Google Analytics is a web analytics service that allows us to use various tools and information exclusive to Google to analyze specific data in our companies. Thanks to Google Analytics, we can know the performance of our marketing actions according to the behavior of users on our websites and applications. This service can contribute a lot to understanding our users or clients so we can offer them better experiences and, therefore, get better results. However, not everything's just peachy.
This month, I read that the French Data Protection Agency, CNIL (Commission Nationale de l'Informatique et des Libertés), determined that the use of Google Analytics is illegal under GDPR (General Data Protection Regulation). As you may know, GDPR is a set of data protection and privacy rules within the European Union (EU) and the European Economic Area (EEA). These rules apply to any organization that stores, processes or transfers personal information of European citizens, even operating outside those territories.
The CNIL's decision immediately follows the same decision taken earlier this year by the Austrian Data Protection Authority (Datenschutzbehörde, DSB). And all this comes out of what was already resolved in 2020 by the Court of Justice of the European Union (CJEU). As I stated at that time, the CJEU "determined that the EU-U.S. Privacy Shield agreement, a safeguard used by many companies to transfer personal data from the European Union to the United States for commercial purposes, was invalid."
Schrems I and II
Let's briefly revisit what happened some years ago. It all started back in 2013 when Austrian privacy rights campaigner Max Schrems contested the transfer of personal data of European individuals from Facebook to servers in the U.S. After typically protracted and tiresome legal imbroglios, it was finally in 2015 that the CJEU determined that the principles of the existing Safe Harbor agreement between the EU and the U.S. Department of Commerce were inadequate for the protection of EU citizens' information. That ruling received the name "Schrems I."
Almost overnight, those under the Safe Harbor had to look for an alternative, which led to the emergence of the above-mentioned EU-U.S. Privacy Shield agreement. And while this was created to be consistent with EU laws for the use of personal information, it appears that there could still be indiscriminate access to such data by national authorities or intelligence agencies in the U.S. As I noted, "requests by these agencies could take priority over EU personal privacy rights, according to [the] United States security laws." Therefore, the Privacy Shield was not complying with the GDPR. Thanks to another long and arduous effort, this new agreement was invalidated with the "Schrems II" ruling in 2020.
Once again, the parties involved, companies in the U.S. and EU, had to seek changes and reformulations. Despite this, some ended up ignoring what happened, and it was precisely this that led to the DSB decree in Austria. In the words of Erin, from Google Analytics alternative, Matomo, "The choice to ignore is what landed one Austrian business in the [DSB's] line of fire, damaging the brand's reputation and possibly resulting in a hefty fine of up to €20 million or 4% of the organization's global turnover." But aren't there many at the moment surely doing the same thing? Well, as stated, penalization is a possibility; for now, what matters is to reinforce widespread compliance.
DSB and CNIL ruled against Google Analytics
It seems that noyb, the group of professionals founded by Max Schrems that acts in favor of the privacy rights of individual users in Europe, discovered an inappropriate behavior in the aforementioned Austrian company. They were using Google Analytics. And Google is among those U.S. providers that are required by law to provide personal data to their country's authorities. The thing is that, from that service, IP addresses and other user identifiers were being sent as cookie data to the U.S. Then, based on Schrems II, reviving that decision and rejecting insufficient measures of regulation taken so far by Google, DSB was the first to declare that the use of Google Analytics, at least in Austria, is illegal. Although, as Schrems himself says, "The bottom line is: Companies can't use U.S. cloud services in Europe anymore."
So, not a month passed before France, through the CNIL, took the same decision on the use of Google Analytics. As stated in a press release, the CNIL orders French website managers/operators to comply with the GDPR (Articles 44 et seq. are being violated) and, if necessary, to discontinue using that service under current conditions. In this case, the CNIL explicitly has given a month's deadline for the parties involved to comply with the decree. Furthermore, they mentioned something that affected their decision and that I choose to highlight now: What was reported by the noyb association to Austria is part of a set of 101 complaints that noyb presented for the EU and EEA countries "against 101 data controllers allegedly transferring personal data to the U.S."
Such complaints (within which Facebook Connect joined Google Analytics) were filed in 2020, shortly after Schrems II. Only this year, two European countries have acted on them. However, others are expected to do the same in a sort of chain reaction. It is expected that they recognize and enforce their regulations in favor of protecting the sensitive information of website users. Incidentally, it seems that the investigations will continue, extending to other web tools whose use may be leading to the data transfer reprimanded here.
And now, how to proceed?
In the short term, many Austrian and French companies or foreign companies providing website services to citizens of these two countries will have to look for alternative tools with similar functionality to Google Analytics (e.g., Matomo, Piwik Pro). Tools that do not give them legal headaches. Businesses in the other EU and EEA member states can prepare for something analogous. In the long term, as noyb points out, "Either the U.S. adapts baseline protections for foreigners to support their tech industry, or U.S. providers will have to host foreign data outside of the United States." If they do not resort to any of these options, alternative, non-U.S. products and services may well end up leading the market in Europe.
Recommended blog posts
You might be interested in the following related posts.
Watch out for keylogging/keyloggers
There's not an only way but here's a good one
Benefits and risks of these increasingly used programs
A hacker's view of the performance of Researcher CNAs
Why so many are switching to Rust
Description and critique of CEH certifications
An OffSec Experienced Pentester review
Or what makes the ethical hacker