On Thursday, the CNIL said that a certain website’s use of Google Analytics was in breach of the EU’s General Data Protection Regulation (GDPR), which prohibits the transfer of data outside of the region to countries that do not have strong data privacy laws.
Google Analytics is a tool provided by Google that website owners install on their websites to gain insight into their users.
The GDPR would potentially prohibit the transfer of data to the US, which has sweeping anti-surveillance laws that cover only US citizens. The GDPR requires that data protection travel with data exported to countries outside the region.
The CNIL ruling came after an investigation of 101 complaints filed by privacy advocacy group Noyb in August 2020. The complaints followed the invalidation of the EU-US Privacy Shield agreement, which left a cloud of uncertainty over data transfers across the Atlantic.
The CNIL ordered the website that was cited in Noyb’s complaint to comply with the GDPR and “if necessary, to stop using this service under the current conditions.” As in Austria, the CNIL said that the supplementary measures Google said ensured the protection of EU citizens’ data were inadequate.
“[A]lthough Google has adopted additional measures to regulate data transfers in the context of the Google Analytics functionality, these are not sufficient to exclude the accessibility of this data for U.S. intelligence services,” the CNIL writes in a press release announcing the decision.
“There is therefore a risk for French website users who use this service and whose data is exported.”
The CNIL did not rule out the continued use of Google Analytics. However, Google has to make changes to ensure that only “anonymous statistical data” is transferred. The watchdog also suggested the use of alternative analytics tools that do not transfer data outside of the region.
The CNIL said that the investigation impacts “other tools used by sites that result in the transfer of data of European internet users to the United States.” It added: “Corrective measures in this respect may be adopted in the near future.”
In other words, all US-based tools that transfer personal data could face regulatory risk.
But this whole situation could change if the EU and US reach a new data transfer agreement. According to POLITICO, the EU and US are close to signing a new data transfer agreement, which could be unveiled during the Trade and Tech Council meeting in May.
While the European Commission is willing to reach an agreement, the new deal has to address the concerns that led to the invalidation of the previous deal, and that would require a lot of changes to the surveillance practices of the US.