Over one hundred French public bodies transfer personal data to Google – illegally

The French Council of State, the French Customs, and until very recently, the French Presidency, are among at least 184 French public websites that use Google Analytics, illegally allowing the transfer of users’ personal data to the US.

Every month, the website of the French Presidency is visited more than 560,000 times. Until 1 April, when the website appears to have reversed its policy, every time a web user visited the Elysée’s website, her movements were tracked. Click after click, her personal data was collected and stored in the US by Google Analytics, a Google service that allows website owners to understand their audience’s behaviour. Many website owners use Google Analytics, and many of them, like the French Presidency, anonymize user data they collect. But there is a problem: since 2020, it has been illegal to use Google Analytics in the EU.

Ahead of the French Presidential election, Sciences Po’s Journalism School found 184 other French public websites that are using Google Analytics as of early April, sending users’ personal data to the US for audience measurement purposes despite French legislation providing for administrative and criminal sanctions against it. 

Several of them, including the French Customs and the French Council of State (a governmental body that acts as legal adviser of the French government and as the highest administrative court of France), are at the top governmental level. The French Presidency appears to have stopped using Google Analytics on 1 April. It did not respond to requests for comment. The French Customs said on 12 April they had stopped using Google Analytics following our questions.

Dozens of French public websites use Google Analytics – illegally

In 2020, the world of internet law experienced a shock. On 16 July, the EU’s Court of Justice invalidated the Privacy Shield, an EU-US data transfer agreement, over concerns that personal data of Europeans stored in the US by companies like Google could be obtained by American secret services such as the National Security Agency (NSA). In effect, the court ruled that personal data transfers to the US were illegal. The judges deemed that Europeans’ personal data, which includes most information pertaining to a living individual and which is protected in the EU by the General Data Protection Regulation (GDPR), was not sufficiently shielded in the US. 

In February, the French National Commission on Informatics and Liberty (CNIL) ruled that using Google Analytics in France was illegal, confirming the 2020 decision of the EU’s Court of Justice. Even if the CNIL ruling compels only one website to comply with the decision, data protection experts agree that the ruling extends to all French websites. 

Ranging from a tiny commune to the Presidential office, France has tens of thousands of public websites. For this piece, we analysed 395 of them, which belonged to some of France’s major public bodies: all national administrations but the embassies; all regional and departmental councils; and all communes with more than 50,000 inhabitants. All websites defined as “main governmental websites” by the French government were also included (see the methodology box).

Conducted early in April, our investigation found that more than a third of them, 184, are using Google Analytics. 161 of them are local administrations; the remaining 23 are national authorities and government-backed initiatives (see the list below). More than half of France’s regional and departmental councils are using Google Analytics (75 out of 119). So are more than half of France’s town halls with over 50,000 inhabitants (86 out of 157).

At least 23 French national authorities and government-backed initiatives use Google Analytics in early April

Canal U
Civic service (Service civique)
The Competition Authority (Autorité de la concurrence)
The Controller General of Prisons (CGLPL)
The Economic, Social and Environmental Council (CESE)
The Energy Regulation Commission (CRE)
France Strategy (France Stratégie)
The French Anti-doping Agency (AFLD)
The High Council for the Evaluation of Research and Higher Education (HCERES)
The High Council of the Judiciary (CSM)
The High Council of the Statutory Auditor (H3C)
The Institute of France (Institut de France)
The interministerial Mission for the fight against drugs and addictive behaviours (MILDECA)
The National Agency for territorial cohesion (ANCT)
The National Energy Ombudsman (Médiateur national de l’énergie)
The National Office for Veterans and War Victims (ONAC-VG)
The Nuclear Safety Authority (ASN)
The portal for the validation of acquired experience (VAE)
The portal of the Directorate General for Enterprises (DGE)
The portal of the General Directorate of Customs and Indirect Taxes
The portal of the public service
The State Council (Conseil d’Etat)
The Transport Regulatory Authority (ART)

When questioned, the Ministry of Transformation and Public service, which supervises the portal of the public service, the Controller General of Prisons, the Energy Regulation Commission and the High Council for the Evaluation of Research and Higher Education said they were in the process of removing Google Analytics from their websites (see the answer box).

The Nuclear Safety Authority said that its website only uses Analytics with its interactive publications such as their annual report, adding that “data provided by these publications is very rudimentary and concerns only the numbers of pages consulted.”

The French Customs (the General Directorate of Customs and Indirect Taxes) said that it had initially missed the change of regulation but that it is “no longer [using] the Google Analytics tool on [its] website” following our questions.

A spokesperson for the National Energy Ombudsman and a spokesperson for France Strategy denied their websites were using Google Analytics (both websites openly mention they are using Google Analytics).

The other national entities using Google Analytics did not respond to requests for comment.

None Of Your Business

Romain Robert, program director at the European NGO None Of Your Business (NOYB), is a data protection lawyer who filed NOYB’s complaint with CNIL that led to its February finding that Google Analytics was illegal. “They use a service that has been declared illegal by CNIL, what more can I say?” Robert said when presented with our findings. 

“Folks, we’ve been saying for seven years that transfers to the United States are prohibited and you’re only waking up now. Please, let’s stop messing around,” Robert continues. “Especially a public authority, well it’s still mind-blowing.”

In 2020, one month after the Court of Justice ruling invalidating the Privacy Shield, NOYB filed complaints against 101 private companies to data protection authorities across Europe. In the complaints, NOYB said companies were still using Facebook and Google Analytics, thus failing to comply with the ruling. In France, the NGO targeted six companies, including three for their use of Google Analytics: Decathlon France, Sephora and Auchan E-commerce. 

After a first formal notice in February that ordered one of the three companies to stop using Google Analytics (CNIL did not publicly reveal the company’s name), CNIL issued similar notices towards the two other French companies targeted by the complaints for their use of Google Analytics. “CNIL informs us that 2 other companies were ordered to stop the transfer of data generated when using Google Analytics. One month to comply,” Robert announced mid-March in a LinkedIn post.

At the core of NOYB’s complaints: the concern that Europeans’ personal data, when used by services like Google Analytics, may be obtained by American secret services such as the NSA, an issue that was first exposed by Edward Snowden in 2013. “The CNIL decisions confirm that the use of Google Analytics falls under the ruling of the Court of Justice of the EU … data transfers to the US should be framed with additional measures to protect access from national security agencies in the US,” Robert explains.

For lawyer Olivier Iteanu, a pioneer of internet law in France and honorary president of Internet Society France, the main problem with data transfers to the US is that people lose control of their personal data. “The heart of GDPR was to give back the control of personal data to citizens, consumers, parents, employees,” he says. Conversely, in the US, “you and I and any European citizen have no guarantees … and that will never change, because there are no personal data protection regulations [there],” he says.

To Iteanu, our findings are not surprising. “Google has a monopoly on a certain number of services, and so everyone has become accustomed to it, and the free service is the trap into which everyone falls,” he says.

“We don’t know what Google does with [the data]”

Céline Hunninck is webmaster at the town hall of Cagnes-sur-Mer, a town of 52,000 inhabitants nestled between Nice and Cannes on the French Riviera. Every Monday, her team debriefs on traffic to the town’s website. Hunninck, 41, helped develop Cagnes’ website in 2008. Since 2015, her team has used one service to analyse the website’s audience: Google Analytics.

“We don’t know what Google does with [the data]. We use the system … it is true that it is a practical tool,” the 41-year-old webmaster says about Google Analytics.

One type of personal data collected by Google Analytics is a user’s IP-address, a unique number that allows the identification of the device or the local network from which the user connects—and thus, potentially, of the person behind the screen.

According to GDPR, the European data protection regulation that has been in effect since 2018, IP-addresses are considered personal data. GDPR also makes clear that it is the legal or natural person behind the website, or “data controller”, that is responsible for ensuring that data is being processed in compliance with the regulation.

At Cagnes-sur-Mer, Hunninck understands IP-addresses of users visiting the town’s website are transferred to Google in the US. “Yes, yes, yes, we know. We know that. Well, it’s true that it’s sent to Google,” she says. 

When asked whether she is aware that using Google Analytics is illegal in France, she says that she “[hasn’t] heard of it at all.” The town has hired someone in charge of GDPR compliance, supposedly trained by CNIL and up to date with the rules, but he hasn’t addressed the matter, she says. Cagnes-sur-Mer did not respond to requests for comment.

To Bernard Lamon, a French lawyer and GDPR expert with two decades of expertise in computer and technology law, public bodies often hire GDPR consultants based on how much they charge rather than on their expertise. “I don’t think it’s great that the public bodies don’t spend anything” on GDPR compliance, he says. 

Although GDPR applies both to public and private entities, to him, public entities bear a higher responsibility. “Public actors have a great duty to set an example,” he says. 

Lamon believes that small public bodies might be even less compliant with GDPR than middle-sized and large ones, such as those in our sample. “The smaller the size of the organisation, the less compliance effort they have made,” he says. Nevertheless, respecting GDPR “is their responsibility,” he says. “The fundamental problem is that, at the moment, local authorities are not putting enough resources into the subject of GDPR compliance,” Lamon says.

Iteanu agrees that the problem of data compliance is related to funding, but also lies at another level. “For me, local authorities are victims,” he says. “They have not been given the means to have alternative solutions. There is no public policy. There has been no digital public policy. The market has been left to act alone,” he says.

In January 2021, Macron’s government unlocked €88m until 2022 to support the “numeric transformation of local authorities”, as part of the €100bn French recovery plan following the pandemic, France Relance. Entities are asked to submit their projects before receiving governmental support. So far, fewer than one in thirty of the 3166 projects that have received funds include GDPR compliance in their program.

Macron: the first French president ruling with GDPR

When GDPR came into effect in 2018, French president Emmanuel Macron spoke to a floor of tech CEOs. “That’s a huge change in terms of data protection, but that’s a huge change because what we are doing is building a European sovereignty for data,” he said in English. 

Macron, a candidate for re-election in 2022, is the first French president to govern with the European regulation in effect. 

For French President Macron, the crux of GDPR is clarity of rules and compliance. In his speech in 2018, he urged the CEOs to comply with the new regulation: “That’s the pre-condition for our citizen, to believe, to have trust in this new environment.”

Four years into GDPR and two months after CNIL ruled that Google Analytics was illegal, dozens of French state-owned websites do not comply with the law, sending users’ personal data to the US to benefit from Google’s audience measurement services.

To Iteanu, national authorities like the French Presidency have no excuse. “They are the top of the class. […] There is a real fault,” he says, stressing that French legislation provides for both administrative and criminal sanctions for this type of breach.

CNIL did not comment on our findings but said in an email that it is aware that “a large part of French website managers uses the Google Analytics functionality and therefore proceed to illegal transfers of personal data to the United States.” “It is therefore essential that CNIL and the other European authorities take a stand on the data transfer operated by Google Analytics and point out its illegal character,” the authority said, adding that “CNIL is investigating the complaints referred to it and adopting the necessary corrective measures to ensure that the organisations concerned comply.”

Last month, Google announced that its next version of Google Analytics would no longer store IP-addresses. The EU and the US also announced they reached a preliminary deal for a new data transfer agreement, a move that was promptly criticised by data protection NGOs like NOYB.

At Cagnes-sur-Mer, Hunninck’s team is about to release the sixth version of the town’s website. With, according to the latest plans, Google Analytics. 

Article written by Karine PFENNIGER

Header Image (screenshot of Council of State’s website) taken by Karine PFENNIGER

Methodology

We analysed 395 French public websites and their use of Google Analytics. 

Focusing on France’s main public bodies, we chose to include the following websites in the sample:

– All national administrations as listed by lannuaire.service-public.fr, except the embassies: 24 independent authorities, 14 institutions and jurisdictions and 17 ministries;
– All departmental councils (102);
– All regional councils (17);
– All communes with more than 50,000 inhabitants, as listed by Insee in 2019 (128);
– All websites listed as “main governmental websites” by the Government information service (SIG) in 2019 (194).

Entities without websites and duplicates were removed. For entities with several websites, all websites were included. 

To determine whether a website is using Google Analytics, we used Chrome’s web inspector and the plugin “Google Analytics Debugger”. When asked, we systematically accepted cookies. Only websites showing the presence of Google Analytics in the web inspector and in “Google Analytics Debugger” were marked as using Google Analytics.
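A static approximation of the check described above, as an added example that is not the authors' tooling: it scans only the script elements of a page for Google Analytics loader URLs and property IDs, so a privacy notice that merely mentions the service is not counted. The function name, verdict labels and sample pages are constructed for illustration; a page that loads only a Tag Manager container still needs the browser-based check.

```python
import re
from html.parser import HTMLParser

# Loader URLs of the three Google Analytics generations (ga.js, analytics.js, gtag.js).
GA_LOADER = re.compile(r"google-analytics\.com/(?:ga|analytics)\.js|googletagmanager\.com/gtag/js")
# A Tag Manager container can inject Analytics at runtime; static HTML cannot tell.
GTM_LOADER = re.compile(r"googletagmanager\.com/gtm\.js")
# Universal Analytics (UA-...) and Google Analytics 4 (G-...) property identifiers.
PROPERTY_ID = re.compile(r"\b(?:UA-\d{4,10}-\d{1,4}|G-[A-Z0-9]{6,12})\b")


class ScriptCollector(HTMLParser):
    """Collects only what a browser would execute: script src URLs and inline bodies."""
    def __init__(self):
        super().__init__()
        self.chunks = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            src = dict(attrs).get("src")
            if src:
                self.chunks.append(src)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.chunks.append(data)


def audit(html):
    """Classify one page: 'google-analytics', 'tag-manager-only' or 'none'."""
    collector = ScriptCollector()
    collector.feed(html)
    collector.close()
    code = "\n".join(collector.chunks)
    ids = sorted(set(PROPERTY_ID.findall(code)))
    verdict = "none"
    if GA_LOADER.search(code):
        verdict = "google-analytics"
    elif GTM_LOADER.search(code):
        verdict = "tag-manager-only"  # needs a browser check of network requests
    return {"verdict": verdict, "property_ids": ids}


# Constructed sample pages (not taken from any real website).
PAGE_GTAG = ('<html><head><script async src="https://www.googletagmanager.com/gtag/js?id=G-ABC123XYZ9">'
             '</script><script>gtag("config", "G-ABC123XYZ9");</script></head></html>')
PAGE_NOTICE = "<html><body><p>We used to load google-analytics.com/analytics.js (UA-1234567-1).</p></body></html>"
PAGE_GTM = '<script>(function(w,d,s){var j=d.createElement(s);j.src="https://www.googletagmanager.com/gtm.js?id=GTM-XXXX";})(window,document,"script");</script>'
```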

The analysis was performed in early April 2022. Websites that were identified in March 2022 as using Google Analytics but had since stopped using it, such as the French Presidency, were removed from the list. In total, 18 websites were not working.

Since our analysis, several websites have stopped using Google Analytics.

Answers

When questioned, the Controller General of Prisons said that “steps are underway to set up another audience measurement solution that complies with the regulation” and that the change “should take place during the month of April.” 

The High Council for the Evaluation of Research and Higher Education said it was “in the process of updating [its] tools in order to draw the consequences of the CNIL decision of February 10” and that it had “taken the necessary steps to suspend the use of Google Analytics.”

The Ministry of Transformation and Public service, which supervises the portal of the public service, said on 1 April that the portal is currently in the process of being redesigned and that Google Analytics should be removed “in a few days.” 

The Energy Regulation Commission said on 5 April it is “well aware of [the EU’s Court of Justice] decision and is in the process of stopping the use of Google Analytics,” which “should be fully effective within a few days.” 
