Companies in France are being warned that default use of Google Analytics is illegal over concerns of data transfer between the EU and US.
France’s National Commission for Informatics and Liberties (CNIL) ordered a website to stop using Google Analytics in February over data privacy concerns. The CNIL has now issued updated guidance that deems the default use of Google Analytics illegal.
Unlike the US, the EU has comprehensive privacy legislation in the form of the GDPR. A 2020 EU court ruling established that US cloud providers do not meet GDPR requirements. In particular, there is concern over US cloud providers being forced to work with intelligence agencies and hand over customer data to them.
By default, Google Analytics shares customer data, transferring it from the EU to the US. This gives Google access to the data, and is therefore in breach of the GDPR. The CNIL has already sent out notices to some organizations, but is warning all to make changes as soon as possible. Those changes can include modifying how Google Analytics works, so it does not export data to the US, or stop its use altogether.
Below is a statement from the CNIL website [translated]:
“Organizations given formal notice have a period of one month to comply and justify this compliance to the CNIL. This one-month period may be renewed, at the request of the organizations concerned.
“All data controllers using Google Analytics in a similar way to these organizations must now consider this use as illegal under the GDPR.”