InterHop, an association specializing in free software, has referred the matter to the National Commission for Computing and Liberties (CNIL) so that e-health players such as Alan, HelloCare, Keldoc or Maiia stop using Google Analytics. According to the association, the Mountain View firm's website audience measurement service processes the data it collects illegally.
A referral motivated by the decisions of the Austrian CNIL and the CJEU
InterHop's referral to the CNIL was first motivated by a decision of the Datenschutzbehörde, the Austrian CNIL. On January 13, 2022, the latter issued a decision in which it ruled against the legality of the use of Google Analytics. According to that decision, the tool does not comply with the General Data Protection Regulation (GDPR).
This decision was made possible by the Schrems II judgment of July 16, 2020. On that day, the Court of Justice of the European Union (CJEU) invalidated a previous agreement, the Privacy Shield, which allowed the transfer of personal data to a country outside the European Union, here the United States. As a result, the transfer of personal data to the United States is not considered secure, because it does not sufficiently protect the privacy of European citizens.
Additionally, Google admitted to hosting all data collected by Analytics in the United States, whether collected in America, Asia, Africa, Oceania, or Europe. So when a company uses Google Analytics, it transmits the data it collects to Google in the United States, and is therefore in breach of the law.
French e-health players cited by InterHop for their use of Google Analytics
For all these reasons, InterHop contacted the CNIL, asking it "to analyze the consequences of the Schrems II case law on the use of the Google Analytics service concerning all e-health players (such as Maiia, KelDoc, HelloCare, Alan, Recare, Qare, Medadom, Implicity, Therapixel) and to stop processing that proves to be illegal".
InterHop points out that health data is sensitive data whose processing must strictly comply with the conditions of the GDPR. It thus affirms that the actors of the e-health sector "must ensure that they are not subject, in whole or in part, to injunctions from third-party jurisdictions or administrative authorities obliging them to transfer data to them".
In Europe and France, two texts are in the sights of the authorities (including the CNIL): the Foreign Intelligence Surveillance Act (FISA), which makes it possible to target people located outside the United States, and the Executive Order, which legalizes techniques for intercepting signals from or to the United States. For example, the United States may require Microsoft to transfer data it hosts at any time, including when security reasons are invoked.