Privacy & Information Security Law Blog

On February 10, 2022, the French Data Protection Authority (the “CNIL”) ruled the transfer of EU personal data from the EU to the U.S. through the use of the Google Analytics cookie to be unlawful. In its decision, the CNIL held that an organization using Google Analytics was in violation of the GDPR’s data transfer requirements. The CNIL ordered the organization to comply with the GDPR, and to stop using Google Analytics, if necessary.

Background

On August 17, 2020, the non-governmental organization None of Your Business (“NOYB”) filed 101 identical complaints with 30 European Economic Area data protection authorities regarding the use of Google Analytics and Facebook Connect by various companies. The complaints concerned whether the transfer of EU personal data to Google and Facebook in the U.S. through the use of cookies is permitted following the Schrems II judgment of the Court of Justice of the European Union. The European Data Protection Board subsequently created a taskforce to coordinate the response to the complaints filed by NOYB.

The CNIL’s order is the second decision issued in response to the NOYB’s complaints; the Austrian DPA reached a similar decision in January 2022. Because the CNIL made its ruling in cooperation with other EU supervisory authorities, similar decisions are expected by DPAs in other EU Member States.

CNIL’s Order

The CNIL investigated the transfer of EU personal data to the U.S. through the use of Google Analytics cookies, with a focus on the risks to data subjects related to such transfers in light of the Schrems II judgment.

Post-Schrems II, in the absence of an adequacy decision for the U.S., appropriate safeguards must be implemented to protect EU personal data transferred to U.S. recipients. The CNIL held that the organization at issue did not comply with this obligation, finding the additional safeguards adopted by Google to be insufficient to protect EU personal data from access by U.S. intelligence services.

The CNIL accordingly ordered the organization to bring its data processing activities into compliance with the GDPR within one month and, if necessary, to stop using Google Analytics and instead use an alternative analytics tool that does not involve the transfer of EU personal data to a non-adequate country.

In its statement, the CNIL also recommended using website audience measurement and analytics services that produce anonymous statistical data, to avoid data transfers in violation of the GDPR.

According to the CNIL, other organizations using Google Analytics have received similar orders, and the CNIL may issue decisions against companies using comparable tools that result in the transfer of EU personal data to the U.S.

Read the CNIL’s press release.