In a decision targeting an unnamed French website manager, the data privacy regulator — one of the most vocal and influential in Europe — said the U.S. tech giant hadn’t taken sufficient measures to guarantee data privacy rights under European Union regulation when data was transferred between Europe and the United States.
«These (measures) are not sufficient to exclude the accessibility of this data to U.S. intelligence services,» the regulator said in a statement.
«There is therefore a risk for French website users who use this service and whose data is exported.»
The CNIL said that the French website manager in question had one month to comply with EU regulation and that it had issued similar orders to other website operators.
Google declined to comment on the CNIL decision. The firm has previously said that Google Analytics doesn’t track people across the Internet and that organisations using this tool have control over the data they collect.
The CNIL’s decision follows a similar one by its Austrian counterpart, coming after complaints by Vienna-based noyb (Non Of Your Business), an advocacy group founded by Austrian lawyer and privacy activist Max Schrems who won a high profile case with Europe’s top court in 2020.
The Court of Justice of the European Union at that time scrapped a transatlantic data transfer deal known as the Privacy Shield, relied on by thousands of companies for services ranging from cloud infrastructure to payroll and finance, because of similar concerns.
Several large companies, including Google and Meta’s Facebook (FB.O), have called for a new transatlantic data transfer pact to be swiftly agreed because of the legal risks posed to them.
«In the long run we either need proper protections in the United States, or we will end up with separate products for the US and the EU,» Schrems said in reaction to CNIL’s decision.
«I would personally prefer better protections in the US, but this is up to the US legislator – not to anyone in Europe.»