CNIL (Commission nationale de l’informatique et des libertés) – the French Data Protection Agency, has concluded that the use of Google Analytics is illegal under GDPR. The same move was made by he Austrian Data Protection Authority (“Datenschutzbehörde” or “DSB” or “DPA”) few weeks ago. DSB was the first to announce that Austrian website providers using Google Analytics are in violation of the GDPR. Now it seems that different European Data Protection Authorities come to the same conclusion, that the use of Google Analytics is illegal in EU.
The rule is sourcing in 2020 when the Court of Justice of the European Union (CJEU) stated that cloud services hosted in the US are not complying with the GDPR and EU privacy laws. US surveillance laws requires US providers (like Google or Facebook) to provide personal data to US authorities.
It was the end of so called Privacy Shield, a framework that allowed for EU data to be transferred to US companies that became certified. Google Analytics and other US-based services are breaching Article 44 which prohibits the transfer of personal data beyond the EU, unless the recipient country can prove adequate data protection. Under the GDPR, personal data covers a range of identifiers including email address, race, gender, phone number to name a few, but the less obvious identifiers include IP addresses or cookie IDs, device IDS and others.
Many EU companies seemed to be ignoring the case. Finally it landed both in Austrian DPA’s and French CNIL. The CNIL has started to issue formal notices to website managers using Google Analytics.