France data watchdog, Commission Nationale de l’Informatique et des Libertés (CNIL), announced Thursday that Google does not guarantee the protection of European data as per GDPR norms. It analyzed the conditions under which data is transferred to the United States through Google Analytics, a service determining site visits by an Internet user.
The investigation by CNIL and its European counterparts came after receiving 101 complaints by NYOB in the 27 EU Member States, and three other European Economic Area (EEA) states against 101 data controllers allegedly transferring personal data to the US.
This statement comes in light of a critical judgment of 2020 from the European Court of Justice, which increased the bar for the region’s privacy watchdogs after the ECJ expressed reservations about American surveillance laws and the measures in place to protect people’s data from unauthorized access. CNIL found that the transfer of Internet users’ data to the United States violates Article 44 et seq. of the GDPR, which regulates transfers of personal data to third countries or international organizations that do not have equivalent privacy protections.
It noted that despite the additional measures adopted by Google to regulate data transfer, the current mechanism is insufficient to exclude US intelligence services from accessing the data.
CNIL ordered the website manager under investigation to bring their processing into compliance with the GDPR by either ceasing to use Google Analytics or switching to a technology that does not involve data transfer outside the EU.
Last month, Austria’s data protection authority also found EU-US data transfers by Google Analytics to be illegal. In early January, the European Data Protection Supervisor also issued a decision finding the use of Google Analytics by the European Parliament on its COVID testing website violated the bloc’s data protection law. A cumulative effect of these developments might suggest an end of Google Analytics services in the European Union.