FRANCE: the CNIL is aligned with the Austrian Supervisory Authority – the use of Google Analytics leads to illegal transfers to the United States!

The French Supervisory Authority (the “CNIL”) sent a Formal Notice to a website operator using Google Analytics, ordering it to comply. Although the decision was taken against one website, it should apply to the use of Google Analytics in general.

It should be noted that the European Data Protection Supervisor (“EDPS”) took the same position against the EU Parliament and issued a reprimand for the placement of Google Analytics and Stripe on a Covid-19 testing site without appropriate measures in place. That reprimand prefigured a wave of aligned decisions by EU regulators, which started with the Austrian Authority and is now followed by the CNIL in France, while the Dutch and Danish Supervisory Authorities have already issued statements that they were considering the Austrian decision.

  1. Context of the Formal Notice

Following the 101 complaints filed by the association ‘My Privacy is None of Your Business’ (“NOYB”), the CNIL has indicated that the transfer of personal data to the United States through Google Analytics is illegal.

This position is based on an analysis, carried out by the CNIL in cooperation with the other EU Supervisory Authorities, of the conditions of data processing through Google Analytics and the resulting risks for data subjects.

  2. Legal grounds of CNIL’s position

Unfortunately, the CNIL’s communication published on its website on 10 February 2022 remains very high level and does not give a clear understanding of the rationale behind the decision, notably in light of the EDPB Recommendations.

We only note that, according to the CNIL:

  • Since the invalidation of the Privacy Shield, and in the absence of an adequacy decision, transfers to the United States are currently not sufficiently regulated and do not offer a sufficient level of protection;
  • Google Analytics uses a unique identifier attributed to website visitors, which is personal data. The processing is thus not anonymized;
  • Even if Google has adopted additional measures (several of which are those recommended by the EDPB) to secure the transfer of personal data to the US, they are not considered sufficient to prevent access to this data by US intelligence services.

Therefore, transfers of personal data to the United States through Google Analytics are illegal, as they raise a risk for the users of French websites using Google Analytics.

The CNIL thus ordered the website operator to make its data processing compliant with the GDPR within one month from the formal notice, “if necessary by stopping to use Google Analytics functionality (under the current conditions) or by using an alternative tool that does not involve a transfer outside the EU.”

The CNIL states in its communication that other formal notices have been issued against other website operators using Google Analytics and that the EU Supervisory Authorities are also extending their investigations to other tools used by websites that lead to a transfer of personal data to the US.

  3. Key Takeaway

Therefore, each company should determine whether:

  • the way it uses Google Analytics includes a processing of personal data and, if so, whether the Google Analytics parameters can be modified to comply with the requirements of EU data protection laws. If such a change of parameters is not possible, the CNIL recommends using alternative tools that do not involve a transfer of data outside the EU, which in practice will have a substantial impact, as Google Analytics is very widely used;
  • it uses other tools for its websites that may involve transfers to the US. In such a case, it should either cease to use them or anonymize the data processed, unless the providers of such tools are able to evidence that additional measures have been taken that ensure adequate protection, bearing in mind that EU Supervisory Authorities currently tend to consider such additional measures generally insufficient, even where the servers are located in the EU, if there is even a potential transfer to the US.

On the Supervisory Authorities’ side, it would be helpful to have more practical advice on why they consider that the additional measures cloud service providers have been taking since the CJEU’s Schrems II decision are still not sufficient. Companies are lost and are calling on US and EU authorities to rapidly reach an agreement framing such transfers from the EU to the US. Though discussions are underway, the outcome remains uncertain.

For any question related to this decision, please contact Denise Lebeau-Marianna, Partner or Yaël Hirsch, senior associate – Data Protection – IPT Department DLA Piper France LLP.