Google Analytics is a service that can be integrated by websites such as shopping websites to track the number of visitors. Google transfers this identifier and the associated data to the United States. The CNIL received several complaints from the NOYB association regarding the transfer of data collected during website visits using Google Analytics to the United States.
NOYB filed 101 complaints in the 27 EU Member States and three other EEA countries against 101 data controllers accused of transferring personal data to the US. The use of Google Analytics by French data protection regulators was found to be a violation of the European Union’s GDPR laws in the country on Thursday, nearly a month after a similar decision was reached in Austria.
To that end, the National Commission on Informatics and Liberty (CNIL) ruled that the transatlantic movement of Google Analytics data to the United States is not sufficiently regulated, citing a violation of Articles 44 et seq. of the data protection decree, which govern personal data transfers to third countries or international entities.
The independent administrative regulatory body specifically mentioned the lack of comparable privacy safeguards and American intelligence services would access personal data transferred to the United States if the transfers were not properly regulated.
The news comes with new warnings from Meta Platforms, the owner of social media networks such as Facebook, Instagram, and WhatsApp, that legislation governing how E.U. citizens’ user data is transferred to the US could force the company to withdraw its services from the region.
The ruling comes less than two weeks after a regional court in Munich, Germany, ruled that embedding Google Fonts on a website and transferring IP addresses to Google through the library without users’ consent violates GDPR laws, ordering the website operator to pay €100 in damages.
Finally the CNIL concludes that,” transfers to the US are not currently adequately regulated. Indeed, in the absence of an adequacy decision (which would establish that this country provides a sufficient level of data protection in accordance with the GDPR) regarding transfers to the US, data transfers can only take place if appropriate guarantees are provided for this flow in particular.