France’s privacy regulator has recently found that Google Analytics was breaching the European Union’s General Data Protection Regulation (GDPR).
Indeed, the Commission Nationale de l’Informatique et des Libertés (CNIL) reported that the unnamed local website’s use of Google Analytics was in violation of the GDPR. The tool in question was breaching Article 44, which bans personal data transfers from within the bloc to third-party countries that don’t have equivalent privacy protections in place, such as the US.
The current investigation into the unnamed local website was done after receiving 100 other complaints to the privacy advocacy group Noyb following the removal of the EU-US Privacy Shield agreement in 2020. Hence, the CNIL has ordered the website to comply with the GDPR or it would have to stop using Google Analytics under the current conditions.
Even though Google has adopted additional measures to regulate data transfers for Google Analytics, it is still not enough to exclude the accessibility of this data for US intelligence services. French website users are at risk to have their data exported.
There are however instances where the use of Google Analytics meets GDPR requirements, thus this could create a consent exemption as long as the data is not transferred illegally. Besides, CNIL aims to launch an evaluation to know which audience measurement and ad tools are exempt from consent.