Why is Google Analytics illegal according to the CNIL, and what companies should do?
Jean-Christophe CHEVALLIER, Partner at Ydès and expert in information technologies and data protection, delves into the CNIL’s latest position on the use of Google Analytics (GA) and why it is deemed illegal.
During this quick interview Jean-Christophe CHEVALLIER, Partner at the French law firm Ydès and expert in information technologies and #dataprotection, delves into the CNIL’s latest position on the use of Google Analytics (#GA) and why it is deemed illegal.
According to the #CNIL, GA cannot be used anymore for EU citizens’ data as there are not enough assurances to prevent such data from being shared with US authorities, not even with the new platform Google Analytics 4. In particular, none of the measures implemented by Google were capable of providing sufficient anonymisation of the data. For example, the CNIL noted that such anonymisation is not applicable to all transfer and that the “anonymised” identifiers still permits to identify users.
However, it is worth noticing that the CNIL’s approach is very sympathetic to companies. The #DPA did not issue any fine yet, but approached companies through formal notices inviting them to find alternative solutions. Also, the DPA provided a one-month period for such implementation with the possibility to further expand this deadline under certain circumstances.
Finally, a brief mention of the supranational effects of such a position. This is not just about French companies, nor EU ones, as the issue further expands to any company dealing with EU subjects’ data at the international level. Indeed we can expect that other DPAs will further align to this position (e.g. the Austrian DPA already took a very similar position even before the CNIL), forcing companies to leave Google Analytics for different platforms.