EUROPEAN DATA PROTECTION AUTHORITIES STAND UP TO GOOGLE
In recent days, media across the European Union have echoed the apparent intention of Meta – formerly Facebook – to withdraw its social networks from the old continent. According to a document submitted by the company to the US Securities and Exchange Commission, Mark Zuckerberg’s company would be encountering serious difficulties in transporting personal information from its applications to the servers it has spread around the globe and, particularly, to the United States, all as a result of European data protection regulations.
However, there is another piece of news directly related to the first one that has not transcended beyond professional circles linked to the technology and legal sector, and which, however, will have much more profound effects for the entire digital economy in Europe. We are talking about the recent ruling issued by the CNIL – the French data protection authority – declaring that the use of Google Analytics, as it is currently configured, is contrary to the General Data Protection Regulation (GDPR). In other words, Google Analytics is illegal.
What exactly does the CNIL say?
The GDPR states that personal data may only be transferred outside the European Economic Area if measures are implemented that ensure a level of protection equivalent to that provided by EU law. Although most international providers – including Google and Meta – have contractual instruments that would fulfill this function, the Schrems II judgment of the Court of Justice of the European Union has shown that any commitment made by private companies in no way prevents the public authorities of the country receiving the data from accessing them by force of law or force of arms. This is the case of the United States, whose intelligence agencies have broad powers to collect information processed by companies located in its territory.
The problem therefore lies in the fact that the data collected by Google Analytics is stored and processed on US servers, exposing the fundamental rights of European citizens to undue interference.
What are the consequences of this ruling?
Currently, approximately 29 million websites worldwide use Google Analytics to monitor and evaluate their traffic, including hundreds of thousands of pages belonging to European companies of all sizes. Countless SMEs use this service on their websites. According to the CNIL’s criteria, these companies would be in breach of the GDPR and, therefore, would be exposed to heavy financial penalties, in some cases reaching up to 20 million euros or 4% of their annual turnover.
It is true that, in principle, the effects of the ruling will only be immediately applicable to organizations located in France, but this should not mislead us. The GDPR applies to all EU Member States, and data protection authorities are not in the habit of contradicting each other. Likewise, although the CNIL was the first to rule directly on the lawfulness of Google Analytics, other supervisors have already pointed in the same direction – such as the recent decisions of the European Data Protection Supervisor or the Austrian DSP -. European companies must understand that they are facing a legal limbo with significant regulatory risks.