French data protection regulators on Thursday detected the use of Google Analytics is breaking the law General provisions on data protection (GDPR) of the European Union in the country, almost a month after a similar decision was made in Austria.
As a result, the National Commission on Informatics and Freedom (CNIL) ruled that transatlantic movement of data Google Analytics to the United States is not “regulatory enough” for a violation of Article 44 et seq. of the data protection ordinance, which governs the transfer of personal data to third countries or international organisations.
Specifically, the independent administrative regulator highlights the lack of comparable privacy protections and the risk that “US intelligence services will access personal data transferred to the United States if the transfer delivery is not properly regulated.”
“[A]CNIL said that while Google has adopted additional measures to regulate data transmission in the context of Google Analytics functionality, these measures are not sufficient to exclude the accessibility of this data to third parties. intelligence services of the United States. who uses this service and whose data is exported. “
As part of the order, CNIL recommended that one of the violating websites comply with GDPR by either discontinuing the use of the Google Analytics functionality or by using an unrelated alternative website traffic monitoring tool. for deliveries outside the European Union, giving a one-month deadline to comply.
In addition, the watchdog emphasized that website audience analysis and measurement services such as Google Analytics should only be “used to generate anonymized statistical data, thereby allowing consent waivers if the user data control ensures that there is no illegal transfer.”
The development comes amid new warnings from Meta Platforms, the owner of social networks such as Facebook, Instagram and WhatsApp, that the law regulating how EU citizens’ user data is transferred to the US could be dangerous. may result in the withdrawal of services from the area.
“If a new transatlantic data transmission framework is not adopted and we cannot continue to rely on the SCC (standard contract terms) or on other alternative data transmission mediums from Europe, Europe to the United States, we won’t be able to deliver some of our most important products and services, including Facebook and Instagram, in Europe,” the company said in an annual report published today. released earlier this week.
The ruling also comes less than two weeks after a regional court in the German city of Munich found that there was no consent to embedding Google Fonts on a website and passing the IP address to Google via a library. of users is a violation of GDPR laws, which require the website operator to pay. 100 € compensation for damages.