While high-tech companies are still mainly consolidated in and around the U.S., the division between continents continues to deepen, as concerns regarding data privacy remain on the rise in the EU. France’s privacy regulators have ruled that using Google Analytics may represent a breach in EU privacy laws, as the application might transfer the personal data European citizens to United States intelligence services.
Different Privacy Standards
Google Analytics is a widely used tool for obtaining the performance statistics of a given website. The toolset actively tracks metrics such as session duration, pages per session, the bounce rate of individuals using the site, and the information on the traffic source.
According to Article 44 of the General Data Protection Regulation (GDPR), the transfer of personal data beyong the EU/EEA is prohibited unless the recipient country provides adequate data protection. In this instance, the U.S. has far fewer privacy protection measures in place, leaving EU users uncertain as to whether their data is being collected, and for what it’s being used, or with whom it’s being shared.
The CNIL, the French Data Protection Agency, asserts that websites using Google Analytics breach Article 44 of GDPR, as the Google Analytics tool transfers user data to the U.S.
"The CNIL considers that these transfers are illegal and orders all French website managers to comply with the GDPR and, if necessary, to stop using this service under the current conditions,"
the regulator declared in an official statement.
Google has so far declined to comment on the CNIL’s statement. The tech giant has previously claimed that Google Analytics does not track users across the Internet, and that organizations utilizing the tool have control over the data they collect. However, experts in the EU believe that the U.S. tech giant has not taken sufficient measures in guaranteeing data privacy rights under European Union regulations when data is transferred between Europe and the United States.
"Although Google has adopted additional measures to regulate data transfers in the context of the Google Analytics functionality, these are not sufficient to exclude the accessibility of this data for U.S. intelligence services,"
underlined the CNIL.
Websites Must Comply
The French regulator is the second such European data protection authority to reach a negative conclusion on the use of Google Analytics. In January, the Austrian regulator ruled that a website could not realistically both use the Google Analytics tool and also comply with GDPR. Similarly the Dutch authorities have issued a related warning.
The remarks have largely been made in regards to online media outlet HuffPost, retailers Leroy Merlin, Auchan and Decathlon, beauty shop Sephora and telecom operator Free concerning their use of Google and Facebook tools.
The manager of these websites has been given a month to comply by sharing anonymous statistical data or “if necessary, to stop using this service under the current conditions.” The CNIL says that it has also issued similar orders to other website operators in France. Any decisions made in relation to these cases will be of some import for almost all EU websites, as Google Analytics is the most common and widely used statistics tool.
"In the long run, we either need proper protections in the United States, or we will end up with separate products for the U.S. and the EU,"
highlighted Austrian activist and lawyer Max Schrems in reaction to CNIL’s decision.