Google and the GDPR: a difficult reconciliation?

In its strategic plan, the CNIL highlights the role of the GDPR as a tool allowing effective respect “for the rights of individuals and competitive equality between economic players”.

Although this equality is sought and desired, in particular via the Internet regulation projects which are currently being negotiated within the European Union, aiming, among other things, to limit the domination of large accounts and to curb the spread of illicit, there is no doubt that the GAFAM are today the leaders of the digital market and that they hold an enormous quantity of data belonging to the few billion of their users.

Among these platforms, Google is the world’s leading search engine with a turnover of more than 250 billion US dollars. This company, which offers attractive services and innovative tools with sophisticated and intuitive functionalities, bases its activity on people’s data. Highlighting the freeness of its services, although it is a false free, this Internet giant immediately succeeded in capturing the attention of Internet users and in some way deciding the future of their data. . These are most often at a loss: in order to be able to take full advantage of the functionalities of a solution or even the advantages of a service, it would be necessary to obey the prescribed rules. No margin of negotiation exists and any disagreement can imply an immediate rejection.

We are therefore witnessing a confrontation between the protection of privacy on the one hand and the digital revolution on the other. Balance is difficult to achieve and practice has shown that this universe cannot exist without data. Strong international tensions have therefore arisen due in particular to the European Union’s lack of technological independence. Most companies in Europe use American tools, which most often implies their submission to foreign rules. However, the level of data protection in the United States is not equivalent to that required by European texts and this divergence is the source of strong tensions.

Conflicting regulations

If the GDPR was not immediately challenged by companies across the Atlantic, the heaviness of European rules has begun to be felt in recent months. With the announcement of the company Meta considering the possibility of no longer operating its services offered by Facebook and Instagram in Europe, this Internet giant highlights the complexity of the obligations implied by the entry into application of the GDPR.

Similarly, Google seems to be taking advantage of its position in the market and is quick to make its opinions known. In its communication following the decision of the Austrian authority calling into question the compliance of Google Analytics, the company mentioned the need to put in place a new European legislative framework to replace the Privacy Shield.

With the invalidation of the Privacy Shield in July 2020, data transfers between the European Union and the United States are now illegal, unless additional safeguards are put in place, in order to prohibit in particular the potential access of US authorities to this information. However, since this guarantee is not guaranteed, the CNIL has called into question the compliance of Google Analytics by inviting the manager of a website to comply with the requirements of the GDPR or even to no longer use the tool under current conditions. .

Similarly, 2021 ended with a record fine: 150 million euros for Google’s non-compliance with the provisions on cookies. Although already sanctioned in 2020 for the same reasons, Google clarified that the breaches raised do not arise from either the ePrivacy directive or the GDPR, thus implying that it is not concerned by the rule according to which it must also be simpler to refuse cookies than to accept them. However, the CNIL has rightly clarified: the ease of refusing cookies makes it possible to meet the consent requirements introduced by the GDPR according to which consent must in particular be collected in a free and informed manner.

This conflict between the European Union and the web giants seems to be only in its infancy, each wishing to achieve its own objectives: to protect the data of its residents for the European Union and to gather even more data for Google.

A weakened sovereignty

The economic strength of Google and the technologies it offers raise doubts about data sovereignty. This allows organizations, or even the State, to control the management of resident data by regulating access and transfers in particular. However, in a world governed by large accounts based outside the European Union, controlling the use of personal data of Europeans is complex.

This is notably due to the existing conflict between, on the one hand, the European regulations, and on the other hand, the Cloud Act. While the GDPR intends to protect data located on European territory as well as access to this data, federal law allows US authorities to access data held by US companies even when they are in outside the United States. Although it is data of European citizens governed by the GDPR, other laws may thus apply to this data when it is in the hands of foreign companies, and this is not without consequences on the level of their protection.

The questioning of the compliance of Google Analytics reveals the intention of France or even Europe to regain the sovereignty of their data. Transfers of data to the United States are considered to be illegal and recourse to additional safeguards or to reinforced technical measures does not seem sufficient, in that it does not make it possible to prevent access to the data of American authorities. The CNIL’s message is far from neutral and suggests that the supervisory authority is determined to promote ‘made in Europe’ solutions.

Similarly, Microsoft’s Azure Cloud was designated to store health data as part of the creation of the Health Data Hub. However, in view of the risks that a possible transfer of data to third countries can entail, the request for authorization from the Health Data Hub has been withdrawn, which constitutes a real step forward in terms of data sovereignty.

These risks have also been highlighted by the CNIL in its communication on the priority control themes for 2022. The use of the Cloud can indeed lead to massive transfers of data outside the European Union, to countries that do not offer not an adequate level of protection. Particular attention will therefore be paid to these questions and to the management of the contractual relations between the data controllers and the providers of these solutions.

The use of American data hosts for data storage can then be challenged. However, despite the determination of the French authority, Franco-American collaborations are taking shape with, on the one hand Thalès and Google Cloud which have established a partnership to jointly develop a Cloud, and on the other hand Orange and Capgemini which have associated with Microsoft to create an Azure Cloud. A question may therefore arise on the possibility of achieving the desired autonomy by relying on foreign support for the creation of future products.

A strategy to improve

By observing the different stages that the legal framework for the transfer of personal data to the United States has undergone since the adoption of Directive 95/46/EC until the invalidation of the Privacy Shield, we note a progressive hardening of the constraints for companies wishing to transfer data to third countries.

In Europe, the protection of the privacy of individuals is essentially based on legal texts. The implementation of the GDPR was intended in particular to standardize the rules on the protection of personal data at European level and to allow individuals to regain control over their data. However, this last objective does not seem to have been achieved. In addition, these data are most often hosted outside the European Union and mostly subject to foreign legislation.

In order to regain data sovereignty, is it not necessary to review the strategy followed by the European Union?

The standardization of rules at European level, although necessary, should not lead to the neglect of the need to cooperate in order to put in place reliable and attractive technological solutions for companies. Instead of just strengthening the legal framework, it would be recommended to develop a new common strategy so as to have control of future tools at all stages of their implementation. To do this, French and European companies should benefit from the support of the States and have a certain leeway in the use of data for research and innovation purposes.

We can only regret that the stakeholders seek to deal only with the consequences and not the origin of the problem. Putting barriers to the use of data by European companies leads in practice to the opposite of the desired effect, this data then finding itself hosted outside the Union. It is only by combining legal instrument and technological solution that we can hope to preserve this resource!

Leave a Comment