Google Analytics: The CNIL Asked a Website Operator to Stop Using Google Analytics

Google Analytics: The CNIL Asked a Website Operator to Stop Using Google Analytics

On 10 February 2022, the CNIL issued a formal notice to a website operator using Google Analytics cookies to comply with the GDPR and more specifically with the CJEU Schrems 2 ruling on the transfer of data to the US.

The CNIL considers that as long as the US authorities can access users’ data, the use of Google Analytics is not legal. The Authority has therefore asked the website operator to comply with the GDPR and if necessary, to stop using Google Analytics cookies.

Cookies and other Trackers : How to Comply

Cookies and other Trackers : How to Comply

Following the hundreds  of million fines imposed Amazon, Google and Facebook by the CNIL and other authorities relating to their use of cookies, this article aims to review the CNIL’s practical recommendations in this area so that to help organisations to understand the requirements in France and to some degree, to the rest of the European Union.

The CNIL reminds in its recommandations that it constitutes only examples which are neither prescriptive nor exhaustive and that although they are focused on the web and mobile environment, they can also be applied to other environments (connected TV etc.).

GDPR : International Data Transfers

GDPR : International Data Transfers

Under the General Data Protection Regulation (GDPR), personal data transfer outside of the EEA (i.e. EU and Norway, Lichtenstein and Iceland) or to international organisations are allowed only if one of the following conditions is met:

the third country is recognised as providing an adequate level of protection via an adequacy decision adopted by the European Commission;

adequate safeguards are implemented (e.g. EU Standard Contractual Clauses, BCR, approved certification or code of conduct.);

a derogation provided for in article 49 is applicable (e.g. express consent, vital interest etc.).

Google Analytics – GDPR : The EDPS & Austrian DPA Consider Data Transfers to Google LLC (US) Illegal

Google Analytics – GDPR : The EDPS & Austrian DPA Consider Data Transfers to  Google LLC (US) Illegal

The European Data Protection Supervisor (“EDPS”) and the Austrian Data Protection Authority have both recently issued a decision ruling that the transfers of personal data to Google LLC (US) entailed by the use of Google Analytics tool on the European Parliament and by a company located in Austria (the “website operator”) websites, were not GDPR compliant.