An investigation conducted by the Sciences Po School of Journalism found that half of the twelve candidates running for President in France use Google Analytics, a tool currently prohibited by the French data protection agency, CNIL.
Last October, French President Emmanuel Macron hosted a very niche dinner party. Twenty people—authors, professors, specialists—were invited. Around the table, the invitees shared one thing in common: a healthy distaste for GAFA. GAFA is neither an entree nor a dessert; it is an abbreviation for Google, Amazon, Facebook, and Apple, and the goal of the dinner party was to discuss the challenges of regulating these companies.
Outside the dinner party, Macron has made several public comments about reining in the power of tech giants, particularly via the European legal framework called the General Data Protection Regulation (GDPR). “It’s time to have our own technological sovereignty,” said Macron at the 2020 State of European Tech Report launch. “The United States has GAFA, China has BATX [Baidu, Alibaba, Tencent and Xiaomi]. And Europe? We have the GDPR,” he said, highlighting such differences in data protection.
Yet despite Macron’s engagements in favor of GDPR, the French President who is currently running for a second term is not compliant with it. After inspecting the websites of all twelve candidates racing for the Elysée, many of whom have expressed similar reservations, half fail to respect European data protection law, as they rely on a personal data collection tool created by Google that has been found to be in violation of the GDPR.
Following the Cookie Crumbs
Between practicing photography and chatting about his favorite movies, Éric Nguyen, an E-Commerce Manager and Digital Consultant, spends his free time testing the data protection compliance of websites, especially government ones. Building websites is a large part of his day-job, and he pays close attention to the regulations surrounding it.
“It’s my job to make things right for websites. I have to know if what I am doing is correct or not because my company pays me to do that, but every digital marketer should know these rules,” explains Nguyen.
Nguyen feels strongly that if tech employees like himself must respect the law, then those running for high office ought to, as well. He enjoys diving into the backsides of candidates’ and politicians’ websites, testing to see if they are following the rules.
“They should follow the law because they are the leaders of our country,” he said.
The GDPR, which regulates data protection and privacy in the European Union, establishes that websites must follow certain protocols surrounding their cookies.
According to CNIL, the data protection agency who is in charge of enforcing the GDPR in France, websites should abstain from tools that send data transfers to the United States. They should also only keep cookies for a limited amount of time, recommending only six months, and each site should clearly lay out its data protection policy and explicitly reference their adherence to the GDPR.
To check websites’ respect for data protection law, Nguyen uses the browser extension “Edit this Cookie.” Switching his Google chrome to “Incognito » mode, Nguyen travels to the website of current French President Emmanuel Macron, Avecvous.fr. At first glance, the website seems normal. A somber image of the 44-year-old incumbent flashes on the screen with his campaign promise: “For a new French and European Era.” After scrolling for a moment, a small white box appears titled “Les cookies.”
Nguyen opens “Edit this Cookie” and tests each of the options: “Accept All,” “Personalise” (to recommended settings), and “Reject All.” After accepting the cookies, they start to populate.
“There! Do you see that? That is Google Analytics, and that is not allowed,” says Nguyen, hovering his mouse over the “_ga” cookie. A series of other Google Analytics cookies appear on the GAFA-skeptical President’s campaign site, as well as Facebook’s marketing and tracking cookie, “_fbp.”
Nguyen is referring to the recent decision by the CNIL, France’s regulatory body, that Google Analytics breaches the GDPR because it stores data in the United States, where the transfers are at best not sufficiently regulated, and at worst potentially vulnerable to seizure by the U.S. government.
Although Nguyen clicked “Accept All,” the simple presence of Google Analytics cookies indicates a breach in data protection law, even if the website asked for consent beforehand.
To verify Nguyen’s findings and other candidates’ websites, each website needed to be tested individually by clicking “inspect” and looking at which cookies appeared in the website’s “storage.” Then, once the individual cookies appeared, the “Network” tab showed where those cookies “requests” were being sent.
For Emmanuel Macron, Valérie Pecresse, Fabien Roussel, Jean Lassalle, Eric Zemmour, and Marine Le Pen, the cookies on their websites indeed sent requests to Google Analytics. Meaning, six of the twelve campaigns fail to properly follow the legal data protection protocol.
(None of the campaigns have responded for comment)
What does it mean to have your cookies tracked?
Expert in EU data privacy law, Belkys Lefebvre Valbuena explains that Google Analytics tool is used by websites to “observe and measure user engagement.” “Most cookies have personal data,” says Valbuena, adding that this means they can “directly or indirectly [identify] someone and someone. It’s a physical person.”
To understand cookies in layperson’s terms, Valbuena recounted her vacation in Marseille last weekend. “[In Marseille], I went to a soap shop. I stayed there quite a while, and I ended up buying soap. My phone has Google on it, and it has my GPS activated. So, probably my Google account had knowledge I went to that store and spent some time there. This morning when I came home and went on my computer, I got an ad for soap on a website that had absolutely nothing to do with soap. And this ad had the exact same brand of soap that I bought…so I think the risk is more that you accept cookies and you also go through many websites, and your accounts are all connected to each other,” she said.
Essentially, your cookies typically do not just stay on the individual website you might be surfing right now, Valbuena says. They follow you across sites and applications, allowing for better optimisation and advertising. Valbuena cautions that some of these cookies are necessary for the functioning of the website.
“The fact is that when you accept cookies, your accounts are all connected to each other, because it’s all interconnected,” said Valbuena. What Valbuena means is that cookies do not exist in a vacuum, the concern lies more so in the links between devices and websites, when your cookies follow you from one site to another, building up information about you over time.
What is Google Analytics?
“Google Analytics are theoretically illegal, and people should stop using them” said Valbuena, explaining that CNIL ruled against the use for one website, but that this should be viewed as legal precedent for others. All websites, therefore, should apply CNIL’s ruling that Google Analytics violate GDPR.
Google Analytics functions similarly to many other cookie trackers, intended to analyze software and track traffic. The greatest concern with Google Analytics though is that U.S. intelligence agencies could have access to French voters’ IP addresses, a unique number linked to the device or network they connect from that is considered as personal data in GDPR. This number represents a physical person, clarifies Valbuena.
“I don’t know how we could make it [Google Analytics] legal according to the CNIL findings,” said Valbuena. The only scenario that would make the transfer legal would be to have contractual clauses with US companies, in which they agree not to allow the data to be seized by the U.S. government. “But a company in the U.S. couldn’t guarantee that…it would be a false guarantee,” she says, adding that such a guarantee falls outside the purview of an individual company.
For these reasons, CNIL ruled against the use of Google Analytics in February. The agency instead recommends that campaigns use European tools, as they are beholden to European law. Matomo and TarteAuCitron are some of the tools that CNIL recommends website developers use in lieu of Google Analytics. Candidates like Jean-Luc Melanchon and Yannick Jadot use “Matomo,” and thus respect the CNIL ruling.
Why is GDPR Important?
In 2018, when the GDPR came into force throughout the European Union, it became, by the EU’s own account, “the toughest privacy and security law in the whole world.” It set unprecedented data privacy standards for the whole of the European Union. These regulations are implemented country to country, and as discussed, in France the regulatory body responsible for doing so is the “CNIL.”
However, some feel that the regulatory body is not meeting its obligations to actively monitor data protection, particularly in relation to the French election.
Luc Mandret is one of those people. Mandret is a 38-year-old French expat living in Vietnam. For over ten years, he worked as an activist against the rise of the far-right. Now, he works in communication in the private sector. As an expat, his voter registration is kept on file by the French Ministry of Foreign Affairs.
About a month ago, he received an email addressed to his full legal name, including his two middle names. “I almost never use all three of my names,” said Luc. When he opened it, he felt shock and anger: it was a campaign advertisement from the Éric Zemmour, the controversial far-right candidate known for provocative statements on Islam, feminism, and immigration.
Under the law, political parties have access to the voter lists of French people living abroad, and thus the means of contacting them. But a protocol must be followed—campaigns must request the information from the Foreign Ministry.
Upon receiving the email, Mandret immediately reached out to the Foreign Ministry to see if the Zemmour campaign had obtained his personal information. The response he received was startling—according to Mandret, the Foreign Ministry said none of his personal information was requested by or transferred to the Zemmour campaign.
“Then, I sent about 35 emails to CNIL,” said Mandret. “It has not been easy. I also contacted the Zemmour campaign to be unsubscribed.” After many attempts to contact CNIL, he received an automatic reply stating they will process his request. But that was over a month ago, exceeding the allowed window of time for the agency to respond.
“The thing is that CNIL does not have enough people. They can’t handle everything, and navigating the site is extremely technical and complicated,” explained Mandret.
Mandret has now contacted the French consulate, the Foreign Ministry, CNIL, and the Zemmour campaign. He is no closer to understanding how his personal data was obtained by the campaign. “It frustrates me that no one cares,” said Mandret.
(The CNIL has not responded for comment)
The Standard for Elected Officials
Éric Nguyen would also like to see CNIL play a more active role. “CNIL should send a warning to En Marche saying ‘if you don’t take this seriously, we will fine you’,” he exclaims.
Macron’s site, along with others, fails to respect GDPR in other areas besides Google Analytics. For instance, the website stores cookies for over two years, a breach of the recommended 13-month maximum.
Others, such as Éric Zemmour, Yannick Jadot, and Anne Hidalgo all use the American data processor NationBuilder, which though not illegal, has come under serious scrutiny.
In 2016-2017, CNIL reprimanded NationBuilder for attempting to illegally obtain personal information via social media accounts. Used by Nicolas Sarkozy’s team during his primary, the tool collected a massive amount of data using a “Match” function that sucked personal data from social networks including Facebook, LinkedIn and Twitter, via simple email addresses.
Though NationBuilder agreed to cease this function in France, it still refuses to specify where it hosts its data, even though European law states that personal data held by political parties must be stored in Europe. As the data reveals European citizens’ political opinions, it must be managed under European law.
Ultimately, to tech workers like Nguyen, who must respect these rules and think about them on a daily basis, elected officials should hold themselves to a higher standard.
In 2018, right after the GDPR went into effect, President Macron posted a tweet: “It is through Europe that we will be able to protect your personal data.” And yet, alongside several of his fellow candidates, the incumbent President’s website fails to do so.
Article and image by Genevieve MANSFIELD