On 10 February 2022, the CNIL issued a formal notice to a website operator using Google Analytics cookies to comply with the GDPR and more specifically with the CJEU Schrems 2 ruling on the transfer of data to the US.
The CNIL considers that as long as the US authorities can access users’ data, the use of Google Analytics is not legal. The Authority has therefore asked the website operator to comply with the GDPR and if necessary, to stop using Google Analytics cookies.
Under the General Data Protection Regulation (GDPR), personal data transfer outside of the EEA (i.e. EU and Norway, Lichtenstein and Iceland) or to international organisations are allowed only if one of the following conditions is met:
the third country is recognised as providing an adequate level of protection via an adequacy decision adopted by the European Commission;
adequate safeguards are implemented (e.g. EU Standard Contractual Clauses, BCR, approved certification or code of conduct.);
a derogation provided for in article 49 is applicable (e.g. express consent, vital interest etc.).
As expected, the Commission has adopted two adequacy decisions for transferring personal data freely to the United Kingdom – one under the General Data Protection Regulation (GDPR) and the other for the Law Enforcement Directive. These adequacy decisions also facilitate