Use of Google Analytics and data transfers to the United States: the CNIL orders a website manager/operator to comply
Google Analytics provides statistics on website traffic. After receiving complaints from the NOYB association, the CNIL, in cooperation with its European counterparts, analysed the conditions under which the data collected through this service is transferred to the United States. The CNIL considers that these transfers are illegal and orders a French website manager to comply with the GDPR and, if necessary, to stop using this service under the current conditions.
Google Analytics is a service that can be integrated by websites such as online sale sites in order to measure the number of visits by Internet users. In this context, a unique identifier is assigned to each visitor. This identifier (which constitutes personal data) and the associated data are transferred by Google to the United States.
The CNIL received several complaints from the NOYB association concerning the transfer to the United States of data collected during visits to websites using Google Analytics. In total, 101 complaints were filed by NOYB in the 27 EU Member States and the three other European Economic Area (EEA) states against 101 data controllers allegedly transferring personal data to the US.
An analysis at European level
The CNIL, in cooperation with its European counterparts, analysed the conditions under which data collected through the use of Google Analytics was transferred to the United States and the risks incurred for the individuals concerned. The aim is to collectively draw the consequences of the "Schrems II" judgment of the Court of Justice of the European Union of 16 July 2020, which invalidated the Privacy Shield. The CJEU had highlighted the risk that American intelligence services would access personal data transferred to the United States if the transfers were not properly regulated.
Consequences in France
The CNIL concludes that transfers to the United States are currently not sufficiently regulated. Indeed, in the absence of an adequacy decision (which would establish that this country offers a sufficient level of data protection with regard to the GDPR) concerning transfers to the United States, the transfer of data can only take place if appropriate guarantees are provided for this flow in particular.
However, the CNIL found that this was not the case. Indeed, although Google has adopted additional measures to regulate data transfers in the context of the Google Analytics functionality, these are not sufficient to exclude the accessibility of this data for US intelligence services.
There is therefore a risk for French website users who use this service and whose data is exported.
The CNIL notes that the data of Internet users is thus transferred to the United States in violation of Articles 44 et seq. of the GDPR. The CNIL therefore ordered to the website manager to bring this processing into compliance with the GDPR, if necessary by ceasing to use the Google Analytics functionality (under the current conditions) or by using a tool that does not involve a transfer outside the EU. The website operator in question has one month to comply.
Regarding website audience measurement and analysis services, the CNIL recommends that these tools should only be used to produce anonymous statistical data, thus allowing for an exemption from consent if the data controller ensures that there are no illegal transfers. The CNIL has launched an evaluation programme to determine which solutions are exempt from consent.
The CNIL has issued other orders to comply to website operators using Google Analytics.
The investigation by the CNIL and its counterparts also extends to other tools used by sites that result in the transfer of data of European Internet users to the United States. Corrective measures in this respect may be adopted in the near future.