On 10 February 2022, the CNIL issued a formal notice to a website operator using Google Analytics cookies to comply with the GDPR and more specifically with the CJEU Schrems 2 ruling on the transfer of data to the US.
The CNIL considers that as long as the US authorities can access users’ data, the use of Google Analytics is not legal. The Authority has therefore asked the website operator to comply with the GDPR and if necessary, to stop using Google Analytics cookies.
Thus, the CNIL has joined the Austrian authority and the EDPS who took the same position a few weeks ago. This formal notice also reflects a common position of the European authorities insofar as this formal notice follows more than a hundred complaints filed by the NYOB association in the 27 Member States against various data controllers.
If Google does not make any changes to its products, website operators will have no choice but to use other providers of equivalent services.
Google Analytics is a feature that can be integrated by webmasters of websites such as online retailers to measure the number of visitors to their websites.
A unique identifier assigned to each visitor and the data associated with it are transferred by Google to the United States.
The CNIL received several complaints from the NOYB non-profit organisation concerning the transfer of data collected during visits to websites using Google Analytics to the United States, considering these transfer as illegal following the ECJ Schrems 2 ruling.
Indeed, a total of 101 complaints were filed by NOYB in the 27 EU Member States and the three other European Economic Area (EEA) states.
The CNIL has, in cooperation with its European counterparts, analysed the legality of the transfers to the US and considers them to be illegal.
As a result, it asked a French website operator to comply with the GDPR and, if necessary, to stop using this tool under the current conditions.
This decision is stemming from the “Schrems II” judgment of the Court of Justice of the European Union (CJEU) of 16 July 2020, which invalidated the Privacy Shield. In this ruling, the ECJ had required that additional measures be put in place to prevent US intelligence services from accessing personal data transferred to the US.
The CNIL’s analysis / position
The CNIL considered that the transfer of data to the United States can only take place if additional and appropriate safeguards are implemented for this data flow.
However, the CNIL found that the additional measures implemented by Google as part of the Google Analytics functionality were not sufficient to prevent the access to this data by the US intelligence services.
It therefore issued a formal notice to the site manager to bring this processing into compliance with the GDPR, if necessary by ceasing to use the Google Analytics functionality (under the current conditions) or by using a tool that does not involve a transfer outside the EU.
The CNIL recommends that audience measurement cookies should only be used to produce anonymous statistical data, thus allowing an exemption from consent if the controller ensures that there are no illegal transfers.
The CNIL has launched an evaluation programme to determine which solutions are exempt from consent.
Should you have any question, do not hesitate to contact Arnaud BLANC, French&UK qualified lawyer based in France