French Data Supervisory Authority warns against illegal use of Google Analytics

- Advertisement -

The French supervisory authority for data protection CNIL has published updated guide about the use of Google Analytics after the decision has been made Earlier this year who found that using the tool on a local website violated European Union law.

- Advertisement -

He also confirmed that he has since sent legal notices to other organizations to bring their use of Google Analytics into compliance.

- Advertisement -

A legal issue that affects the use of a popular analytics tool not only in France, but throughout the EU, is related to the transfer of user data to the US for processing by Google – the export of personal data, and therefore there is no adequate legal protection. of a 2020 European Supreme Court ruling that invalidated the flagship data transfer agreement (also known as the EU-US Privacy Shield Agreement) due to the risk of illegal access to European data by US intelligence agencies.

Since then, the EU and the US have announced (in March) political deal to replace the transmission mechanism.

- Advertisement -

But, as CNIL points out, their joint statement is not a legal basis and cannot be relied upon by US cloud users who are taking data from Europeans for processing ahead of a de facto replacement agreement formally adopted by the EU, which in The Commission proposed may not happen before the end of the year. (He will also almost certainly run into new legal challenges to see if the deal is as flawed as the previous ones, since data protection experts suspect.)

The bottom line is that EU websites can either make changes to the use of Google Analytics or risk compliance, which could include being ordered to change their processes and a financial penalty for violating it. And it is likely that the risk of fines for non-compliance is increasing now that regulatory guidance on this issue is becoming more detailed, because it means there are fewer plausible excuses for not making the necessary changes.

“All data controllers using Google Analytics are similarly [already notified] organizations must now consider such use illegal under the GDPR. Therefore, they should contact a service provider that offers sufficient guarantees of compliance,” the CNIL warns in the guide. [which we’ve translated from French with machine translation].

Any sites that receive formal notice from the regulator that they are using Google Analytics are given one month to comply, with the option to extend for another month.

The CNIL FAQ on the use of Google Analytics further states that it is practically impossible for EU organizations to use the tool without applying certain additional security measures of their own.

“None of the additional safeguards provided by CNIL as part of the legal notice will prevent or render ineffective access by US intelligence agencies to the personal data of European users using only the Google Analytics tool,” the response to the question says. whether or not you can rely on additional security measures that Google claims to apply to the tool.

Standard contractual clauses are also not enough to close the legal gap in data export, the CNIL also stresses, noting that it is not possible to configure Google Analytics in such a way that it does not transfer personal data of Europeans outside the block, and further warning: “Even in the absence of a transfer, the use of solutions offered by companies under non-European jurisdictions is likely to cause difficulties in terms of data access. Indeed, the authorities of third countries may oblige organizations to disclose personal data hosted on servers located in the European Union.”

According to the FAQ, the possible additional security measures that EU Google Analytics users can apply to use the tool without breaking the law are limited to: encryption (but only if the keys are under the sole control of the data exporter or other legal entities created by in an area that provides an adequate level of protection); or a proxy server (to avoid any direct contact between the Internet user terminal and the measurement tool servers).

The regulator suggests that obtaining explicit user consent for data transfers may also remain valid, but only in exceptional circumstances, as the CNIL notes that a derogation cannot be used for systematic transfers (which, in essence, are Google Analytics data feeds). Thus, explicit consent is not a viable solution, even if you think it’s a good idea to interrupt every visitor with such a request.

Previously, CNIL published list of alternative analytics tools it determined that they could be configured in such a way as to avoid the general need to obtain user consent for data processing. However, he cautions that this list does not take into account the issue of international transfers – therefore, site owners still need to do their own work to determine if alternative analytics tools are offered, say those offered by an EU software maker that does all the processing in the EU. may offer a less legally risky option than Google Analytics.

Other EU data protection authorities (such as the Austrian ones) also publish websites with decisions regarding the inappropriate use of Google Analytics.

The regulatory scrutiny follows a series of complaints filed by an EU privacy advocacy group. noebback to August 2020 — targeting on Google Analytics and Facebook Connect. So even though Google’s analytics tool was first in line for DPA decisions, the issue is not limited to Google or analytics tools and may affect many other services in the US with clients in the EU.

Google was contacted for a response to the CNIL leadership.

Credit: /

- Advertisement -

Stay on top - Get the daily news in your inbox

DMCA / Correction Notice

Recent Articles

Related Stories

Stay on top - Get the daily news in your inbox