The use of Google’s web analytics tool does not comply with the General Data Protection Regulation (GDPR), the EU data protection law, despite the guarantees offered by the digital giant and the precautions website publishers can take when using the tool, CNIL said in a Q&A published on Tuesday (7 June) on its website. The clarification comes after the agency sent out formal notices to a series of companies in February after it decided data transfers to the US via Google Analytics were illegal. The watchdog’s decision in February, which came one month after its Austrian counterpart issued a similar decision, follows the EU Court of Justice invalidating the so-called “Privacy Shield” – an agreement between the EU and the US on data processing – in July 2020. [...] # An unambiguous ‘no’ In the meantime, France’s data protection authority has been keen to set the record straight. In response to the Q&A question asking whether it is “possible to configure the Google Analytics tool in such a way as not to transfer personal data outside the European Union,” the CNIL responded with an unambiguous “no”. Google confirmed to the French body that all data collected by Google Analytics is indeed hosted on US soil. “Even in the absence of a transfer, the use of solutions proposed by companies subject to non-European jurisdictions is likely to pose difficulties in terms of access to data,” the authority also states. Google proposed additional guarantees like anonymisation and encryption but none have been deemed satisfactory by the CNIL. On anonymisation, CNIL acknowledges that Google offers an IP address anonymisation feature. Still, it does not apply to all transfers, and Google could not demonstrate that such anonymisation occurred before being transferred to the US. According to the CNIL, using unique identifiers is not sufficient either, as their use can be identified through their association with other data. Well aware that Google Analytics is not the only solution offered by Google to companies, the data watchdog notes that “these services, which are widely used in France, can allow the IP address to be cross-checked and thus trace the browsing history of the majority of Internet users on a large number of sites.” The CNIL also addressed the encryption solutions proposed by Google, saying they were ineffective due to Google offering and conserving encryption keys, allowing it to access personal data if it so wishes. Companies wishing to keep using the tool need explicit consent from the individuals concerned. https://www.euractiv.com/section/data-protection/news/french-watchdog-tweaki... Ad oggi, la stragrande maggioranza delle risposte che abbiamo ricevuto dalle PA che abbiamo contattato con Monitora PA, contiene rigraziamenti. Tuttavia una dozzina sostiene che l'anonimizzazione di Google Analytics garantisce una protezione sufficiente agli utenti. A questi DPO / Titolari del trattamento non rispondiamo. Lo spiegheranno al Garante della Privacy su nostra segnalazione. Giacomo