French CNIL issues decision on use of Google Analytics and data transfers to the United States

February 11, 2022

The French data protection authority CNIL has published its decision resulting from complaints it received about the use of Google Analytics.

Google Analytics is a service that can be integrated by websites to measure the number of visits by Internet users. In this context, a unique identifier is assigned to each visitor. This identifier (which constitutes personal data) and the associated data are transferred by Google to the United States.

The CNIL received several complaints from the NOYB association concerning the transfer to the United States of data collected during visits to websites using Google Analytics. In total, 101 complaints were filed by NOYB in all EU and EEA member states against 101 data controllers allegedly transferring personal data to the US.

The CNIL considered the consequences of the Schrems II judgment of the Court of Justice of the European Union of 16 July 2020, which invalidated the Privacy Shield. The CJEU had highlighted the risk that American intelligence services would access personal data transferred to the United States if the transfers were not properly regulated.

The CNIL has concluded that transfers to the United States are currently not sufficiently regulated. Indeed, it says that in the absence of an adequacy decision concerning transfers to the United States, the transfer of data can only take place if appropriate guarantees are provided for this flow in particular.

However, the CNIL found that this was not the case. Indeed, although Google has adopted additional measures to regulate data transfers in the context of the Google Analytics functionality, these are not sufficient to exclude the accessibility of this data for US intelligence services.

There is therefore a risk for French website users who use this service and whose data is exported.

The CNIL notes that as a consequence, the data of Internet users is transferred to the United States in violation of Article 44 GDPR. The CNIL therefore ordered the website manager to bring this processing into compliance with the GDPR, if necessary by ceasing to use the Google Analytics functionality (under the current conditions) or by using a tool that does not involve a transfer outside the EU. The website operator in question has one month to comply.

Regarding website audience measurement and analysis services, the CNIL recommends that these tools should only be used to produce anonymous statistical data, thus allowing for an exemption from consent if the data controller ensures that there are no illegal transfers. The CNIL has launched an evaluation programme to determine which solutions are exempt from consent. The CNIL has also issued other orders to website operators using Google Analytics.

The investigation by the CNIL and its counterparts also extends to other tools used by sites that result in the transfer of data of European Internet users to the United States. It says that it may adopt corrective measures in this respect in the near future.

The decision (and a similar one by the Austrian regulator) seem to be an overreaction to the theoretical possibility that data could be used by the US National Security Agency. The European Commission’s standard contractual clauses allow for the possibility that a regulatory authority could make a request for data and contain a process for dealing with such requests including challenging them if a data controller believes the request is unlawful. Such requests are in any event extremely rare to the point of being non-existent. However, the CNIL is considered to be the European powerhouse regulator and if it says something is unlawful, it is likely that other regulators will follow. The Dutch regulator has already said that it also intends to follow the CNIL.