France's data protection authority (DPA), Commission Nationale de l'Informatique et des Libertés (CNIL), announced its ruling on February 10, 2022, that the use of Google Analytics by companies in the EU violates Article 44 of the General Data Protection Regulation (GDPR). The CNIL found that even though Google adopted additional measures to protect personal data transferred to the United States in the context of Google Analytics functionality, those measures were insufficient to preclude access to EU internet users' personal data by the U.S. government, which resulted in the violation of Article 44 of the GDPR.
This is the second ruling arising from 101 complaints that a European privacy advocacy group, None of Your Business (NOYB) (an organization co-founded by privacy activist Max Schrems), filed with 14 EU DPAs against 101 data controllers allegedly transferring personal data to the United States by way of Google Analytics and Facebook Connect integrations in their webpages. The CNIL's ruling follows on the heels of the Austrian DPA's decision released in January finding that data transfers to the United States associated with integrated cookie and data analyzing functionalities violate the GDPR.
Both rulings follow from the Court of Justice of the European Union's (CJEU) July 2020 decision in Schrems II, which invalidated the EU-U.S. Privacy Shield (Privacy Shield), the framework that had enabled lawful cross-border data transfers from the EU to the United States.
At issue in both the Austrian and French cases was the transfer by websites in the EU of certain cookie data, such as internet users' IP addresses and unique identifiers, to the United States for processing by Google Analytics. Article 44 of the GDPR requires companies to ensure that personal data transferred to another country outside of the EU is subject to "adequate" protection under the laws of that transferee country.
Because the European Commission has not found the United States to provide an "adequate" level of data protection, companies transferring personal data from the EU to the United States must use one of several approved data transfer mechanisms to ensure lawful transfer, such as standard contractual clauses (SCCs), binding corporate rules (if a company seeks to make intra-company transfers), or—until the Schrems II decision—the Privacy Shield.
Although the Schrems II decision invalidated only the Privacy Shield, the decision continues to have negative implications for other transfer mechanisms, such as the SCCs that were in place and challenged in the Austrian case and apparently in the French case too.
Specifically, the CNIL noted that the CJEU struck down the Privacy Shield in part because of concerns about the U.S. government's alleged access to personal data once it is transferred to and maintained by private companies in the United States, finding there is "a risk for French website users who use this service and whose data is exported."
In the Austrian case, the DPA found that these concerns applied with equal force to transfers of cookie data by way of Google Analytics conducted under SCCs because Google is a provider of electronic communications services (ECS) and subject to surveillance by U.S. intelligence services under the Foreign Intelligence Surveillance Act (FISA) and Executive Order 12333. Moreover, the SCCs do not protect against U.S. government surveillance and the additional measures Google had adopted—issuance of regular transparency reports, data pseudonymization, and even encryption—were insufficient to address the risk posed by U.S. intelligence authorities' access to ECS providers' data.
Similarly, the CNIL concluded that "transfers to the United States are currently not sufficiently regulated." The CNIL gave the website operator one month to ensure its processing is in compliance with the GDPR, "if necessary by ceasing to use the Google Analytics functionality" or by using another tool that does not transfer data outside of the EU. In addition, the CNIL recommended that the analytics tools should produce only anonymized statistical data to avoid triggering a consent requirement, although it is not clear whether such anonymized data would be analytically useful.
It is highly likely that the remaining decisions on NOYB's 101 complaints will similarly reject further use of Google Analytics as a violation of Article 44. If this trend continues, EU data exporters who use U.S.-based services will have to anonymize their data before transferring it or cease transferring it altogether because neither EU controllers nor U.S. providers can limit U.S. governmental access.
In the meantime, everyone will need to wait for a new Privacy Shield agreement that hopefully will survive scrutiny under Schrems II.