French lifeline for online firms using Google Analytics

Online businesses which use Google Analytics have been given a lifeline by the French data protection watchdog, despite a ruling that in most instances the program breaches GDPR, as data transfers to the US are still not appropriately regulated.

The Commission Nationale de l’Informatique et des Libertés (CNIL) ruling follows an investigation into the data practices of an unnamed French website, which found Google Analytics breached Article 44 of GDPR.

The issue dates back 19 months, when the European Court of Justice ruled that the Privacy Shield agreement to transfer personal data between the EU and the US was invalid. It followed a seven year battle by Austrian lawyer and privacy activist Max Schrems, who had argued that the data transfer pact did not provide consumers adequate protection from surveillance by US authorities.

Schrem’s privacy organisation, NOYB, has been pursuing thousands of organisations ever since. Last month, the European Parliament was sanctioned for implementing Google Analytics cookies on a Covid-19 testing site, while the Austrian data protection authority ruled that a German website had also contravened GDPR by using the system.

The CNIL said that Google fails to give consumers adequate information about what happens to their data and how it is used, and also does not provide adequate routes for remedy if they believe their data has been exploited.

The regulator said: “Although Google has adopted additional measures to regulate data transfers in the context of the Google Analytics functionality, these are not sufficient to exclude the accessibility of this data for US intelligence services.

‘There is therefore a risk for French website users who use this service and whose data is exported.”

As part of its order, the CNIL has ordered the offending website to comply with GDPR by either ceasing its use of Google Analytics or adopting an alternative monitoring service that does not send data outside the EU.

However, crucially, CNIL also clarified that there may be some instances where the use of Google Analytics complies with GDPR, such as when the service is exclusively used to generate anonymised statistical data.

Even so, Facebook parent company Meta last week warned it may pull Facebook and Instagram out of the European market if the company is no longer able to transfer European users’ data to the US.