Just weeks after the Austrian Data Protection Authority’s ruling that Google Analytics use violates the EU General Data Protection Regulation, France’s data protection authority, the Commission nationale de l’informatique et des libertés, has reached a similar decision.
The rulings are the first stemming from 101 complaints filed by advocacy group NOYB throughout EU Member States following the “Schrems II” decision that invalidated the EU-U.S. Privacy Shield in July 2020 and are anticipated to set off a wave of decisions from other authorities.
In its decision, the CNIL said data collection and transfers to the United States using Google Analytics “are illegal,” violating Article 44 of the GDPR. The CNIL ordered an unidentified French website manager to bring its processing into compliance with the GDPR within one month and stop using the service under current conditions, if necessary.
The CNIL said transfers to the United States “are currently not sufficiently regulated” and the absence of an EU-U.S. adequacy decision presents “a risk for French website users who use this service and whose data is exported.” The authority noted additional measures taken by Google to regulate Google Analytics data transfers “are not sufficient to exclude the accessibility of this data for US intelligence services.”
The CNIL said its investigation “also extends to other tools used by sites that result in the transfer of data of European Internet users to the United States,” adding, “Corrective measures in this respect may be adopted in the near future.”
NOYB’s Max Schrems believes other authorities will “decide similarly” to the French and Austrian DPAs. “In the long run we either need proper protections in the US, or we will end up with separate products for the US and the EU,” Schrems said in a written statement. “I would personally prefer better protections in the US, but this is up to the US legislator — not to anyone in Europe.”
There will be a lot of attention paid to reports that the EU and U.S. are nearing a replacement Privacy Shield agreement, and said many companies are “sincerely hoping that this time around it will be ‘Schrems’-proof.”
Google has not yet issued a response to the CNIL’s decision, but in a previous statement on Austria’s ruling, President of Global Affairs and Chief Legal Officer Kent Walker urged EU and U.S. governments to finalize a Privacy Shield successor agreement. “We urge quick action to restore a practical framework that both protects privacy and promotes prosperity,” he said.
In the meantime, Europcar Mobility Group Data Protection and Compliance Officer Aurélie Banck noted that organizations or websites using Google Analytics should pay attention to compliance. “So, if we have to fix the data transfer issue, select another service provider other than Google Analytics,” she said, adding, “It seems to be difficult to use an American service provider.”