Iteanu Avocats is pushing Cnil companies towards European solutions by providing proper notice to the lawyer responsible for GDPR and data division, Google Analytics users.
J.D.N. Cnil has recently announced a French website manager that will use Google Analytics to comply with GDPR. What does this decision mean?
Alexandra Idenu. This result is not entirely surprising and one can expect it. Now the difference is that it is clearly established. This means that any European company using Google Analytics is likely to be allowed by Cnil to disregard the level of security required for public data protection regulation.
“In the sense of GDPR, browsing data is actually personal data”
Google transfers this data to the United States and Cnil justifies its decision that these transfers are illegal. The Schrems II ruling of the European Union (CJEU) Court has opened the door to some transfers, has not it?
Yes, absolutely, but it’s not about America. In fact, the CJEU invalidated the privacy shield (Bilateral agreement authorizing data transfer between Europe and the United States, Editor’s note), We can still rely on the terms provided in the GDPR: standard contract terms. This is the standard agreement that can be signed between the exporter and the importer of this data. But the CJEU made it clear that it was up to these players to assess whether the law of the country that imports the same level of protection provided by the GDPR is in practice. However, the federal law in force in the United States does not provide the same level of demand.
Google Analytics collects browsing statistics. Can this data be considered as personal data?
Personal data in the sense of GDPR includes a vast amount of information that directly or indirectly identifies a person. So browsing data is personal data.
“Google Analytics is a data processor, not a data controller”
Why Allow Site Manager and not directly allow Google Analytics?
Because for GDPR, Google Analytics is a processor, not a data controller. Therefore, companies that use Google Analytics determine the methods and objectives of data processing. As responsible, it is their responsibility to ensure that their subcontractors provide all guarantees of compliance with GDPR.
Cnil concludes that this manager no longer uses Google Analytics “under current conditions”. Can Google provide a solution to this problem?
This is one of the solutions for transferring data to company servers in Ireland. But even in this case, the question arises as to the possible interference of the US authorities.
“Even if the data is transferred to Google’s servers in Ireland, the question arises as to whether U.S. authorities can intervene.”
Reason Cloud Law (The U.S. Federal Law was enacted in March 2018 to clarify the legal overseas application of the Data Act, author’s note) Provides U.S. officials the ability to access data hosted on the computer servers of any U.S. company subsidiaries located in other countries. U.S. intelligence officials can access the personal data of European citizens without informing or assisting them …
Most sites use Google Analytics தியாக Sure, what does this mean immediately?
This decision pushes companies towards more secure alternatives to GDPR. This shows that Europe’s dependence on American tools, not Google but Microsoft, Amazon … Cnil shows by this decision that it acts as the protector of our digital sovereignty, which is very good. Faced with this decision, it is still necessary to have technical alternatives that French actors can propose. This requires mechanisms that allow these solutions to emerge.