February 14, 2022
CNIL Issues Decision in Analytics Service Provider Case
3 Min Read
On February 10, 2022, the French data protection authority (CNIL) published a press release stating that it had concluded its investigation into a French website operator’s US data transfers through the use of Google Analytics.
The CNIL received the initial complaint in 2020 as part of the 101 complaints raised across the EU and EEA by NOYB -alleging that the use of Google Analytics and similar analytics service providers based in the US violated Chapter V of the GDPR, following the Court of Justice of the European Union’s decision in Schrems II.
The CNIL’s decision, in this case, follows the Austrian data protection authority’s (DSB) recent decision in a similar case raised by NOYB as part of its broader set of complaints. In that case, the DSB ruled that an Austrian website operator was violating Chapter V of the GDPR despite using supplementary measures, including encryption, when transferring data to the US through the analytics service provider.
What Was the CNIL’s Decision in the Case?
Like the DSB’s ruling, the CNIL found the website operator to be in violation of the GDPR, stating that the supplementary measures used to protect the personal information were not sufficient in excluding US surveillance agencies from accessing it. As a result, the privacy of French website visitors was found to be at risk.
The CNIL has subsequently ordered the website operator to bring its operations in line with the provisions of the GDPR within one month, by stopping the use of the analytics service provider under the current conditions if necessary, or by using tools that do not involve the transfer of data outside of the EU.
As part of the ruling, the CNIL also issued brief recommendations for organizations for using analytics services. The recommendations included only using such tools for anonymous statistical data which would allow ‘for an exemption from consent if the data controller ensures that there are no illegal transfers.’
The CNIL highlighted it had issued orders to other French website operators using Google Analytics to bring their operation in line with the GDPR. Furthermore, the CNIL has not ruled out the possibility of further actions being taken against French website operators using similar tools that require personal information to be transferred out of the EU.
Further resources on the CNIL’s decision in the analytics service provider case:
- CNIL Press Release: Use of Google Analytics and data transfers to the United States: the CNIL orders a website manager/operator to comply
- OneTrust DataGuidance News: EU: NOYB files 101 complaints against EU companies for transferring data to Facebook and Google post-Schrems II
- OneTrust Blog: Austrian DPA’s Decision in Analytics Services Provider Case