data transfers outside the bloc to so-called third countries which are not considered to have essentially equivalent privacy protections.

The U.S. fails this critical equivalence test on account of having sweeping surveillance laws which do not provide non-U.S. citizens with any way to know whether their data is being acquired, how it’s being used or to seek redress for any misuse.

Whereas the EU’s GDPR demands that data protection travels with citizens’ information as a stipulation of legal export.

France’s CNIL has been investigating one of 101 complaints filed by European privacy advocacy group, noyb, back in August 2020 — after the bloc’s top court invalidated the EU-U.S. Privacy Shield agreement on data transfers.

Since then (indeed, long before) the legality of transatlantic transfers of personal data have been clouded in uncertainty.

While it has taken EU regulators some time to act on illegal data transfers — despite an immediate warning from the European Data Protection Board of no grace period in the wake of the July 2020 CJEU ruling (aka ‘Schrems II) — decisions are now finally starting to flow. Including another by the European Data Protection Supervisor last month, also involving Google Analytics.

European parliament found to have broken EU rules on data transfers and cookie consents

In France, the CNIL has ordered the website which was the target of one of noyb’s complaints to comply with the GDPR — and “if necessary, to stop using this service under the current conditions” — giving it a deadline of one month to comply.

As in Austria, the CNIL’s assessment of Google’s claimed supplementary measures (which it had argued ensured EU citizens’ data which was taken, via Google Analytics, to the U.S. was adequately protected) found them to be inadequate.

“[A]lthough Google has adopted additional measures to regulate data transfers in the context of the Google Analytics functionality, these are not sufficient to exclude the accessibility of this data for U.S. intelligence services,” the CNIL writes in a press release announcing the decision.

“There is therefore a risk for French website users who use this service and whose data is exported.”

The CNIL does leave open the door to continued use of Google Analytics — but only with substantial changes that would ensure only “anonymous statistical data” gets transferred. (And the Austrian decision against Google Analytics last month took a broad interpretation of what constitutes personal data in this context, finding that an IP address could be enough given how it may be combined with other bits of data held by Google to identify a site user.)

The French regulator is also very emphatic that under “current conditions” use of Google Analytics is non-compliant — and may therefore need to cease in order for the site in question to comply with the GDPR.

The CNIL also suggests use of an alternative analytics tool which does not involve a transfer outside the EU to end the breach.

Additionally, it says it’s launched an evaluation program to determine which website audience measurement and analysis services may be exempt from the need to obtain user consent (i.e. because they only produce anonymous statistical data which can be exported legally under GDPR). Which suggests the CNIL could issue guidance in future that recommends GDPR compliant alternatives to Google Analytics.

The decision on this complaint has clear implications for any website based in France that’s currently using Google Analytics — or, indeed, any other tools that transfer personal data to the U.S. without adequate supplementary measures — at least in the near term.

For one thing, the CNIL’s decision notes it has made “other” compliance orders to website operators using Google Analytics (again without naming any sites).

While, given joint working by EU regulators on these 101 strategic complaints, the ramifications likely scale EU-wide.

The CNIL also warns that its investigation — along with the parallel probes being undertaken by fellow EU regulators — extends to “other tools used by sites that result in the transfer of data of European Internet users to the United States”, adding: “Corrective measures in this respect may be adopted in the near future.”

So all U.S.-based tools that are transferring personal data are facing regulatory risk.

We’ve asked the CNIL which other tools it’s looking at and will update this report with any response.

Update: The regulator told us the use of Facebook Connect by French site managers “has also been the subject of complaints to the CNIL, which are currently being investigated”.

Google was also contacted for comment on the CNIL’s decision and how it plans to respond but at the time of writing it had not responded.

Commenting on the French watchdog’s slapdown in a statement, noyb’s founder and honorary chair, Max Schrems, said: “It’s interesting to see that the different European Data Protection Authorities all come to the same conclusion: the use of Google Analytics is illegal. There is a European task force and we assume that this action is coordinated and other authorities will decide similarly.”

Privacy Shield v3 to the rescue?

One factor that could change the situation is a new agreement between the EU and U.S. on data transfers.

Negotiations between the European Commission and U.S. counterparts are ongoing in an attempt to plug the data transfer gap as happened after the CJEU struck down Safe Harbor in 2015 (aka Schrems I), meaning it was fairly quickly replaced by Privacy Shield, until that too was soon invalidated.

This pattern of complaints leading to (quicker) strike downs makes a ‘quick fix’ impossible — even if the enforcements now landing against mainstream tools like Google Analytics will certainly concentrate minds in Brussels and Washington, increasing political and economic urgency to find a way to solve this issue.

The Commission has said it’s keen for a replacement data transfer agreement with the U.S. However it has also warned repeatedly that any such deal must be robust to future legal challenge — meaning it must substantially addressing the CJEU’s concerns. And without broad reform of U.S. surveillance practices that looks difficult.

No quick fix for transatlantic data transfers, says EC

Still, in recent weeks, reports have suggested the EU and U.S. are nearing agreement on a new data transfer arrangement — potentially as soon as this month, according to reporting by Politico, which also suggested the two sides could unveil a new accord in May at an upcoming meeting of the Trade and Tech Council.

Details of how exactly the U.S. and EU will be able to square the data transfer (il)legality circle are scant, though.

Per Politico, one redress mechanism that is being discussed would allow EU citizens to directly (or via their national governments) submit complaints to an independent judicial body if they believe U.S. national security agencies have unlawfully handled their personal information.

But that still leaves plenty of questions. Not least how a EU citizen could know to complain in the first place, given the lack of notification of U.S. surveillance intercepts.

The U.S. also still does not have a federal privacy law similar to the EU’s GDPR, meaning its own citizens lack comprehensive protections for their information — illustrating quite how far apart the two jurisdictions remain on this issue.

And while some U.S. states — such as California — have taken matters into their own hands in recent years, passing laws to provide residents with some legal rights wrapping their information, privacy protections for U.S. citizens remain, at best, a patchwork. Given that, it may be tricky for the Biden administration to provide greater rights for non-U.S. citizens to complain about U.S. surveillance vs what the country provides to its own citizens.

Commercial pressure is building on this issue though.

Just this week Facebook/Meta felt moved to publish a blog post — rejecting reporting of its financial filing that claimed its disclosures amounted to a threaten to pull its service out of Europe as a result of the data transfer uncertainty.

“We want to see the fundamental rights of EU users protected, and we want the internet to continue to operate as it was intended: without friction, in compliance with applicable laws — but not confined by national borders,” the tech giant wrote, urging progress on a new deal.

Meta does have its own very pressing cause to press for a fresh ‘fix’, though, given that its business is subject to a very long-standing data transfers complaint — and it’s now over a year since its lead EU data regulator, the Irish Data Protection Commission, promised to swiftly resolve that complaint.

By contrast, EU-based platforms that can localize and legally firewall user data in the bloc, where it’s shielded by the GDPR, have reasons to be cheerful.

To wit: Last month — in the wake of the Austrian ruling — one Poland-based Google Analytics competitor, Piwik Pro, told us that Schrems II was one of the main concerns raised by organisations contacting it to seek a Google Analytics alternative.

“Just two weeks after the Noyb’s 101 complaints list was published we’ve acquired as a customer one the major banks listed there,” said CEO Maciej Zawadziński. “Interest in our product and services is directly affected by all the developments in the privacy & compliance space. The Schrems II ruling was big for us last year, just like the Austrian DPA’s ruling is fairly big now.

“We predict that in 2022 local EU data storage that eliminates offshore data transfers completely will be an important selling point.”

Zawadziński added that the company had opened an EU located data center to host and process client data for this reason, noting: “The data center is managed by an EU company and neither we nor any of our suppliers is subject to the [U.S.] Cloud Act.”

Schrems also predicts a splintering of digital services and dedicated EU product provision — unless or until the U.S. reforms its approach to privacy. “In the long run we either need proper protections in the U.S., or we will end up with separate products for the U.S. and the EU. I would personally prefer better protections in the U.S., but this is up to the U.S. legislator — not to anyone in Europe,” he added in a statement.

This report was updated with additional comment

As its data flows woes grow, Google lobbies for quickie fix to EU-US transfers

Facebook’s EU-US data transfers face their final countdown

In bad news for US cloud services, Austrian website’s use of Google Analytics found to breach GDPR

More TechCrunch

London-based fintech Vitesse has closed a $93 million Series C round of funding led by investment giant KKR.

Vitesse, a payments and treasury management platform for insurers, raises $93M to fuel US expansion

Zen Educate, an online marketplace that connects schools with teachers, has raised $37 million in a Series B round of funding. The raise comes amid a growing teacher shortage crisis…

Zen Educate raises $37M and acquires Aquinas Education as it tries to address the teacher shortage

“When I heard the released demo, I was shocked, angered and in disbelief that Mr. Altman would pursue a voice that sounded so eerily similar to mine.”

Scarlett Johansson says that OpenAI approached her to use her voice

A new self-driving truck — manufactured by Volvo and loaded with autonomous vehicle tech developed by Aurora Innovation — could be on public highways as early as this summer.  The…

Aurora and Volvo unveil self-driving truck designed for a driverless future

The European venture capital firm raised its fourth fund as fund as climate tech “comes of age.”

ETF Partners raises €284M for climate startups that will be effective quickly — not 20 years down the road

Copilot, Microsoft’s brand of generative AI, will soon be far more deeply integrated into the Windows 11 experience.

Microsoft wants to make Windows an AI operating system, launches Copilot+ PCs

Hello and welcome back to TechCrunch Space. For those who haven’t heard, the first crewed launch of Boeing’s Starliner capsule has been pushed back yet again to no earlier than…

TechCrunch Space: Star(side)liner

When I attended Automate in Chicago a few weeks back, multiple people thanked me for TechCrunch’s semi-regular robotics job report. It’s always edifying to get that feedback in person. While…

These 81 robotics companies are hiring

The top vehicle safety regulator in the U.S. has launched a formal probe into an April crash involving the all-electric VinFast VF8 SUV that claimed the lives of a family…

VinFast crash that killed family of four now under federal investigation

When putting a video portal in a public park in the middle of New York City, some inappropriate behavior will likely occur. The Portal, the vision of Lithuanian artist and…

NYC-Dublin real-time video portal reopens with some fixes to prevent inappropriate behavior

Longtime New York-based seed investor, Contour Venture Partners, is making progress on its latest flagship fund after lowering its target. The firm closed on $42 million, raised from 64 backers,…

Contour Venture Partners, an early investor in Datadog and Movable Ink, lowers the target for its fifth fund

Meta’s Oversight Board has now extended its scope to include the company’s newest platform, Instagram Threads, and has begun hearing cases from Threads.

Meta’s Oversight Board takes its first Threads case

The company says it’s refocusing and prioritizing fewer initiatives that will have the biggest impact on customers and add value to the business.

SeekOut, a recruiting startup last valued at $1.2 billion, lays off 30% of its workforce

The U.K.’s self-proclaimed “world-leading” regulations for self-driving cars are now official, after the Automated Vehicles (AV) Act received royal assent — the final rubber stamp any legislation must go through…

UK’s autonomous vehicle legislation becomes law, paving the way for first driverless cars by 2026

ChatGPT, OpenAI’s text-generating AI chatbot, has taken the world by storm. What started as a tool to hyper-charge productivity through writing essays and code with short text prompts has evolved…

ChatGPT: Everything you need to know about the AI-powered chatbot

SoLo Funds CEO Travis Holoway: “Regulators seem driven by press releases when they should be motivated by true consumer protection and empowering equitable solutions.”

Fintech lender SoLo Funds is being sued again by the government over its lending practices

Hard tech startups generate a lot of buzz, but there’s a growing cohort of companies building digital tools squarely focused on making hard tech development faster, more efficient and —…

Rollup wants to be the hardware engineer’s workhorse

TechCrunch Disrupt 2024 is not just about groundbreaking innovations, insightful panels, and visionary speakers — it’s also about listening to YOU, the audience, and what you feel is top of…

Disrupt Audience Choice vote closes Friday

Google says the new SDK would help Google expand on its core mission of connecting the right audience to the right content at the right time.

Google is launching a new Android feature to drive users back into their installed apps

Jolla has taken the official wraps off the first version of its personal server-based AI assistant in the making. The reborn startup is building a privacy-focused AI device — aka…

Jolla debuts privacy-focused AI hardware

The ChatGPT mobile app’s net revenue first jumped 22% on the day of the GPT-4o launch and continued to grow in the following days.

ChatGPT’s mobile app revenue saw its biggest spike yet following GPT-4o launch

Dating app maker Bumble has acquired Geneva, an online platform built around forming real-world groups and clubs. The company said that the deal is designed to help it expand its…

Bumble buys community building app Geneva to expand further into friendships

CyberArk — one of the army of larger security companies founded out of Israel — is acquiring Venafi, a specialist in machine identity, for $1.54 billion. 

CyberArk snaps up Venafi for $1.54B to ramp up in machine-to-machine security

Founder-market fit is one of the most crucial factors in a startup’s success, and operators (someone involved in the day-to-day operations of a startup) turned founders have an almost unfair advantage…

OpenseedVC, which backs operators in Africa and Europe starting their companies, reaches first close of $10M fund

A Singapore High Court has effectively approved Pine Labs’ request to shift its operations to India.

Pine Labs gets Singapore court approval to shift base to India

The AI Safety Institute, a U.K. body that aims to assess and address risks in AI platforms, has said it will open a second location in San Francisco. 

UK opens office in San Francisco to tackle AI risk

Companies are always looking for an edge, and searching for ways to encourage their employees to innovate. One way to do that is by running an internal hackathon around a…

Why companies are turning to internal hackathons

Featured Article

I’m rooting for Melinda French Gates to fix tech’s broken ‘brilliant jerk’ culture

Women in tech still face a shocking level of mistreatment at work. Melinda French Gates is one of the few working to change that.

2 days ago
I’m rooting for Melinda French Gates to fix tech’s  broken ‘brilliant jerk’ culture

Blue Origin has successfully completed its NS-25 mission, resuming crewed flights for the first time in nearly two years. The mission brought six tourist crew members to the edge of…

Blue Origin successfully launches its first crewed mission since 2022

Creative Artists Agency (CAA), one of the top entertainment and sports talent agencies, is hoping to be at the forefront of AI protection services for celebrities in Hollywood. With many…

Hollywood agency CAA aims to help stars manage their own AI likenesses