CNIL has given formal notice to website managers to come into compliance and to stop using Google Analytics due to illegal EU – US data transfers.
CNIL has joined several other EU watchdogs in ordering website managers to stop using Google Analytics. As a result of several complaints filed by NOYB against a total of 101 companies across the EU, the use of Google Analytics was found to be a violation of the GDPR and Schrems II. The service is commonly used to help business owners with traffic statistics for tracking visitors to their site. However, it assigns each visitor a unique identifier, which constitutes personal data, and the visitors' information is then available to Google Analytics in the US. Currently, data transferred to the US is still not considered adequately protected, and as a result CNIL has given formal notice to the website managers to stop using Google Analytics, according to this recent report.
EU to US data transfers are currently deemed illegal if appropriate security measures are not applied, as the previously held Privacy Shield has been invalidated since the Schrems II judgment.
In the Schrems II judgment, the CJEU highlighted the risk that the American intelligence services could access personal data transferred to the United States if the transfers were not properly supervised. Since that judgment, companies and organisations across the EU have been ordered to stop using various US services, one of which is Google Analytics. In a recent blog post, we covered a sanction imposed on the European Parliament by the EDPS for the use of Google Analytics. CNIL, in its recent report, stated that in total, 101 complaints were filed by NOYB across 27 Member States of the European Union and the three other States of the European Economic Area (EEA), over alleged data transfers to the US.
CNIL reiterates that in the absence of an adequacy decision, EU – US transfers are not sufficiently protected.
The CNIL has noted that any personal data of Internet users which is transferred to the United States is done in violation of Article 44 of the GDPR. Article 44 covers data transfers to third countries, for which certain conditions must be met in order to ensure the security of that data. In the case of data transfers to the US, in the absence of an adequacy decision for data transfers, any data transferred from the EU to the US is considered unprotected. Due to US laws, this data can be accessed by US intelligence, making these data transfers unsafe, and therefore also illegal, under the GDPR.
Does your company have all of the mandated safeguards in place to ensure the safety of the personal data you collect or process? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.