French regulators have held that the use of Google Analytics violates the GDPR, a decision that likely has broad implications for web analytics companies and website operators.

On February 10, 2022, the French Data Protection Authority (Commission nationale de l'informatique et des libertés, or “CNIL”), following analysis in cooperation with its European counterparts, concluded that the conditions under which data collected through Google Analytics and transferred to the United States violates the European Union General Data Protection Regulation, Regulation (EU) 2016/679 (“GDPR”). Google Analytics is a widely used web analytics tool that, when implemented, allows for the collection of information about the usage of a particular website, which is then analyzed by Google before being shared with the website operator. As part of the process, a unique identifier is assigned to each visitor and such personal data is transferred by Google to the United States. According to the CNIL, this transfer violates Articles 44 et seq. of the GDPR and the website manager at issue has one month to comply with the GDPR (potentially through ceasing to use Google Analytics or using a tool that does not involve a transfer outside the European Union).

The CNIL order stems from the 101 complaints that None of Your Business (“NOYB”), a Vienna-based non-profit founded by Max Schrems, in 27 EU Member States and three other European Economic Area States concerning whether data transfers via Google Analytics and Facebook Connect are permitted in the wake of Schrems II. Although the NOYB complaints were filed in August 2020, the CNIL’s ruling is only the second decision made thus far. It comes weeks after the Austrian Data Protection Authority (the “Austrian DPA”) published a partial decision concluding that the use of Google Analytics by an Austrian website provider involved the collection and subsequent transfer of personal data to Google in the United States in violation of Chapter V of the GDPR.

Underpinning the Austrian DPA’s ruling was the view that IP addresses and cookie data constitute personal data under the GDPR. Although Google Analytics has a functionality that anonymizes IP Addresses of website users, the website operator here failed to activate that feature. Furthermore, the Austrian DPA also found that the Standard Contractual Clauses (“SCCs”) between Google and the website operator failed to provide an adequate level of protection under the GDPR because: (1) Google is qualified as a provider of electronic communications services within the meaning of 50 US Code § 1881 (b) (4) and is therefore subject to surveillance by US intelligence services in accordance with 50 US Code § 1881a (“FISA 702”); and (2) Google’s additional technical safeguards were insufficient as they did not eliminate the possibility of surveillance of, and access to, European personal data by U.S. intelligence agencies. Notably, the Austrian DPA found that the violation was attributable to the website operator rather than Google, as Chapter V of the GDPR applies to the data exporter rather than the data importer – though the Austrian DPA did state that it will issue a separate decision on whether Google LLC violated Articles 5 et seqq. GDPR in connection with Article 28(3)(a) and Article 29, GDPR.

The CNIL statement, while significantly shorter than the Austrian DPA’s published decision, similarly concluded that Google’s additional safeguards are insufficient. More details on the key takeaways from the CNIL decision are below:

Key Takeaways from the CNIL’s Decision

• Appropriate Safeguards. Pursuant to Schrems II, in the absence of a European Commission adequacy decision concerning transfers to the United States, appropriate safeguards and guarantees must be provided for the particular data flow. The CNIL found the organization at issue here failed to meet this obligation since the additional measures that Google Analytics adopted to regulate data transfers were insufficient to protect EU personal data from being accessed by U.S. intelligence services.
• Website audience management and analysis services. The CNIL recommended that these services should only be used to produce anonymous statistical data. Anonymous statistical data would not constitute personal data under GDPR and therefore, website visitors would not need to provide consent for data transfers so long as the data controller ensures there are no illegal transfers taking place.
• Evaluation Program. The CNIL noted that it has launched a program to determine what website audience management and analysis service solutions are exempt from consent. The CNIL is also investigating other tools used by sites that transfer European personal data to the United States and corrective measures may be adopted in the near future.

Conclusion

The CNIL decision has implications for any website based in France currently using Google Analytics as well as other tools used by sites that transfer EU data to the U.S. A key component of both the Austrian DPA and CNIL decisions is the alleged ineffectiveness of the measures that Google adopted to protect EU personal data from being accessed by U.S. intelligence services when transferred to the U.S.  Google noted in a post responding to the Austrian DPA’s decision, the hope that this issue will be quickly resolved by a successor agreement to the previously invalidated Privacy Shield.  While negotiations between the European Commission and U.S. counterparts have been ongoing,  resolution has seemed unlikely given the schism between Europeans’ fundamental rights and U.S. surveillance law. However, there have been reports that new proposals will finally be put forth this month with optimists predicting an official announcement on the Privacy Shield replacement during the upcoming Trade and Tech Council (“TTC”) meeting in May.

In the meantime, with a plethora of NOYB complaints still pending and given that the CNIL decision was made in cooperation with its European counterparts, it seems likely that more decisions on the use of Google Analytics will be forthcoming in the near-term and that other European data protection authorities will draw similar conclusions.