PARIS — France’s privacy regulator has ruled that an unnamed website cannot use Google Analytics because it transfers personal data to the United States in breach of EU privacy law.
„The CNIL considers that these transfers are illegal and orders a French website manager to comply with the GDPR and, if necessary, to stop using this service under the current conditions,“ the regulator said in a statement.
The French regulator is the second European data protection authority to reach this conclusion. In January, the Austrian regulator ruled that a website could not use the Google Analytics tool and the Dutch one also gave warnings to that effect.
In August 2020, Max Schrems‘ NGO noyb.eu lodged 101 complaints throughout the bloc against websites that have adopted web analytics tech developed by Google and Facebook. The organization argues that the use of the tools violates the so-called Schrems II ruling at the EU’s top court, which has stricken down a transatlantic data flow agreement over a lack of privacy protections.
„Although Google has adopted additional measures to regulate data transfers in the context of the Google Analytics functionality, these are not sufficient to exclude the accessibility of this data for US intelligence services,“ the CNIL wrote.
„There is therefore a risk for French website users who use this service and whose data is exported,“ it added. The CNIL gave the website one month to become compliant and said it has issued other orders to comply.
The French complaints target online media outlet HuffPost, retailers Leroy Merlin, Auchan and Decathlon, beauty shop Sephora and telecom operator Free, and their use of Google and Facebook tools. Auchan, Sephora and Decathlon use Google Analytics.