The French DPA: The CNIL’s Google Analytics Decision
The Commission Nationale de l’informatique et des Libertes (CNIL) is the French data protection authority. Along with other national and regional data protection authorities they are responsible for enforcing the General Data Protection Regulation (GDPR). Recently, their Austrian counterparts, the Austrian data protection authority, determined that Google Analytics violated the GDPR. Both data protection authorities felt that Google Analytics violated Article 44 of the GDPR. Article 44 prohibits transferring personal data about European Union data subjects to third countries that are neither within the European Union nor are “adequate.” To be adequate a country must have data protection laws such that European Union data subjects would receive comparable privacy protection of their data in the third country as they would in their home country.
Google Analytics currently transfers data to the US, which is not considered to be an “adequate” country. The US has previously negotiated agreements to allow data transfers to the US, but there is currently no such agreement in place. The two previous agreements, the EU-US Safe Harbor Framework and the Privacy Shield Agreement, were both ruled to not sufficiently protect the data rights of data subjects in the European Union.
Interestingly enough, the Safe Harbor Framework was invalidated, the Privacy Shield Agreement was invalidated, and the complete leading to CNIL’s Google Analytics decision was brought due to the efforts of Max Schremms, an Austrian data privacy activist.
Google has argued that they take additional measures to regulate data transfers. However, the additional measures leave something to be desired. The CNIL indicated that if Google only transferred anonymous statistical data out of the EU, that would be acceptable. Anonymous data is not considered to be personal data and so there is no harm to data subjects if it leaves the country.
Companies can still learn a lot from anonymized statistical data. They can learn trends, popular links, time spent on particular pages, and other details. These are all valuable things for a company to know about their consumers and potential consumers. What anonymized data doesn’t provide them though is context about their consumers. They don’t get to learn fine-grained details about their consumers such as their previous purchase or interaction history, what competitors they are competing with for the attention of individual consumers, or whether specific advertisements lead to purchases or subscriptions from their consumers.
Undoubtedly, personal data is more valuable to companies if it hasn’t been anonymized. However, there are other considerations – the rights of data subjects. Companies need to perform a balancing act of collecting the data that is appropriate and necessary while also respecting the rights of data subjects.
Clarip helps companies do just that. With consent management, we help businesses receive and respond to the permissions granted by consumers. Clarip also helps companies comply with data subject request fulfillment so that data subjects can exercise their data privacy rights. Clarip provides vendor management, website scanning, data mapping, and many more data privacy solutions. Contact us at 1-888-252-5653 or visit us at www.clarip.com to learn more.
Email Now:
Mike Mango, VP of Sales
mmango@clarip.com
Other Articles on this Topic:
Cookies & Data Transfers: The Google Analytics decision
Cross-Border Standard Contractual Clauses after Schrems II
The Schrems Decisions: Cross-border Data Transfers
Cookies & Data Transfers: The Google Analytics decision
The Asymmetry of Intelligence Collection after Schrems II