Using Google Analytics to violate GDPR? CNIL ordered the website to be rectified within one month

Recently, the French Data Protection Authority (CNIL) issued a statement after investigating data transfers by a local website, saying that the site's use of Google Analytics (Google's website traffic analysis tool) violated the relevant provisions of the General Data Protection Regulation (GDPR). It required the website to stop using the tool or switch to an alternative analytics tool within one month. Google has so far declined to comment on the CNIL statement.

The CNIL's investigation into data transfers by multiple websites dates back to 2020. In July 2020, the Court of Justice of the European Union declared the Privacy Shield, a cross-border data transfer agreement between the European Union and the United States, invalid. The Court held that it was still possible for U.S. intelligence agencies to obtain user information under the agreement, and that EU citizens lacked effective access to judicial remedies in the United States and so could not adequately protect their personal data.

However, it is reported that a month after the "Privacy Shield" was declared invalid, many companies still used Google Analytics and other functions for data transmission, and Google and other companies still used the "Privacy Shield" as the legal basis for data transmission.

To that end, in August 2020, None Of Your Business (noyb), a nonprofit founded by Austrian lawyer and privacy activist Max Schrems, filed 101 complaints against CNIL over EU-wide websites that continued to use web analytics technology developed by companies such as Google, accusing the 101 site managers of transferring the personal data of EU citizens to the United States.

According to a recent statement released by the CNIL, it investigated after receiving the noyb association complaint and worked with a party to analyze the use of the feature to collect data and transmit it to the United States and the risks that the individuals involved may face.

CNIL found that websites that had committed such acts violated the GDPR and required webmasters to comply with the GDPR, make corrections within a month, and stop using Google Analytics features or adopt alternative technologies. In addition, the agency has issued similar notices to other website operators, and subsequent investigations into the transmission of data from the website will be extended to other technical tools.

Article 44 of the GDPR prohibits the transfer of personal data from within the EU to "third-party countries" that do not have equivalent privacy protections. In the CNIL's view, the level of privacy protection in the United States is more relaxed than in the European Union, leaving EU users with no way of knowing whether their data is collected, how it is used, and with whom it is shared.

The CNIL concludes that the transfer of data to the United States is currently not adequately regulated. Although Google has taken additional steps to regulate data transfers under Google Analytics, these are not enough to rule out the possibility of US intelligence agencies accessing this personal data. "Therefore, a French website that uses this service and exports data puts users at risk," the statement read.

However, the CNIL does not completely ban Google Analytics. For audience measurement and analytics services, a website can use the tool to generate anonymous statistics and qualify for an exemption from consent, as long as the data controller does not transmit the data illegally. Specifically, the CNIL has now launched an evaluation program to determine the circumstances in which the consent exemption applies.

In fact, France is not the first country to make this decision. In January this year, also on the basis of a complaint from the noyb association, the Austrian data regulator found an Austrian website to be in violation of the GDPR for its continued use of Google Analytics.

"In the long run, either we get proper protection in the U.S. or (Google) ends up offering different products to the U.S. and the EU," Schrems said in response to the CNIL statement. "I personally would prefer better protection in the United States, but it is up to U.S. legislators — not anyone in Europe."

Compilation/Synthesis: Nandu trainee reporter Fan Wenyang