Google Analytics Declared Illegal in France

What Happened?

On Thursday, February 10th, the Commission nationale de l’informatique et des libertés (CNIL) of France declared that using Google Analytics violates the European Union’s General Data Protection Regulation (GDPR). This came about after the non-profit privacy advocacy organisation None Of Your Business (NOYB) raised privacy concerns about the service with CNIL (yes, that is what they are called). CNIL then confronted certain websites using Google Analytics and ordered them to stop.

What is Google Analytics?

Google Analytics Dashboard

Google Analytics is a tool that website owners can use to track and report website traffic. In this case, data about website traffic is transferred from France to the USA via transatlantic communication cables. The data is then processed on American servers before being sent back to French website owners. This data collection is legal without consent in France, so long as the analysis is done anonymously.

What’s the issue?

The issue (according to CNIL) is that Google has not taken the appropriate security measures to ensure that American intelligence services (for example, the CIA or FBI) cannot access the personal data of French citizens during the transfers. Either CNIL cannot trust American intelligence services to simply mind their own business, or American intelligence services were never interested in minding their own business in the first place.

What does this mean?

Transatlantic Communication Cables

Heavy restrictions on how personal data is transferred from the EU to the USA make it harder for companies such as Google or Meta to provide their services in the EU, since they rely heavily on analyzing user data.

As evidence, Meta announced in a recent annual report that 

“If a new transatlantic data transfer framework is not adopted and we are unable to continue to rely on SCCs (standard contractual clauses) or rely upon other alternative means of data transfers from Europe to the United States, we will likely be unable to offer a number of our most significant products and services, including Facebook and Instagram, in Europe.”

[1] Meta Annual Report

So far Google has not made any comment on the recent CNIL decision, but has claimed in the past that organizations using Google Analytics have control over the data they collect.

What’s next?

CNIL gave this particular website owner one month to stop using Google Analytics. After that they are still allowed to use a different traffic monitoring tool, so long as it does not involve the transfer of personal data outside of the EU. In the future, Google might be forced to beef up their security if they want to keep the business of European users, since France is not the only country to have made this decision. About a month ago, Austria made a similar decision about Google Analytics. And with the current climate of internet privacy in Europe compared to North America, it would not be surprising if more European countries followed suit. It will be interesting to see the result of this shift towards privacy, as nations continue to attempt to strike a balance between the privacy of their citizens and the wishes of big tech companies.

41 Comments

  1. Wow! Interesting. The recent decision made by France and other EU countries makes me think that the giant companies like Google, Meta, etc. would probably not control the world as they want. Seems they will be required to follow country rules and regulations in order to provide services. I feel happy to see such decisions of the EU government concerning the citizens’ data being transferred to the United States, as the data might be accessed by the FBI or such. If more similar decisions came out from other countries, companies like Google and Meta would be forced to take data security measures and perhaps be careful in using users’ data.

  2. Really insightful post! As we rapidly transition towards a technology-driven world, we must be willing to accept that technology is not always embraced by those with good intentions. Additionally, technology might even be used more frequently to gain an illicit and unfair advantage, which seems to be what this post is implying. Privacy especially seems to be a hot-button issue. I do think that the framework of the Google Analytics tool is absolutely beneficial, as it provides significant insight into website traffic, but given that this tool has been flagged for privacy concerns, we must question whether or not this tool can be exploited for the wrong reasons. I do think that government agencies will attempt to use this tool to further their own illicit agendas, which is entirely expected.

  3. You make a good point about the differing climates of internet privacy. It’s interesting to see how the EU is reacting to these threats: Facebook in particular is highly unpopular with French and German politicians and lawmakers, many of whom would be perfectly happy to see the website shut down for good. Some, myself included, find it refreshing to see these megacorporations squirm as they lose the upper hand.

  4. This is a fantastic post! We must be willing to recognise that technology is not always embraced by those with good intentions as we swiftly migrate to a technology-driven world. Furthermore, technology may be utilised more frequently to acquire an illegal and unfair advantage, which appears to be the implication of this piece. Privacy, in particular, appears to be a contentious topic. I believe that the Google Analytics tool’s structure is quite valuable, as it provides substantial insight into website traffic; yet, given that this tool has been recognised for privacy concerns, we must consider whether this tool can be misused. Government agencies, I believe, will try to utilise this technology to achieve their own goals.

  5. Interesting post, you make a lot of good points in your post outlining European countries’ decisions and their deep concern for their citizens’ privacy. I think it’s interesting to see the steps that the EU has taken in order to ensure privacy for everyone. I also think that government agencies will definitely use this tool to their advantage in order to achieve their ambitions.

  6. Very interesting post here. I did read and hear about hidden “costs” of Google Analytics before. There are definitely issues with how data is collected and used and shared. Data is often used for Google Ads. However, there are some paid platforms that could be good alternatives to Google Analytics. Some features such as data control/ownership and respecting user privacy have greater emphasis on some other platforms.

    1. That’s an interesting point. If some paid platforms exist besides Google Analytics, I’m sure it would be hard to get much business given the choice between a paid and a free service, especially when the free service is from one of the top tech companies in the world. So this decision by CNIL might be a golden opportunity for those countries to step in and claim some of the European market.

  7. This was explained really well! Although Google Analytics is very useful, it does have the potential for misuse. I also would not be surprised if other European countries start doing the same thing. I’m not sure what other traffic monitoring tools compete against Google Analytics, but this seems like there is potential for others to step into for these European countries.

  8. Very insightful post! I feel like big companies think that they control the world and access other people’s data, which is highly unethical, and I would understand why France banned Google Analytics, but then again it’s an amazing tool. The EU seems to care a lot about their citizens’ privacy unlike the US, but then again I wouldn’t completely trust other EU countries might not start doing the same thing.

  9. Different countries and regions have different attitudes and definitions of privacy, and rules and laws are even more different. Google, as a web company that provides services almost globally, should implement regionalization and regionalization in this regard. Feasible actions such as providing partial services to comply with local laws and regulations if the services are not fully accepted in the area.

  12. This is a very good post. For online companies like Google and Facebook, they have a lot of personal privacy information. Different countries and different governments will definitely have different opinions about such companies. But in general the state should ensure that the privacy of individuals is not violated. Technology is a double-edged sword, people get the benefit of convenience, but it brings the risk of privacy prying. For the development of new technology, people should not only focus on its benefits, but also on its disadvantages.

  13. Interesting Post! I didn’t know that companies like Google have adopted additional measures to regulate data transfers in the context of the Google Analytics functionality; these are not sufficient to exclude the accessibility of this data for U.S. intelligence services.

  14. Insightful post!
    It is interesting to see that companies like Google and Meta, who think that they have so much dominance in the industry, but this isn’t always the case. I think more countries need to stand up against these companies to break the dominance. Although Google Analytics is very useful, any substitute to it might attract public interest, with these privacy concerns on the rise.

  15. I’d never actually thought about that, I’d always just assumed that Google and Meta had locations in the EU for monitoring data there to avoid such an international issue. If the pressure really came down to it, I wonder if that would be a feasible solution for both parties? It would allow Google and Meta to continue analysis, and if it was kept local, it would prevent American intelligence agencies from getting ahold of the data of foreign citizens.

  16. This is an interesting post. When Google Analytics involves revealing personal privacy information, it is very important to strengthen security. European countries take sensible measures to protect citizens’ privacy. They did not allow the development of technology to lead to the loss of data outside the EU for the sake of interests. Building trust and protecting privacy are essential elements if North America wants to retain European users of its business. When the data collected by Google Analytics is not used properly, the platform should make corresponding improvement measures for data control. While ensuring the development of technology, it can also effectively protect users’ privacy and reasonably control data.

  17. I had never considered the potential espionage that could come from Meta or Google’s data collection. It is quite impressive that France put their foot down on this! I wonder how effective this will be, or if there will be any consequence from the new regulations.

  18. Good Post! I find Meta’s response to being told they cannot analyze the data of users within these European countries very interesting. Meta’s statement consisted of them saying: “If we are unable to continue to analyze the data of users of our websites in Europe, then we will be forced to stop offering our services there”. This is a fascinating stance, as Meta does not even consider the option of simply removing their data analysis features from these sites for users in Europe; they’re saying: “let us analyze you or don’t use our service at all”. It will certainly be very interesting to see how this situation develops with new laws being passed in Europe, further requiring companies like Meta to halt their analysis of European users’ data.

  19. Good post!
    I always thought Google had built their data centers in Europe. Before reading your blog, I didn’t know the users’ personal data in Europe needed to be transferred to the USA for analysis by Google. This time, I agree with what the French did to deal with this problem. This is because I have learned from some articles on the Internet that Google has some kinds of cooperation with the US government, so the Europeans truly need to be worried about their privacy on this problem, and I think they can make rules together to supervise and restrict Google’s business in Europe.

  20. Very interesting topic. This makes me see the measures taken by European governments to protect people’s privacy. Laws in each country define privacy very differently. I understand and agree with the practice of European countries. The privacy of national citizens is what the country needs to protect. I think Google can achieve regional modularization in this respect and respect the laws of other countries.

  21. It is an engaging post! I think the decision is about French users’ privacy and political purposes. More or less, the reason is justified enough since there is no assurance from Google about how this information is protected against the USA government. I wonder what Google would do next in order to address the issue.

  22. I’ve never seen a country step up to the plate and pick a fight with Google and American intelligence agencies at the same time for the interest of their own citizens. Good on France to be the first (as far as I’m aware)!

    It’s fascinating how this seems more like a move in the interest of national security than it is to protect French citizens from spying eyes. The fact that they are concerned about government agencies like the CIA gathering portfolios on French communications makes it seem like they’re concerned about what America might do with that information (and rightly so in my opinion). The intersection of politics and computer security will forever be an interesting area, as legislation and policy around privacy and data collection for every user of the internet struggles to keep up with every edge case and every advancement in data collection and usage, but to see the legislation finally catching up enough to be used to keep Google in line truly is an impressive sight. Thanks for the post!
