Sunday, February 20, 2022

GDPR, France, Schrems II, and Google Analytics

If you grew up in The United States, you may recognize the picture below and remember television ads (yes, I have watched network television with commercials) that would push some trinket (think on the lines of a "belt that doubles as straw" or "self-cleaning shoe rack" which in fact is really complicated). When it came the time in the ad to say how much it was and how to order it, there was always a "But wait! There is more!" segment where they would bundle more junk in hopes the viewers would think they are getting a deal.

With that piece of Americana in mind, we will start this article asking if you remember when we talked about the Austrian Data Privacy Authority (DSB) decided Google Analytics is not GDPR-compliant. You do? Great!

But wait! There is more!

Earlier this month the French Data Privacy Authority (Commission Nationale de l'Informatique et des Libert├ęs, or CNIL for those like me who are not typing-trained) concluded, after receiving a complaint from the NYOB association regarding a French website using Google Analytics, that data transfers performed by Google Analytics are illegal in France. The reasoning is the same as their Austrian counterpart: Schrems II, as in there are not enough safeguards to protect this data collected from European Union residents from US intelligence agencies.

Workarounds

We mentioned them before, so let's just focus on the most important ones:

  1. Stop using Google Analytics; it violates GDPR Article 44. Google Ireland does not cut it.
  2. If you really need the functionality provided by Google Analytics, find a tool that transfer data outside the EU.
  3. Any data collected by a Google Analytics-like but GDPR-friendly program should either be immediately anonymized (before being fed to the analytics program), has a Legitimate Purpose as defined in GDPR Article 6, or requires explicit consent from the data subject.

According to the CNIL ruling, the French website in question has 1 month to comply.

Given that NYOB filed complaints the 27 European Union Member States and the three other states belonging to the European Economic Area (EEA), expect more of these decsions to come.