On Thursday, 10.2.2022, CNIL released a statement “Utilisation de Google Analytics et transferts de données vers les États-Unis : la CNIL met en demeure un gestionnaire de site web”. (Translation: “Use of Google Analytics and data transfers to the United States: the CNIL orders a website manager/operator to comply”).
It summarizes the first of six potential decisions after Max Schrems exemplary sued 101 companies in Europe (of which six are located in France).
While we do not have the text of notice available to conduct a detailed analysis , we can draw a couple of conclusions based on CNIL’s statement.
- CNIL’s action is an interim measure, not a final decision. CNIL issued a formal notice to a French website operator ordering it “to comply with the GDPR and, if necessary, to stop using this service under the current conditions”.
- Their request was calibrated with other European Data Protection Authorities, which reflects the common approach regarding this topic.
- Formal notice gives the website operator an opportunity to comply with the law within the period of 1 months. Based on the text of the press release by CNIL, stopping the use of GA or using an EU tool – are in this case options that could be possible, but not the only options.
- In the context of both cases (France and Austria) we definitely recognise a domino effect. There is a clear message by both DPAs: GA’s services cannot be used without supplementary measures and to be effective supplementary measures must exclude the possibility of access by U.S. intelligence services. Particular formulations by the French CNIL and the Austrian DPA are not contradicting one another, they are complementary. CNIL indicated that it may be possible to continue using GA for anonymised data to conduct ‘website audience measurement and analysis services’. The Austrian DPA said that anonymisation of IP addresses (even if done correctly) can not be sufficient to protect personal data, because there are also other identifiers that make it possible to single out an individual.
- Specified notification that CNIL and other European data protection authorities see Google Analytics as only one of many tools that infringe on GDPR due to the non-compliant transfer of personal data to the US. They add that “corrective measures in this respect may be adopted in the near future.”
All things considered, it is fair to say that CNIL’s notice is by no means surprising or unjustified. It is now more than 1.5 years since the EU-U.S. privacy shield has fallen. Month by month, there are new cases and judgements that support the initial Schrems II decision.
We expect similar decisions from other countries very soon – stay tuned.