Following a decision given by the European Data Protection Supervisor and the Austrian Data Protection Authority in January, the French data protection regulator (CNIL) has also declared the use of Google Analytics for processing personal data of EU data subjects to violate the GDPR. CNIL concluded that Google Analytics transfers data to the US without implementing sufficient supplementary measures to ensure a level of protection that is essentially equivalent to the GDPR. CNIL thus ordered French website operators to cease their use of Google Analytics within one month.
The Belgian Data Protection Authority found the Interactive Advertising Bureau of Europe (IAB) to violate the GDPR, following an inquiry initiated due to several complaints regarding the IAB’s Transparency & Consent Framework (TCF). TCF is a system developed and operated by IAB for the management of users’ preferences regarding online targeted ads. The Belgian privacy regulator found that IAB is the GDPR controller of the data collected through the TCF, and that it has infringed the following principles of the GDPR:
- Lawfulness – IAB failed to establish a legal basis for processing personal data through the TCF.
- Transparency – the information provided to users regarding the TCF is too generic and vague, making it difficult for users to maintain control over their personal data.
- Accountability, security, and data protection by design – IAB did not present any organizational or technical measures to enable data protection by design and by default (e.g., measures to ensure the effective exercise of data subject rights).
In addition, the IAB failed to fulfill some of the obligations imposed on it as a controller, such as maintaining a record of its processing activities, appointing a DPO, and conducting a Data Protection Impact Assessment.
Consequently, the Belgian DPA imposed a €250,000 fine on IAB and ordered the company to take a few corrective measures, including establishing a legal basis for processing.