French data protection regulators on Thursday found the use of Google Analytics a breach of the European Union’s General Data Protection Regulation (GDPR) laws in the country, almost a month after a similar decision was reached in Austria.
To that end, the National Commission on Informatics and Liberty (CNIL) ruled that the transatlantic movement of Google Analytics data to the U.S. is not “sufficiently regulated” citing a violation of Articles 44 et seq. of the data protection decree, which govern the transfers of personal data to third countries or international entities.
Specifically the independent administrative regulatory body highlighted the lack of equivalent privacy protections and the risk that “American intelligence services would access personal data transferred to the United States if the transfers were not properly regulated.”
“[A]lthough Google has adopted additional measures to regulate data transfers in the context of the Google Analytics functionality, these are not sufficient to exclude the accessibility of this data for U.S. intelligence services,” the CNIL said. “There is therefore a risk for French website users who use this service and whose data is exported.”
As part of the order, the CNIL recommended one of the offending websites to adhere to the GDPR by ceasing to utilize the Google Analytics functionality or by using an alternative website traffic monitoring tool that does not involve a transfer outside the E.U., giving it a deadline of one month to comply.
In addition, the watchdog underscored that website audience measurement and analysis services such as Google Analytics should only be “used to produce anonymous statistical data, thus allowing for an exemption from consent if the data controller ensures that there are no illegal transfers.”
images from Hacker News