EUROPEAN DATA PROTECTION AUTHORITIES STAND UP TO GOOGLE

In recent days, media across the European Union have echoed the apparent intention of Meta – formerly Facebook – to withdraw its social networks from the old continent. According to a document submitted by the company to the US Securities and Exchange Commission, Mark Zuckerberg’s company would be encountering serious difficulties in transporting personal information from its applications to the servers it has spread around the globe and, particularly, to the United States, all as a result of European data protection regulations.

However, there is another piece of news directly related to the first one that has not transcended beyond professional circles linked to the technology and legal sector, and which, however, will have much more profound effects for the entire digital economy in Europe. We are talking about the recent ruling issued by the CNIL – the French data protection authority – declaring that the use of Google Analytics, as it is currently configured, is contrary to the General Data Protection Regulation (GDPR). In other words, Google Analytics is illegal.

What exactly does the CNIL say?

The GDPR states that personal data may only be transferred outside the European Economic Area if measures are implemented that ensure a level of protection equivalent to that provided by EU law. Although most international providers – including Google and Meta – have contractual instruments that would fulfill this function, the Schrems II judgment of the Court of Justice of the European Union has shown that any commitment made by private companies in no way prevents the public authorities of the country receiving the data from accessing them by force of law or force of arms. This is the case of the United States, whose intelligence agencies have broad powers to collect information processed by companies located in its territory.

The problem therefore lies in the fact that the data collected by Google Analytics is stored and processed on US servers, exposing the fundamental rights of European citizens to undue interference.

What are the consequences of this ruling?

Currently, approximately 29 million websites worldwide use Google Analytics to monitor and evaluate their traffic, including hundreds of thousands of pages belonging to European companies of all sizes. Countless SMEs use this service on their websites. According to the CNIL’s criteria, these companies would be in breach of the GDPR and, therefore, would be exposed to heavy financial penalties, in some cases reaching up to 20 million euros or 4% of their annual turnover.

It is true that, in principle, the effects of the ruling will only be immediately applicable to organizations located in France, but this should not mislead us. The GDPR applies to all EU Member States, and data protection authorities are not in the habit of contradicting each other. Likewise, although the CNIL was the first to rule directly on the lawfulness of Google Analytics, other supervisors have already pointed in the same direction – such as the recent decisions of the European Data Protection Supervisor or the Austrian DSP -. European companies must understand that they are facing a legal limbo with significant regulatory risks.

How do these new guidelines affect my company?

The use of Google analytics involves non-legitimate international data transfers. It is best to use a tool that complies with the guarantees established by the applicable regulations.
On the other hand, it will be essential to make a good analysis of the provider or tool that we are going to hire, thus assessing to what extent it agrees with the rules and guarantees that we must comply with.
Finally, and in line with the above, it is essential to identify what measures and considerations must be taken into account to achieve compliance in the most efficient way possible. Caberseg can help you select the tool that best suits your compliance with current regulations. We can accompany you from the negotiation process to the final contracting of a suitable service provider.