The News: Last week, the French privacy watchdog found that Google Analytics breaches GDPR data transfer rules. According to the decision, data transfers of EU data to the US are not sufficiently regulated and therefore violate the data protection law. The governing body, the Commission Nationale de l’Informatique et des Libertés (CNIL), is giving organizations that use Google Analytics one month to stop using the service. Read the full ruling from CNIL.
French Privacy Watchdog Finds Google Analytics Breaches GDPR
Analyst Take: Google’s track record for privacy conflicts in the European Union continues to trend in a negative direction as it loses yet another battle, this time at the hands of CNIL, the French data protection agency responsible for ensuring that information technology remains at the service of citizens. The ruling handed down by the CNIL Thursday found that data transfers to the US are not sufficiently regulated and that Google Analytics’ current practices in the transfer of data between countries breach GDPR data transfer rules, specifically as it relates to the accessibility of data by US intelligence services. This ruling follows a similar ruling about a month ago in Austria.
Some Background on and The History of Trans-Atlantic Data Transfer Laws
In July of 2020, the EU eliminated the EU-US Data Privacy Shield agreement which allowed companies — primarily big tech players like Google and Meta — to transfer data freely across borders that were considered to have both high and legally enforced standards that could be trusted to both limit access to data of EU citizens and also prevent the bulk collection of user information.
Data privacy advocates have long been concerned about the lack of data privacy protection for EU citizens, especially as it relates to US surveillance laws. Austrian activist and attorney Max Schrems has worked for years fighting against data being sent outside the EU to US servers, filing complaints against Facebook in Ireland, for example, with some success. One of Schrems’ victories included an October 2015 ruling by the EU’s Court of Justice invalidating the Safe Harbor Principle, which was designed to protect privacy by preventing private organizations within the EU or the US which store customer data from accidentally disclosing or losing personal information.
The “Schrems II” judgment of the Court of Justice of the European Union mentioned above found that the privacy shield did not adequately satisfy GDPR requirements for personal data protection and that intelligence agencies like the NSA could access data at that time. Companies were told to stop using services that transferred data illegally, which it felt was problematic. There has not, however, been any recourse until now.
Following the abolition of the Safe Harbor Principle, the Standard Contractual Clauses (SCC) were created to ensure appropriate data protection safeguards, which, in conjunction with Privacy Shield, allowed organizations to transfer data between countries. July 2020 saw the striking down of Privacy Shield. In June of 2021, the European Commission updated the standardized contractual clauses under the GDPR replacing earlier sets of SCCs and expected to be effective until late December 2022. What remains problematic here is that rulings like the one in Austria and this one from French data protection authorities mean that SCCs can no longer be relied upon, which will likely affect some products and services currently available in Europe.
The complaint that triggered this French investigation was one of 101 complaints filed throughout 27 EU Member States to privacy advocacy group NOYB in 2020. This is the second ruling — after the one in Austria last month mentioned earlier — to find that Google Analytics breaches GDPR. In this instance, CNIL concluded that data transfers to the US weren’t sufficiently protected and that in spite of additional measures Google has taken, they weren’t deemed enough to protect data from accessibility by US intelligence services.
In addition, CNIL noted that data transferred to the US was in violation of Articles 44 et seq. of the GDPR and that data processing would need to be in compliance with GDPR moving forward, including the cessation of using Google Analytics by organizations and their webmasters until such time as its compliance has been deemed acceptable.
Bottom line, it’s obviously a ruling that will have a significant impact on companies doing business in the EU and in the habit of transferring customer data to US-based servers. They will now need to figure out which alternative methods they want to use, and/or the data from Google Analytics’ (or any provider’s) website audience measurement and analysis services will need to be completely anonymized to render it acceptable under these new rulings.
These rulings could have greater fallout than just companies no longer using Google Analytics. Without a data transfer protection framework in place, many US-based services are at risk of losing EU users. In Meta’s annual SEC filing report, released last week, the tech giant warned that it may have to pull its services such as Instagram, Facebook, and WhatsApp from the EU until a new agreement can be reached. It’s important to note though that politicians across the EU did not take kindly to the perceived threat and Meta has since walked back those comments.
As of now, French companies have one month to stop using Google Analytics. These companies have to understand how their data is flowing across the pond as it is ultimately the website owner who is responsible for protecting their users’ privacy. As I said previously, I don’t think this will be the last ruling we see from EU privacy watchdogs like this. I also think that big tech will have to get much more serious about privacy protection frameworks and not take their access to user data for granted. While the EU won this particular battle, the war is far from over, and this will be an interesting one to watch.
Disclosure: Futurum Research is a research and advisory firm that engages or has engaged in research, analysis, and advisory services with many technology companies, including those mentioned in this article. The author does not hold any equity positions with any company mentioned in this article.
Image Credit: Wired
Shelly Kramer is a Principal Analyst and Founding Partner at Futurum Research. A serial entrepreneur with a technology centric focus, she has worked alongside some of the world’s largest brands to embrace disruption and spur innovation, understand and address the realities of the connected customer, and help navigate the process of digital transformation. She brings 20 years' experience as a brand strategist to her work at Futurum, and has deep experience helping global companies with marketing challenges, GTM strategies, messaging development, and driving strategy and digital transformation for B2B brands across multiple verticals. Shelly's coverage areas include Collaboration/CX/SaaS, platforms, ESG, and Cybersecurity, as well as topics and trends related to the Future of Work, the transformation of the workplace and how people and technology are driving that transformation. A transplanted New Yorker, she has learned to love life in the Midwest, and has firsthand experience that some of the most innovative minds and most successful companies in the world also happen to live in “flyover country.”