Following a decision earlier this year that found a local website's use of Google Analytics to be in violation of European Union law, France's data protection watchdog has issued updated guidance on the use of analytics tools.

It has confirmed that it has issued formal notices to other organizations to bring their use of Google Analytics into compliance.

The legal issue, which affects use of the popular analytics tool not only in France but across the entire EU, hinges on user data being transferred to the US for processing by Google, without adequate legal protections in the wake of a 2020 decision by Europe's top.

The EU and the US agreed on a replacement transfer mechanism in March.

The joint statement is not a legal framework and cannot be relied on by users of US cloud services that take Europeans' data over the pond for processing ahead of an actual replacement deal being formally adopted by the EU. It will face fresh legal challenges to see if the deal is the same as the earlier ones.

EU websites can either make changes to their use of Google Analytics or risk regulatory enforcement, which can include an order to amend their processes and a financial penalty for being in violation. It is likely that the risk of fines for non-compliance is going to go up now that regulatory guidance is getting more detailed.

The use of Google Analytics by data controllers in a similar way to already notified organizations is now considered illegal under the EU's General Data Protection Regulation. They need to turn to a service provider that can offer enough guarantees of conformity.

The possibility of a further month's extension is available for any site that gets a formal notice from the regulators about their use of the analytics tool.

It is not possible for EU-based organizations to use the tool without applying certain additional safeguards, according to the FAQ.

In response to the question of whether it is possible to rely on the US intelligence services, it states that there are no additional guarantees presented to the CNIL.

Standard contractual clauses are not enough to bridge the legal gap on data exports, and even if they were, they wouldn't be able to prevent data transfers to other countries. Personal data hosted on servers located in the European Union may be required to be disclosed by organizations.

If the encryption keys are held under the exclusive control of the data exporter or other entities established in a territory offering an adequate level of security, EU-based users of the tool may be able to apply to use it without breaching the law.

Obtaining explicit consent from users to a data transfer can be done, but only in exceptional circumstances according to the regulator. If you thought disrupting every visitor with an explicit consent request was a good idea, you were wrong.

In order to avoid user consent for processing data, the CNIL has published a list of alternative analytics tools. It warns that the list doesn't take into account the international transfers issue and that site owners still need to do their own legwork to determine whether alternative analytics tools are a less risky option.

Austria is one of the EU data protection authorities that has been issuing websites with decisions regarding non-compliant use of the internet search engine.

The complaints were filed by the EU privacy advocacy group, noyb, in August of 2020.

There was a response from the company.