Illegal data transfers to the U.S.: The French Data Protection Authority issues a formal notice to a website publisher for its use of Google Analytics
Communication from the CNIL on its website
The issue of personal data transfers outside the European Union, and in particular to the United States, has been at the forefront since the “Schrems II” ruling handed down by the Court of Justice of the European Union (CJEU) on July 16, 2020. The challenges brought by several European data protection authorities, including the CNIL, against the use of Google Analytics are among the most notorious consequences to date.
As a reminder, in its “Schrems II” decision, the CJEU invalidated the “Privacy Shield” agreement allowing the transfer of personal data between the EU and the United States. Even more importantly, it imposed additional conditions on the lawfulness of transfers to any third country not recognized as offering an “adequate” level of protection by the European Commission, even when these transfers are already governed by a transfer agreement that includes the European Commission’s Standard Clauses. The CJEU has indeed highlighted the risk that foreign authorities and intelligence services – and in particular American ones – could access the personal data if specific organizational and technical measures were not implemented to avoid this. The “Schrems II” ruling concerned data transfers made by Facebook, but the scope of the solution adopted is obviously broader since it impacts any data transfer to a country outside the EU that is not subject to an adequacy decision.
Following this ruling, the activist association NOYB filed more than 100 complaints with the data protection authorities of the various EU Member States, arguing that the use of Google Analytics cookies by website publishers implies an illicit transfer of personal data to the United States.
To date, these complaints have resulted in two notable decisions: (i) a December 22, 2021 decision by the Austrian Data Protection Authority against the publisher of a medical information portal; and (ii) a January 5, 2022 decision by the European Data Protection Supervisor against a site published by the European Parliament. In these two decisions, the supervisory bodies ruled that the framework for transfers to the United States of data collected via Google Analytics did not comply with the principles set out in the “Schrems II” judgment. Indeed, even if Google had adopted additional measures to govern the transfers, these were deemed insufficient to exclude any possibility of access to the transferred data by the American intelligence services.
In this context, the CNIL has just announced that it has issued a formal notice to a website publisher using Google Analytics. The French authority came to the same conclusions as its counterparts and, in this case, requires the publisher to comply “if necessary by ceasing to use the Google Analytics functionality (under the current conditions) or by using a tool that does not involve transfer outside the EU.”
This wave of decisions should continue to unfold in the coming months. On this issue, the European authorities are acting in cooperation and should therefore all reach the same conclusions. In France, the CNIL has already announced that it has initiated other proceedings against publishers of websites using Google Analytics.
As Google Analytics is the most widely used web analytics solution in the world, these decisions will have a strong practical impact for web publishers, who are clearly invited by the CNIL to turn to a different tool. The effects of the “Schrems II” decision will not stop at Google Analytics, as many other tools used on the web are likely to lead to transfers to the United States. This decision therefore raises real difficulties for European data controllers.