42 media outlets reported to the Cnil for illegal use of Google Analytics

The use of Google Analytics has been declared illegal in France since February 10, 2022, but the French web does not seem to care. This is the observation made by the developer David Libeau, who has studied the practices of online media since this famous ban. His verdict is unequivocal: despite the very clear declarations of the Cnil, none of the main French media has changed its habits. So the computer enthusiast decided to force their hand. On the evening of Thursday, June 23, he filed a flurry of complaints with the National Commission for IT and Liberties (Cnil), France's personal data watchdog: 42 complaints precisely, one for each of the targeted media.

A formal notice would force them to part with Google Analytics

The list could have been much longer: the Alliance for Press and Media Figures (ACPM) May 2022 ranking lists 257 sites. But the use of Google Analytics in the media is so widespread that the developer preferred to symbolically target the 42 largest that use the tool. This choice to stop at 42 probably owes nothing to chance: in geek culture, the number 42 is a reference to Douglas Adams's cult book “The Hitchhiker's Guide to the Galaxy”, in which a computer tirelessly answers that the answer to “the big question about life, the universe and everything else” is “42”. It is also for this reason that Xavier Niel named his training project “School 42”.

Either way, the result is “disastrous”, writes the developer in his blog post. “According to an analysis of around fifty French media sites, almost all of them still include Google Analytics”, he continues. According to the developer, bad students are everywhere: “in so-called progressive and conservative media, in local and national media”. Worse: only one outlet among the 50 observed by the IT expert does not exfiltrate personal data with Google Analytics or a similar and equally problematic tool. This is the specialist site Next INpact.

The CNIL has confirmed to La Tribune that it has received these 42 complaints and specifies that they are currently being examined to determine their admissibility. If they are deemed relevant, the CNIL has several options. It may issue a call to order, order that processing be brought into compliance, including under penalty payment, temporarily or permanently limit processing, suspend data flows, order that requests to exercise the rights of individuals be satisfied, including under penalty payment, or impose an administrative fine of up to 20 million euros in the case of a company or up to 4% of its annual worldwide turnover. However, the most likely outcome is a formal notice, public or not, to the targeted media, which will then have one month to comply, that is to say, to switch from Google Analytics to another traffic analysis service.

A symbol of the legal battle between the EU and the United States

The Cnil is very clear: in the Frequently Asked Questions (FAQ) on the page of its website devoted to Google Analytics, the organization answers the question “Is it possible to configure the Google Analytics tool so as not to transfer personal data outside the European Union?” with a scathing “No”. Further on, the independent authority's legal experts also specify that other measures such as encryption do not make Google Analytics compatible with European law either.

The problem with Google Analytics, like many other American tools, is that the service must transfer European user data to the United States to function optimally. However, American extraterritorial laws, in particular the Cloud Act but also the FISA law (Foreign Intelligence Surveillance Act), are incompatible with the European General Data Protection Regulation (GDPR). The reason: extraterritorial laws are “supranational”, therefore “superior” to the European GDPR. In plain terms, in the context of processing by their intelligence agencies, Americans do not consider themselves subject to the obligations of the GDPR with regard to informing users about the collection of their personal data and its use.

Consequently, there is a legal deadlock, embodied by the judgments known as “Schrems” and “Schrems II” handed down by the Court of Justice of the European Union (CJEU). These court decisions annulled, in 2015 and then in 2020, the existing agreement between the EU and the United States on transatlantic data transfers (the Safe Harbor in 2015, the Privacy Shield in 2020), creating real legal chaos for companies, a gap that has so far been filled unsatisfactorily by standard contractual clauses and additional guarantees. A new agreement in principle was announced recently, but its terms have not yet been specified. And in any case, many lawyers believe that it will inevitably lead to a “Schrems 3” if nothing changes in substance, that is to say if the EU does not go back on the GDPR or if the Member States do not back down on their extraterritorial laws. Neither seems to be on the agenda.

Google Analytics is one of the symbols of this legal battle. In its formal notice of February 10, following the complaint filed by the association NOYB (None of your business or “it's not your business”, Editor's note) of the Austrian activist Max Schrems, the Cnil had considered that French data is transferred to the United States “in violation of Articles 44 et seq. of the GDPR”. In other words, the Cnil considered that, for lack of supervision, the conditions for the transfer to the United States of data collected by this statistical tool may expose French users to American surveillance programs.

Google Analytics does collect sensitive data:

“Using Google Analytics, the media provide Google with the full history of our readings. This data is worth gold for digital companies that practice large-scale advertising targeting. They can reveal our tastes, our habits and even our political opinions. If I read articles on immigration or on organic farming, Google can easily profile us,” explains David Libeau.

What alternatives for websites?

Faced with the disarray of companies, caught in a bind since the end of the Privacy Shield in 2020, the Cnil has published on its website a list of alternatives that respect personal data.

Because managing a website or a mobile application generally requires traffic or performance statistics, which are often essential for the provision of the service, the Cnil first explains that the cookies set for this purpose “may be exempted from consent under certain conditions”. But data transfers outside the European Union, a prerequisite for Google Analytics, do not fall into this scenario.

The Cnil then lists a series of solutions which, as of the date of its examination, can be used instead of Google Analytics and do not require the collection of user consent. The list, established on March 30, 2021, includes the Analytics Suite Delta solution from AT Internet, SmartProfile from Net Solution Partner, Wysistat Business from Wysistat, Piwik PRO Analytics Suite from Piwik PRO, and Abla Analytics from Astra Porta. 18 solutions in total have been validated by the CNIL.