French data protection regulators on Thursday found the use of Google Analytics a breach of the European Union’s General Data Protection Regulation (GDPR) laws in the country, almost a month after a similar decision was reached in Austria.
To that end, the National Commission on Informatics and Liberty (CNIL) ruled that the transatlantic movement of Google Analytics data to the U.S. is not “sufficiently regulated” citing a violation of Articles 44 et seq. of the data protection decree, which govern the transfers of personal data to third countries or international entities.
Specifically the independent administrative regulatory body highlighted the lack of equivalent privacy protections and the risk that “American intelligence services would access personal data transferred to the United States if the transfers were not properly regulated.”
“[A]lthough Google has adopted additional measures to regulate data transfers in the context of the Google Analytics functionality, these are not sufficient to exclude the accessibility of this data for U.S. intelligence services,” the CNIL said. “There is therefore a risk for French website users who use this service and whose data is exported.”
As part of the order, the CNIL recommended one of the offending websites to adhere to the GDPR by ceasing to utilize the Google Analytics functionality or by using an alternative website traffic monitoring tool that does not involve a transfer outside the E.U., giving it a deadline of one month to comply.
In addition, the watchdog underscored that website audience measurement and analysis services such as Google Analytics should only be “used to produce anonymous statistical data, thus allowing for an exemption from consent if the data controller ensures that there are no illegal transfers.”
The development comes amid fresh warnings from Meta Platforms, the owner of social media networks like Facebook, Instagram, and WhatsApp, that legislation dictating how E.U. citizens’ user data gets transferred to the U.S. could lead to it pulling out the services from the region.
“If a new transatlantic data transfer framework is not adopted and we are unable to continue to rely on SCCs (standard contractual clauses) or rely upon other alternative means of data transfers from Europe to the United States, we will likely be unable to offer a number of our most significant products and services, including Facebook and Instagram, in Europe,” the company said in an annual report issued earlier this week.
The ruling also arrives less than two weeks after a regional court in the German city of Munich found that embedding Google Fonts on a website and transferring the IP address to Google via the library without users’ consent contravenes GDPR laws, ordering the website operator to pay €100 in damages.