Google Analytics, Illegal in the EU

Google Analytics
is a web analytics service
that gives us a set of tools
and data that only Google has
to analyze how our websites and applications are used.
Thanks to Google Analytics,
we can measure the performance of our marketing actions
against the behavior of users
on our websites and applications.
This service can contribute a lot to understanding our users or clients
so that we can offer them better experiences and,
therefore,
get better results.
However,
not everything's just peachy.

This month,
I read that
the French Data Protection Agency,
CNIL (Commission Nationale de l’Informatique et des Libertés),
determined that the use of Google Analytics is illegal
under GDPR (General Data Protection Regulation).
As you may know,
GDPR
is a set of data protection and privacy rules
within the European Union (EU)
and the European Economic Area (EEA).
These rules apply to any organization
that stores, processes or transfers the personal data of individuals in the EU or EEA,
even if that organization operates outside those territories.

The CNIL's decision
comes right after the same decision
taken earlier this year
by the Austrian Data Protection Authority
(Datenschutzbehörde, DSB).
And both stem from what the Court of Justice of the European Union (CJEU)
had already resolved in 2020.
As I stated at that time,
the CJEU “determined that the EU-U.S. Privacy Shield agreement,
a safeguard used by many companies
to transfer personal data from the European Union to the United States
for commercial purposes,
was invalid.”

Schrems I and II

Let’s briefly revisit
what happened some years ago.
It all started back in 2013
when Austrian privacy rights campaigner
Max Schrems contested the transfer of personal data of European individuals
from Facebook to servers in the U.S.
After typically protracted and tiresome legal imbroglios,
it was finally in 2015
that the CJEU determined that
the principles of the existing Safe Harbor agreement
between the EU and the U.S. Department of Commerce
were inadequate for the protection of EU citizens’ information.
That ruling received the name “Schrems I.”

Almost overnight,
those relying on Safe Harbor had to look for an alternative,
which led to the emergence
of the above-mentioned EU-U.S. Privacy Shield agreement.
And while it was created to be consistent with EU laws
on the use of personal information,
it turned out that U.S. national authorities and intelligence agencies
could still have indiscriminate access to such data.
As I noted,
"requests by these agencies could take priority
over EU personal privacy rights,
according to [the] United States security laws."
Therefore,
the Privacy Shield did not comply with the GDPR.
After another long and arduous effort,
this new agreement was invalidated by the "Schrems II" ruling in 2020.

Once again,
the parties involved,
companies in the U.S. and the EU,
had to seek changes and reformulations.
Despite this,
some simply ignored what had happened,
and it was precisely this
that led to the DSB decision in Austria.
In the words of Erin,
from the Google Analytics alternative Matomo,
"The choice to ignore is what landed one Austrian business
in the [DSB's] line of fire,
damaging the brand's reputation
and possibly resulting in a hefty fine of up to €20 million
or 4% of the organization's global turnover."
But aren't many others surely doing the same thing right now?
Well,
as stated,
a penalty is a possibility;
for now,
what matters is that compliance becomes widespread.

[Image: "Google Analytics Illegal." This image was taken from noyb.eu.]

DSB and CNIL ruled against Google Analytics

It seems that noyb,
the non-profit founded by Max Schrems
that defends the privacy rights of individual users in Europe,
found an inappropriate practice in the aforementioned Austrian company:
it was using Google Analytics.
And Google is among those U.S. providers
that can be compelled by law
to hand over personal data to their country's authorities.
The thing is that
the service was sending IP addresses and other user identifiers
(carried in cookies) to servers in the U.S.
Then,
relying on Schrems II
and rejecting as insufficient the supplementary measures Google had adopted so far,
the DSB was the first to declare that
the use of Google Analytics,
at least in Austria,
is illegal.
Although,
as Schrems himself says,
“The bottom line is:
Companies can’t use U.S. cloud services in Europe anymore.”

So,
not a month passed before France,
through the CNIL,
took the same decision on the use of Google Analytics.
As stated in a press release,
the CNIL orders French website managers/operators to comply with the GDPR
(Articles 44 et seq. are being violated) and,
if necessary,
to stop using that service under the current conditions.
In this case,
the CNIL has explicitly given a one-month deadline
for the parties involved
to comply with the order.
Furthermore,
the CNIL mentioned something that influenced its decision
and that I choose to highlight now:
the case that noyb reported in Austria
is part of a set of 101 complaints
that noyb filed
across the EU and EEA countries
"against 101
data controllers allegedly transferring personal data to the U.S."

Such complaints
(which targeted Facebook Connect as well as Google Analytics)
were filed in 2020,
shortly after Schrems II.
Only this year
have two European countries acted on them.
However,
others are expected to do the same in a sort of chain reaction,
recognizing and enforcing their regulations
in favor of protecting the sensitive information of website users.
Incidentally,
it seems that the investigations will continue,
extending to other web tools
whose use may involve the data transfers condemned here.

And now, how to proceed?

In the short term,
many Austrian and French companies,
as well as foreign companies
providing website services to citizens of these two countries,
will have to look for alternative tools
with functionality similar to Google Analytics
(e.g., Matomo, Piwik Pro),
tools that do not give them legal headaches.
Businesses in the other EU and EEA member states can prepare
for something analogous.
In the long term,
as noyb points out,
"Either the U.S. adapts baseline protections
for foreigners to support their tech industry,
or U.S. providers will have to host foreign data
outside of the United States."
If neither of these options materializes,
alternative, non-U.S. products and services
may well end up leading the market in Europe.
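Before you can switch tools, you need an inventory of where Google Analytics is actually loaded. The scanner below is an added example, not code from the original post, Fluid Attacks, or noyb: it parses a page's HTML for the well-known Google Analytics loader hosts (www.google-analytics.com, www.googletagmanager.com), for UA-/G- measurement IDs in script sources and inline code, and filters a list of cookie names for the _ga family. The sample HTML and cookie names are constructed for the example. Note that a visitor's IP address reaches Google as soon as the browser fetches the loader script, cookies or not, so a hit on the loader alone is already a transfer to look into.

```python
import re
from html.parser import HTMLParser

# Hostnames the Google Analytics / gtag loaders are served from (public knowledge).
GA_SCRIPT_HOSTS = (
    "www.google-analytics.com",
    "ssl.google-analytics.com",
    "www.googletagmanager.com",
)
# Universal Analytics property IDs (UA-xxxxxx-x) and GA4 measurement IDs (G-xxxxxxxx).
GA_ID_RE = re.compile(r"\b(UA-\d{4,10}-\d{1,4}|G-[A-Z0-9]{6,12})\b")
# Client-side identifier cookies set by analytics.js / gtag.js (_ga, _gid, _gat, _ga_<stream>).
GA_COOKIE_RE = re.compile(r"^(_ga|_gid|_gat)(_[A-Za-z0-9_]+)?$")


class _ScriptCollector(HTMLParser):
    """Collects external <script src> URLs and the bodies of inline <script> blocks."""

    def __init__(self):
        super().__init__()
        self.srcs = []
        self.inline = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._in_script = True
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser delivers <script> contents as CDATA through handle_data.
        if self._in_script:
            self.inline.append(data)


def find_ga_usage(html, cookie_names=()):
    """Return GA loaders, measurement IDs and GA cookies found for one page.

    html          -- the page source as a string
    cookie_names  -- names of cookies observed for the site (from Set-Cookie or the browser)
    """
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()

    loaders = sorted({src for src in parser.srcs if any(h in src for h in GA_SCRIPT_HOSTS)})
    ids = set()
    for text in parser.srcs + parser.inline:
        ids.update(m.group(1) for m in GA_ID_RE.finditer(text))
    cookies = sorted(c for c in cookie_names if GA_COOKIE_RE.match(c))
    return {"loaders": loaders, "ids": sorted(ids), "cookies": cookies}


# Constructed sample: a page with a GA4 tag, a legacy UA snippet and an unrelated script.
SAMPLE_HTML = """<!doctype html><html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-ABC123DEF4"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date());
  gtag('config', 'G-ABC123DEF4');
  ga('create', 'UA-12345-6', 'auto');
</script>
<script src="/static/app.js"></script>
</head><body><p>Hello</p></body></html>"""

# Constructed sample: cookie names seen for the same site.
SAMPLE_COOKIES = ["session", "_ga", "_ga_ABC123DEF4", "csrftoken"]

if __name__ == "__main__":
    report = find_ga_usage(SAMPLE_HTML, SAMPLE_COOKIES)
    for key, values in report.items():
        print(f"{key}: {values}")
```

Run it against the HTML of each page you serve (and the cookie names your browser stores for the domain) to build the inventory; an empty report on every page is the state you want before the CNIL's one-month deadline.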

*** This is a Security Bloggers Network syndicated blog from Fluid Attacks RSS Feed authored by Felipe Ruiz. Read the original post at: https://fluidattacks.com/blog/google-analytics-illegal/