The National Commission for Computing and Liberties (CNIL) bangs its fist on the table. The data protection authority has issued a formal notice to Google, this February 10, for European data transfers to the United States of its Google Analytics service, after a complaint from the Noyb association. The American giant has one month to comply or to suspend its service.
Google Analytics does not comply with the GDPR
Analytics, for those who don’t know, is a free Google service used by many websites, including Century Digital, to analyze its audience. It provides information such as the number of unique visitors, in particular in real time, the number of pages viewed, which ones are viewed, the average duration of visits, the origin of visitors, etc.
To perform these measurements, Google assigns a unique and anonymous identifier to each visitor. According to the CNIL, this identifier can allow Google to find the identity of visitors by cross-checking the data available to the group, so it constitutes personal data. The problem is that this data is transferred to the United States.
Tech Leaders: Euronext announces the launch of a European Nasdaq
Article 44 of the General Data Protection Regulation, the famous GDPR, prohibits the transfer of European personal data to a country that does not provide equivalent protection to the regulations of the Old Continent. For the CNIL, “ transfers to the United States are not sufficiently supervised at present “.
The CNIL recognizes that measures have been taken by Google to protect the transfer of European data, but the authority considers that ” these are not sufficient to exclude the possibility of access by the American intelligence services to this data “.
Since the Schrems II judgment, named after the founder of the Noyb association, the Court of Justice of the European Union (CJEU) in July 2020 broke the Privacy Shield agreement governing the transfer of data to the United States from 2016. It was deemed insufficient to protect European data from American information, due to a local law, the Cloud Act.
The European CNILs work hand in hand
Noyb, which specializes in data protection issues, hastened to file 101 complaints in the 27 EU Member States and in 3 countries of the European Economic Area.
The Datenschutzbehörde (DSB), the equivalent of the CNIL in Austria, made a similar decision to the French authority on January 13, it was followed by the Dutch authority the same month. Other authorities could follow, the CNIL explaining that it has worked ” in cooperation with its European counterparts “.
Google Analytics could theoretically disappear in Europe. The notice from the data protection authority offers one of these options for Mountain View to comply with the GDPR, “ if necessary by ceasing to use the Google Analytics functionality (under current conditions) or by using a tool that does not result in a transfer outside the EU “.
Google has not yet reacted, but the French decision being very close to its Austrian counterpart, we can expect a similar response. Google initially estimated that the measures taken ” ensure convenient and effective data protection to any reasonable standard “. The American giant also claims to have never received requests from American intelligence.
The problem of EU-US data transfer
The most interesting element comes later, on January 19, via a blog post. Google asks the European and American authorities to find a solution, “ European and American businesses expect the European Commission and the US Department of Commerce to quickly finalize a successor agreement to the Privacy Shield to resolve these issues “.
Google does not hesitate to press the United States and the European Union ” we urge swift action to restore a practical framework that protects privacy and promotes prosperity “.
Google’s position is actually very similar to that of Meta at the beginning of February, when the group raised the prospect of leaving the European continent in a document intended for the policeman of the American stock market. Mark Zuckerberg’s company has defended itself from any threat, a term used by the media, including Century Digitalagainst the European authorities.
For Meta, this is a description of the reality of its situation since the Privacy Shield made the transfer of European data to the United States liable to fall under the scope of the GDPR.
Meta, like Google, is above all seeking to put pressure on the EU and the United States to find an agreement governing the transfer of data between the two. The two American giants are gradually being caught up with by European data protection authorities.
It would be the third agreement of this type and so far all have been broken by the CJEU because it was not sufficiently protective. This explains why the ongoing negotiations are dragging on. Europeans want a level of protection worthy of the GDPR, if only for legal issues, the United States does not want to give up its Cloud Act.
In the meantime Meta, Google and others could, for example, locate European data in Europe or find tips for protecting data that must cross the Atlantic, but that does not seem to be on the agenda.