10. February 2022

CNIL against client-side Analytics

French data protection authority confirms non-conformity of client-side GA

On Thursday, 10.2.2022, CNIL released a statement “Utilisation de Google Analytics et transferts de données vers les États-Unis : la CNIL met en demeure un gestionnaire de site web”. (Translation: “Use of Google Analytics and data transfers to the United States: the CNIL orders a website manager/operator to comply”).

It summarizes the first of six potential decisions after Max Schrems sued 101 companies in Europe as exemplary cases (six of which are located in France).

While we do not have the text of the notice available to conduct a detailed analysis, we can draw a couple of conclusions based on CNIL’s statement.

  • CNIL’s action is an interim measure, not a final decision. CNIL issued a formal notice to a French website operator ordering it “to comply with the GDPR and, if necessary, to stop using this service under the current conditions”.
  • Its request was aligned with other European Data Protection Authorities, which reflects the common approach regarding this topic.
  • The formal notice gives the website operator an opportunity to comply with the law within a period of 1 month. Based on the text of CNIL’s press release, stopping the use of GA or using an EU tool are possible options in this case, but not the only ones.
  • In the context of both cases (France and Austria) we definitely recognise a domino effect. Both DPAs send a clear message: GA’s services cannot be used without supplementary measures, and to be effective, supplementary measures must exclude the possibility of access by U.S. intelligence services. The particular formulations by the French CNIL and the Austrian DPA do not contradict one another; they are complementary. CNIL indicated that it may be possible to continue using GA for anonymised data to conduct ‘website audience measurement and analysis services’. The Austrian DPA said that anonymisation of IP addresses (even if done correctly) cannot be sufficient to protect personal data, because there are also other identifiers that make it possible to single out an individual.
  • The statement specifies that CNIL and other European data protection authorities see Google Analytics as only one of many tools that infringe the GDPR due to the non-compliant transfer of personal data to the US. They add that “corrective measures in this respect may be adopted in the near future.”

All things considered, it is fair to say that CNIL’s notice is by no means surprising or unjustified. It is now more than 1.5 years since the EU-U.S. Privacy Shield fell. Month by month, there are new cases and judgements that support the initial Schrems II decision.

We expect similar decisions from other countries very soon – stay tuned.
