CNIL orders three controllers to comply with GDPR after decision that using Google Analytics is illegal
Only weeks after the groundbreaking decision by the Austrian Data Protection Authority that the continuous use of Google Analytics violates the GDPR, the French Data Protection Authority (CNIL) ordered three French websites to comply with the GDPR. All these decisions are based on noyb's 101 model complaints which were filed after the Court of Justice ruling invalidating Privacy Shield. noyb expects similar decisions by the other authorities.
“Google Analytics provides statistics on website traffic. After receiving complaints from the NOYB association, the CNIL, in cooperation with its European counterparts, analysed the conditions under which the data collected through this service is transferred to the United States. The CNIL considers that these transfers are illegal and orders a French website manager to comply with the GDPR and, if necessary, to stop using this service under the current conditions.” ― CNIL Press Release.
2020 CJEU ruling hits the real world. In July 2020, the CJEU has issued its groundbreaking “Schrems II” ruling, holding that a transfer to US providers that fall under FISA 702 and EO 12.333 violate the rules on international data transfers in the GDPR. The CJEU consequently annulled the transfer deal “Privacy Shield”, after annulling the previous deal “Safe Harbor” in 2015. While this sent shock waves through the tech industry, US providers and EU data exporters have largely ignored the case. Just like Microsoft, Facebook or Amazon, Google has relied on so-called “Standard Contract Clauses” to continue data transfers and calm its European business partners.
“It’s interesting to see that the different European Data Protection Authorities all come to the same conclusion: the use of Google Analytics is illegal. There is a European task force and we assume that this action is coordinated and other authorities will decide similarily.” ― Max Schrems, honorary chair of noyb.eu
Decision relevant for almost all EU websites. Google Analytics is the most common statistics program. While there are many alternatives that are hosted in Europe or can be self-hosted, many websites rely on Google and thereby forward their user data to the US multinational. The fact that data protection authorities may now gradually declare US services illegal, puts additional pressure on EU companies and US providers to move towards safe and legal options, like hosting outside of the US.
Long Term Solution. In the long run, there seem to be two options: Either the US adapts baseline protections for foreigners to support their tech industry, or US providers will have to host foreign data outside of the United States.
“In the long run we either need proper protections in the US, or we will end up with separate products for the US and the EU. I would personally prefer better protections in the US, but this is up to the US legislator – not to anyone in Europe.” ― Max Schrems
The article was first published here.
(Contribution by: EDRi member NOYB)