42 media outlets reported to the Cnil for illegal use of Google Analytics

The use of Google Analytics has been declared illegal in France since February 10, 2022, but the French web does not seem to care. This is the observation made by the developer David Libeau, who has studied the practices of online media since this well-known ban. His verdict is unequivocal: despite the very clear statements from the Cnil, none of the main French media outlets has changed its habits. So the developer decided to force their hand. On the evening of Thursday, June 23, he filed complaints with the National Commission for IT and Freedoms (Cnil), France's personal data watchdog. There were 42 complaints in all, one for each of the targeted media outlets.

A formal notice would force them to drop Google Analytics

The list could have been much longer: the May 2022 ranking from the Alliance for Press and Media Figures (ACPM) lists 257 sites. But the use of Google Analytics in the media is so widespread that the developer preferred to symbolically target the 42 largest outlets that use the tool. The choice to stop at 42 probably owes nothing to chance: in geek culture, the number 42 is a reference to Douglas Adams' cult book "The Hitchhiker's Guide to the Galaxy", in which a computer invariably replies that the answer to "the big question about life, the universe and everything else" is "42". It is also for this reason that Xavier Niel named his training project "Ecole 42".

In any case, "According to an analysis of fifty French media sites, almost all of them still include Google Analytics. The result is disastrous", writes the developer in his blog post. According to him, the offenders are everywhere: "in so-called progressive and conservative media, in local and national media". Worse: only one of the 50 media outlets surveyed by the developer does not exfiltrate personal data with Google Analytics or a similar and equally problematic tool: the specialized site Next INpact.

The CNIL has confirmed to La Tribune that it has received these 42 complaints and specifies that they are currently being examined to determine their admissibility. If they are deemed admissible, the CNIL may, if it so wishes, give formal notice to the media outlets concerned, which would then have one month to comply, i.e. switch from Google Analytics to another traffic analysis service.

A symbol of the legal battle between the EU and the United States

The Cnil is very clear: in the Frequently Asked Questions (FAQ) on the page of its website dedicated to Google Analytics, the organization answers the question "Is it possible to configure the Google Analytics tool so as not to transfer personal data outside the European Union?" with a blunt "No". In addition, the data watchdog's legal experts point out that it is not possible to configure Google Analytics to make it compatible with European law.

The problem with Google Analytics, as with many other American tools, is that to function optimally, the service must transfer data from European users to the United States. However, American extraterritorial laws, in particular the Cloud Act but also FISA (the Foreign Intelligence Surveillance Act), are incompatible with the European General Data Protection Regulation (GDPR). The reason: extraterritorial laws are "supranational", therefore "superior" to the European GDPR. Put plainly, the Americans do not submit to the GDPR's obligations regarding informing users about the collection of their personal data and its proportionate use.

Consequently, there is a legal deadlock, embodied by the judgments known as "Schrems" and "Schrems II" handed down by the Court of Justice of the European Union (CJEU). These court decisions annulled, in 2015 and then in 2020, the existing agreement between the EU and the United States on transatlantic data transfers (the Safe Harbor in 2015, the Privacy Shield in 2020), creating real legal chaos for businesses, which has so far been unsatisfactorily patched with standard contractual clauses and additional guarantees. A new agreement in principle was recently announced, but its terms have not yet been specified. In any case, many lawyers have estimated that it will inevitably lead to a "Schrems 3" if nothing changes in substance, that is to say if the EU does not go back on the GDPR or if the United States does not back down on its extraterritorial laws. Neither seems to be on the agenda.

Google Analytics is one of the symbols of this legal battle. In its formal notice of February 10, following the complaint filed by the association NOYB (None of your business or "it's not your business", Editor's note) of the Austrian activist Max Schrems, the Cnil revealed that the data of French users is transferred to the United States "in violation of Articles 44 et seq. of the GDPR". In other words, the Cnil revealed that the conditions under which the data provided by this statistical tool is transferred to the United States are insufficiently supervised and can expose French users to American surveillance programs.

Google Analytics does collect sensitive data:

“Using Google Analytics, the media provides Google with the full history of our conferences. This data is worth gold for digital companies that practice large-scale advertising targeting. They can reveal our tastes, our habits and even our political opinions. If I read articles on immigration or on organic farming, Google can easily profile us,” says David Libeau.

What alternatives for websites?

Faced with the disarray of companies, caught off guard since 2020 by the invalidation of the Privacy Shield and the Schrems II judgment, the Cnil has published on its website a list of alternatives that respect personal data.

Because running a website or a mobile application generally requires traffic or performance statistics, which are often essential for providing the service, the Cnil first explains that the cookies set for this purpose "may be exempted from consent under certain conditions". But data transfers outside the European Union, a prerequisite for Google Analytics, do not fall into this scenario.

The Cnil then lists a series of solutions which, as of the date of its review, can be used instead of Google Analytics and can be exempted from collecting user consent. The list, established on March 30, 2021, includes the Analytics Suite Delta solution from AT Internet, SmartProfile from Net Solution Partner, Wysistat Business from Wysistat, Piwik PRO Analytics Suite from Piwik PRO, and Abla Analytics from Astra Porta. In total, 18 solutions appear to meet the Cnil's requirements.