France’s privacy regulator has found instances where using Google Analytics is not compliant with the European Union’s General Data Protection Regulation (GDPR).
Through an investigation into unnamed local website’s data practices, the Commission nationale de l’informatique et des libertés (CNIL) found that the website’s use of Google Analytics was in violation of the GDPR. The French regulator said using the tool breached Article 44, which bans personal data transfers from within the bloc to “third-party countries” that do not have equivalent privacy protections in place.
Among the countries that fail to meet this threshold is the US as it does not provide non-US citizens with the means to know how their data is acquired or used. US laws also do not provide non-US citizens with the ability for recourse when their data is misused.
The regulator’s investigation into the unnamed local website was done in conjunction with looking into 100 other complaints that were filed to privacy advocacy group Noyb shortly after the European Court of Justice struck down the EU-US Privacy Shield agreement in 2020.
The complaints were filed to Noyb, whose founder, Max Schrems, was the one who initiated proceedings to invalidate the Privacy