CNIL Issues Decision in Analytic...
CNIL Issues Decision in Analytics Servic...

CNIL Issues Decision in Analytics Service Provider Case

The CNIL has ordered a French website operator to comply with the GDPR following complaints made by NOYB

clock3 Min Read

Featured Image

On February 10, 2022, the French data protection authority (CNIL) published a press release stating that it had concluded its investigation into a French website operator’s US data transfers through the use of Google Analytics.

The CNIL received the initial complaint in 2020 as part of the 101 complaints raised across the EU and EEA by NOYB -alleging that the use of Google Analytics and similar analytics service providers based in the US violated Chapter V of the GDPR, following the Court of Justice of the European Union’s decision in Schrems II.

The CNIL’s decision, in this case, follows the Austrian data protection authority’s (DSB) recent decision in a similar case raised by NOYB as part of its broader set of complaints. In that case, the DSB ruled that an Austrian website operator was violating Chapter V of the GDPR despite using supplementary measures, including encryption, when transferring data to the US through the analytics service provider.

What Was the CNIL’s Decision in the Case?

Like the DSB’s ruling, the CNIL found the website operator to be in violation of the GDPR, stating that the supplementary measures used to protect the personal information were not sufficient in excluding US surveillance agencies from accessing it. As a result, the privacy of French website visitors was found to be at risk.

The CNIL has subsequently ordered the website operator to bring its operations in line with the provisions of the GDPR within one month, by stopping the use of the analytics service provider under the current conditions if necessary, or by using tools that do not involve the transfer of data outside of the EU.

As part of the ruling, the CNIL also issued brief recommendations for organizations for using analytics services. The recommendations included only using such tools for anonymous statistical data which would allow ‘for an exemption from consent if the data controller ensures that there are no illegal transfers.’

The CNIL highlighted it had issued orders to other French website operators using Google Analytics to bring their operation in line with the GDPR. Furthermore, the CNIL has not ruled out the possibility of further actions being taken against French website operators using similar tools that require personal information to be transferred out of the EU.

Further resources on the CNIL’s decision in the analytics service provider case:

Follow OneTrust on LinkedInTwitter, or YouTube for the latest privacy and security news. 

You Might Also Be Interested In

SEPTEMBER 21, 2022

Jason Koestenblatt

SEPTEMBER 20, 2022

Ojas Rege

SEPTEMBER 20, 2022

Anne Kenyon


Kelly Maxwell


Julie Yamamoto

AUGUST 31, 2022

Julie Yamamoto

AUGUST 30, 2022

Jason Koestenblatt

AUGUST 29, 2022

Kelly Maxwell

Onetrust All Rights Reserved