France says Google Analytics breaches GDPR when it sends data to US
Hapless unnamed website manager given one month to strip GA from their site
French data protection authority CNIL has declared that Google Analytics breaches Euro privacy law, the General Data Protection Regulation (GDPR), because it transfers European netizens' data to America.
In a statement this morning CNIL said it "considers these transfers to be illegal," blowing a large hole in French usage of one of the world's most ubiquitous traffic-counting suites.
Precise details of exactly what laws Google Analytics breaches were not explained in the statement. We have asked CNIL for more detail and will update this article if it responds.
The decision, while only applicable inside France, is likely to be echoed around the European Union: CNIL confirmed it had reached its decision in cooperation with its other EU data protection counterparts – and today's ruling mirrors one made by Austria a month ago.
Celebrating the decision, privacy campaigner Max Schrems, whose complaints had triggered the CNIL probe, cheered: "In the long run we either need proper protections in the US, or we will end up with separate products for the US and the EU. I would personally prefer better protections in the US, but this is up to the US legislator – not to anyone in [the EU]."
CNIL's decision found that Google Analytics' operation contravened article 44 onwards of the EU's General Data Protection Regulation. The French agency read the EU directive together with the famous Schrems II judgment of the EU Court of Justice, which struck down the old Privacy Shield transatlantic data-sharing agreement.
The regulator ordered an unnamed website manager to strip Google Analytics out of their site, giving them a month to comply. It added: "Concerning the audience measurement and analysis services of a website, the CNIL recommends that these tools be used only to produce anonymous statistical data, thus allowing an exemption from consent if the data controller ensures that there are no illegal transfers."
The decision boils down to the US not having EU-style data protection laws preventing secret transfer of personal data from corporations to US law enforcement and spy agencies. Nonetheless both the United States and the political bloc have, until now, fudged the issue by publishing standard contractual clauses that allow commerce to continue while politicians haggle over a permanent solution to the problem.
Article 44 of the GDPR says "processing should be lawful where it is necessary in the context of a contract" while article 45 states:
Where processing is carried out in accordance with a legal obligation to which the controller is subject or where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority, the processing should have a basis in Union or Member State law.
CNIL's decision reiterates the Austrian finding that automatic operation of Google Analytics (think of all the cookie opt-out boxes which put analytics under the "necessary and not disable-able" heading) does not qualify for the "necessary for the performance of a task" exemption in the GDPR.
Google did not immediately respond to a request for comment.
A lawsuit filed in the US last year alleged that Google Analytics can still track users of its Chrome browser in incognito mode. ®
The Register uses Google Analytics, as specified in the cookie notice shown to all you fine folk browsing our digital doings.