Google Analytics Violates GDPR, Says French Privacy Authority


Popular web analytics service Google Analytics does not comply with European privacy laws, says the Commission Nationale de l’Informatique et des Libertés (CNIL), France’s privacy watchdog. The regulator stated that Google Analytics transfers the personal data of EU citizens to the US without appropriate security measures, a violation of the General Data Protection Regulation (GDPR).

An unnamed French website is the subject of the controversy. CNIL has ordered the website manager to comply with the GDPR. Article 44 of the GDPR does not allow the transfer of personal data to countries outside the EU that do not have adequate privacy protections.

CNIL has also ordered the website to stop using Google Analytics “under the current conditions.” This decision could have a sweeping effect on all EU websites which use the service.

Over 100 Complaints Filed against Google Analytics in the EU

Google Analytics is an integrated service that provides important information relating to the number of visits by internet users. Every website visitor is assigned a unique identifier, and under the GDPR, this identifier constitutes personal data. Google transfers the identifier and some associated data to the United States.

CNIL said it has previously received several complaints regarding this data transfer to the US. The NOYB association has filed 101 complaints across 27 EU member states and 3 European Economic Area states. The association says that 101 data controllers are unlawfully transferring personal data to the United States through Google Analytics.

CNIL’s Finding in Line with Schrems II Judgment

CNIL’s finding is in line with the ruling of the Court of Justice of the European Union (CJEU) in the Schrems II judgment in 2020. In that case, the CJEU invalidated the EU-US Privacy Shield, a data transfer agreement between the European bloc and the United States.

The CJEU found that security and intelligence agencies in the US can access personal information more easily than those in the EU. This creates a security concern for the personal data of EU citizens, which means such transfers don’t comply with the GDPR.

In the absence of the Privacy Shield, or any adequacy agreement, data transfers to the US are only valid when the parties provide certain guarantees.

CNIL acknowledged that Google has added new measures to regulate data transfers under its Analytics service. However, it said these measures still do not prevent intelligence agencies from accessing the data.


Technology policy researcher
Prateek is a technology policy researcher with a background in law. His areas of interest include data protection, privacy, digital currencies, and digital literacy. Outside of his research interests, Prateek is an avid reader and is engaged in projects on sustainable farming practices in India.