France's privacy regulator said Thursday that the use of Google Analytics violates Europe's privacy laws, because Google transfers data to the United States -- where it can be accessed by intelligence agencies.
The French National Data Protection Commission said in a summary of its decision that the data transfers created “a risk for French website users” whose data is transferred.
The ruling marked the second time in as many months that a European regulator said the use of Google Analytics violates European privacy laws. In January, the Austrian Data Protection Authority said a health website violated EU privacy rules by using Google Analytics.
Both countries' decisions stemmed from complaints filed by privacy advocate Max Schrems' organization Noyb.eu.
That group brought more than 100 complaints in 2020, shortly after Europe's highest court struck down the Privacy Shield -- a transatlantic pact that aimed to allow companies to easily transfer EU citizens' data to the United States.
The European Court of Justice said at the time that the Privacy Shield agreement didn't adequately protect European citizens, because U.S. authorities are authorized to conduct broad surveillance.
In the decision announced Thursday, the French regulator said data could only be transferred to the United States “if appropriate guarantees are provided.”
The regulator added that even though Google takes steps to protect data sent through Google Analytics, those measures “are not sufficient to exclude the accessibility of this data for US intelligence services.”
The French agency also said it recommends that tools for audience measurement and analytics “should only be used to produce anonymous statistical data.”