Q&A on the CNIL's formal notices concerning the use of Google Analytics

20 July 2022

The CNIL has issued an order to comply to several organisations regarding the use of Google Analytics, due to the transfer of data to the United States without sufficient guarantees for the rights of European users. What are the consequences for organisations?

This Q&A only covers the decisions of the CNIL concerning the use of Google Analytics following the invalidation of the Privacy Shield.

The joint statement by the European Commission and the United States government in March 2022 on a future decision to adequately regulate data flows to the US is, at this stage, only a political announcement. The EDPB issued a statement on 6 April indicating that this does not constitute a legal framework on which organisations can rely to transfer data to the US.

This Q&A is a courtesy translation of the French Q&A published on June 7th, 2022. In the event of any inconsistency, please note that the French version shall prevail.

Concerning formal notices

In short, what should we learn from the formal notices issued by the CNIL?


Why was the order to comply published in an anonymised form?


Do organisations have a deadline for compliance?


Is this interpretation of the consequences of the "Schrems II" ruling by the CNIL shared at the European level?


Why weren't all the complaints filed by the association noyb processed at the same time?


Concerning the use of the Google Analytics tool

Are there any standard contractual clauses and additional safeguards allowing the use of Google Analytics?


Is it possible to set the Google Analytics tool so that personal data is not transferred outside the European Union?


Is it possible to set up Google Analytics to only transfer anonymous data to the US?


Could encryption be a sufficient additional guarantee?


Are there sufficient additional safeguards to continue to use the Google Analytics tool alone?


Is it possible to continue to transfer data with the explicit consent of individuals?


Concerning alternative solutions available to actors

Are there alternative tools?


How to ensure that audience measurement tools do not transfer data to a third country that is not adequate?


Can controllers adopt a risk-based approach, taking into account the likelihood of data access requests?