On February 10, 2022, the French Data Protection Authority (the “CNIL”) ruled the transfer of EU personal data from the EU to the U.S. through the use of the Google Analytics cookie to be unlawful. In its decision, the CNIL held that an organization using Google Analytics was in violation of the GDPR’s data transfer requirements. The CNIL ordered the organization to comply with the GDPR, and to stop using Google Analytics, if necessary.
The CNIL’s order is the second decision issued in response to the NOYB’s complaints; the Austrian DPA reached a similar decision in January 2022. Because the CNIL made its ruling in cooperation with other EU supervisory authorities, similar decisions are expected by DPAs in other EU Member States.
The CNIL investigated the transfer of EU personal data to the U.S. through the use of Google Analytics cookies, with a focus on the risks to data subjects related to such transfers in light of the Schrems II judgment.
Post-Schrems II, in the absence of an adequacy decision for the U.S., appropriate safeguards must be implemented to protect EU personal data transferred to U.S. recipients. The CNIL held that the organization at issue did not comply with this obligation, finding the additional safeguards adopted by Google to be insufficient to protect EU personal data from access by U.S. intelligence services.
The CNIL accordingly ordered the organization to bring its data processing activities into compliance with the GDPR within one month and, if necessary, to stop using Google Analytics and instead use an alternative analytics tool that does not involve the transfer of EU personal data to a non-adequate country.
In its statement, the CNIL also recommended using website audience measurement and analytics services that produce anonymous statistical data, to avoid data transfers in violation of the GDPR.
According to the CNIL, other organizations using Google Analytics have received similar orders, and the CNIL may issue decisions against companies using comparable tools that result in the transfer of EU personal data to the U.S.
Read the CNIL’s press release.