CNIL concludes that data transfers to the US through the use of Google Analytics violate GDPR
15 February 2022
The order relates to one of the complaints submitted by the privacy rights organisation none of your business (noyb) against certain websites in France that were using Google Analytics. The CNIL announced that, under the specific circumstances of how Google Analytics was implemented on these websites, the personal data collection and transfer to the US did not comply with the General Data Protection Regulation (GDPR).
The CNIL’s decision, which has not yet been published in full, is in response to the 101 complaints raised by noyb in August 2020. These complaints were lodged with several EU and European Economic Area (EEA) data protection authorities (DPAs) against a number of EU-based websites that noyb alleged were transferring user data to the US in violation of the Court of Justice of the European Union (CJEU)’s judgement in Schrems II.
Google Analytics is a free or paid analytics service that can be integrated into a website in order to measure the number of internet visitors. According to the CNIL, a unique identifier assigned to each visitor (which the CNIL considers personal data), along with other user-related data, is transferred by Google to the United States. Although Google had adopted additional measures in relation to data transfers in this context, the CNIL concluded that these measures could not prevent the US intelligence services from accessing the personal data and are therefore insufficient.
The CNIL’s decision follows closely the decision of the Austrian DPA, announced last month, and is aligned with the statements of the Dutch, Danish and Norwegian DPAs. These DPAs clarified that they are also investigating the use of Google Analytics and other tracking tools on a number of websites in their respective jurisdictions, as well as the validity of users’ personal data transfers to the US. The CNIL clarified that the DPAs cooperated in analysing the conditions under which the data are collected through the use of Google Analytics and transferred to the US, as well as the risks to the individuals concerned.
The CNIL ordered the website operator to bring its data processing in this context into compliance with the GDPR within one month. This can be done, according to the CNIL, either by ceasing the use of the Google Analytics functionality altogether, in its current form, or by using tracking tools that do not entail personal data transfer outside the EU. The CNIL clarified that it also issued similar orders to other website operators using Google Analytics.
The CNIL also made a general recommendation to controllers to use website audience measurement and analysis services that produce anonymous statistical data only, noting that this would potentially avoid the requirement to obtain user consent, on condition that there are no illegal transfers. The CNIL is currently evaluating which solutions would potentially fall under this exemption.