CNIL Issues Decision in Analytic...
CNIL Issues Decision in Analytics Servic...

CNIL Issues Decision in Analytics Service Provider Case

The CNIL has ordered a French website operator to comply with the GDPR following complaints made by NOYB

clock3 Min Read

Featured Image

On February 10, 2022, the French data protection authority (CNIL) published a press release stating that it had concluded its investigation into a French website operator’s US data transfers through the use of Google Analytics.

The CNIL received the initial complaint in 2020 as part of the 101 complaints raised across the EU and EEA by NOYB -alleging that the use of Google Analytics and similar analytics service providers based in the US violated Chapter V of the GDPR, following the Court of Justice of the European Union’s decision in Schrems II.

The CNIL’s decision, in this case, follows the Austrian data protection authority’s (DSB) recent decision in a similar case raised by NOYB as part of its broader set of complaints. In that case, the DSB ruled that an Austrian website operator was violating Chapter V of the GDPR despite using supplementary measures, including encryption, when transferring data to the US through the analytics service provider.

What Was the CNIL’s Decision in the Case?

Like the DSB’s ruling, the CNIL found the website operator to be in violation of the GDPR, stating that the supplementary measures used to protect the personal information were not sufficient in excluding US surveillance agencies from accessing it. As a result, the privacy of French website visitors was found to be at risk.

The CNIL has subsequently ordered the website operator to bring its operations in line with the provisions of the GDPR within one month, by stopping the use of the analytics service provider under the current conditions if necessary, or by using tools that do not involve the transfer of data outside of the EU.

As part of the ruling, the CNIL also issued brief recommendations for organizations for using analytics services. The recommendations included only using such tools for anonymous statistical data which would allow ‘for an exemption from consent if the data controller ensures that there are no illegal transfers.’

The CNIL highlighted it had issued orders to other French website operators using Google Analytics to bring their operation in line with the GDPR. Furthermore, the CNIL has not ruled out the possibility of further actions being taken against French website operators using similar tools that require personal information to be transferred out of the EU.

Further resources on the CNIL’s decision in the analytics service provider case:

Follow OneTrust on LinkedInTwitter, or YouTube for the latest privacy and security news. 

You Might Also Be Interested In


JANUARY 13, 2023

Addressing UK app Code of Practice requirements with OneTrust

JANUARY 12, 2023

Ultimate guide to the EU CSRD ESG regulation for businesses

JANUARY 11, 2023

Continuous improvement: The leading indicator for successful compliance programs

JANUARY 10, 2023

Build trust, promote your program in the Third-Party Risk Exchange

JANUARY 9, 2023

Building trust in a zero trust world

JANUARY 9, 2023

Consent management by the numbers: 2022 DMA report summary

JANUARY 9, 2023

Navigating the California Privacy Rights Act as a HIPAA-compliant business

JANUARY 6, 2023

US state privacy bills on the horizon in 2023

BackToTop
Onetrust All Rights Reserved