Something of Doom: GDPR, France, Schrems II, and Google Analytics

Sunday, February 20, 2022

GDPR, France, Schrems II, and Google Analytics

If you grew up in The United States, you may recognize the picture below and remember television ads (yes, I have watched network television with commercials) that would push some trinket (think on the lines of a "belt that doubles as straw" or "self-cleaning shoe rack" which in fact is really complicated). When it came the time in the ad to say how much it was and how to order it, there was always a "But wait! There is more!" segment where they would bundle more junk in hopes the viewers would think they are getting a deal.

With that piece of Americana in mind, we will start this article asking if you remember when we talked about the Austrian Data Privacy Authority (DSB) decided Google Analytics is not GDPR-compliant. You do? Great!

But wait! There is more!

Earlier this month the French Data Privacy Authority (Commission Nationale de l'Informatique et des Libertés, or CNIL for those like me who are not typing-trained) concluded, after receiving a complaint from the NYOB association regarding a French website using Google Analytics, that data transfers performed by Google Analytics are illegal in France. The reasoning is the same as their Austrian counterpart: Schrems II, as in there are not enough safeguards to protect this data collected from European Union residents from US intelligence agencies.

Workarounds

We mentioned them before, so let's just focus on the most important ones:

Stop using Google Analytics; it violates GDPR Article 44. Google Ireland does not cut it.
If you really need the functionality provided by Google Analytics, find a tool that transfer data outside the EU.
Any data collected by a Google Analytics-like but GDPR-friendly program should either be immediately anonymized (before being fed to the analytics program), has a Legitimate Purpose as defined in GDPR Article 6, or requires explicit consent from the data subject.

According to the CNIL ruling, the French website in question has 1 month to comply.

Given that NYOB filed complaints the 27 European Union Member States and the three other states belonging to the European Economic Area (EEA), expect more of these decsions to come.

About Me

Mauricio Tavares has worked in computer research, credit card and medical industry, leading to an interest in the behavioral aspect of data security and privacy. He has previously developed a security program for a $23M federally funded International research program and now helps companies reap the benefits of deploying a well planned data privacy strategy.

A TrustedCI Fellow, he has given talks and published in topics ranging from aerospace engineering to computer automation and data privacy at DEFCON, IEEE, ISSA, KVM Forum, OWASP, NSF Cybersecurity Summit, and AIAA.

About cookies used and data collected on this blog

I have put no ads or links that track you or collect your data on this blog. If you want me to know about you or what you think, do post a comment. What data Google is collecting from you is between you and Google.

Warning

Anything said here does NOT represent the opinions, policies, or tenets of any organization real or imaginary. This side up. Shake well before using. Clean up after use.