Recently, an independent whistleblower in France found that the use of Google Analytics is non-compliant with the GDPR, forcing retailers to stop using the popular service for the time being. The GDPR (General Data Protection Regulation) is a law within the European Union that regulates the data protection and privacy rights of European citizens.
France isn’t the first country to have serious privacy concerns with Google Analytics, and it likely won’t be the last. As people continue to question Google’s data collection methods, there could be a major shift in the way we do business online.
Read on to learn about France’s ruling against Google Analytics, what concerns citizens have, and how this might change Google’s presence in the EU for good.
Background
The world was first alerted to the shocking lack of privacy on the internet when Edward Snowden exposed the NSA (National Security Agency) in 2013. Snowden found that the NSA was spying on U.S. residents and viewing international data transfers with users’ personal information, which led to the creation of the CNIL (Commission Nationale de l’informatique et des libertés) in France and the NOYB (European Center for Digital Rights) in Austria.
In 2020, a European Union court ruling further raised the standards for these independent regulatory organizations. The court expressed doubts and concerns about American surveillance practices and data transfer laws, urging European watchdogs to be on the lookout for anything that seems non-compliant with the GDPR. This ultimately led to the NYOB’s ruling on Google Analytics in 2022, followed closely by CNIL’s ruling.
About Google Analytics
Google Analytics is one of the most popular website analytics tools available to businesses and website owners around the world. The tool is capable of tracking website traffic, monitoring how people land on the site, how long they spend browsing each page, and how well different marketing efforts work. Some people see this data collection as non-invasive and ultimately beneficial for their businesses and their customers.
The EU, on the other hand, has found that the alleged safeguards in place for website visitors aren’t fully protecting the users’ personal data. Max Schrems, honorary chair of the NYOB, said, “Instead of actually adapting services to be GDPR compliant, US companies have tried to simply add some text to their privacy policies and ignore the Court of Justice.” He argued that it was time for European businesses to resort to legal action in order to uphold the standards of the GDPR.
NYOB’s and CNIL’s Ruling
The Austrian-based NYOB ruled that the use of Google Analytics would become illegal for website owners in January of 2022 after it found that the service wasn’t providing the protections required by the GDPR. CNIL’s ruling came shortly after in February when the agency discovered that a website’s use of Google Analytics breached Article 44 of the GDPR.
Article 44 of the GDPR “…prohibits the transfer of personal data beyond EU/EEA, unless the recipient country can prove it provides adequate data protection.” Despite Google’s attempts to make the analytics tool conform to the GDPR, the CNIL said that transatlantic data transfers “are currently not sufficiently regulated.”
The decision was made because of the lack of data protection within the U.S. When the unnamed European website used Google Analytics, therefore transferring visitor data to the U.S., it puts those site users at risk of having their privacy violated. Under the GDPR, “personal data” includes email addresses, phone numbers, cookie IDs, and IP addresses, just to name a few.
Future Outlook
Max Schrems said that these rulings are sound, if not overdue. “The bottom line is,” Schrems explained. “Companies can’t use [U.S.] cloud services in Europe anymore. It has now been 1.5 years since the Court of Justice confirmed this a second time, so it is more than time that the law is also enforced. ” In the long run we either need proper protections in the US, or we will end up with separate products for the US and the EU,” Schrems mused. “I would personally prefer better protections in the US, but this is up to the US legislator – not to anyone in Europe.”
