France: CNIL finds use of Google Analytics non-compliant with Chapter V of GDPR, orders website to comply
The French data protection authority ('CNIL') announced, on 10 February 2022, that it had issued an order against an unnamed French website operator to comply with Chapter V of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), having found that transfers of personal data to the US carried out via use of Google Analytics were non-compliant with Article 44 of the GDPR, in light of the Court of Justice of the European Union's ('CJEU') judgment in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('the Schrems II Case'), and following a complaint addressed to CNIL by None of your business ('NOYB').
Background to the case
On 17 August 2020, NOYB filed 101 complaints against EU website operators that continue to send website visitor data to Google LLC and Facebook Inc. (now Meta Platforms, Inc.), allegedly in continued violation of the GDPR despite the ruling in the Schrems II Case. On 13 January 2022, NOYB published the first decision to be issued following the filing of its complaints - a decision issued by the Austrian data protection authority ('DSB') finding an unnamed website operator's use of Google Analytics in violation of the GDPR. The present order issued by CNIL represents the second decision to be published by an EU data protection authority in response to NOYB's 101 complaints.
For further context, CNIL outlined that Google Analytics, a service that can be integrated by websites such as online sale sites in order to measure the number of visits by internet users, works by assigning a unique identifier to each visitor, which, CNIL highlighted, constitutes personal data, and which is subsequently transferred to the US along with additional associated data, and thus subject to Chapter V of the GDPR.
In addition to the above, CNIL explained that it had cooperated with its European counterparts to assess the lawfulness of the conditions under which the data collected through this service is transferred to the US.
Findings of CNIL
In particular, CNIL highlighted that the transfer of personal data to the US may only take place if appropriate guarantees are provided for, and found that this was not the case with the website operator's use of Google Analytics. Specifically, CNIL outlined that although Google had adopted additional measures to regulate data transfers in the context of the Google Analytics functionality, these were not sufficient to exclude the accessibility of this data for US intelligence services. Consequently, CNIL found that the use of Google Analytics in this case implies that the data of internet users is transferred to the US in violation of Articles 44 et seq. of the GDPR.
In view of the above findings, CNIL ordered the website operator to bring its processing into compliance with the GDPR, if necessary by ceasing to use Google Analytics (under the current conditions) or by using a tool that does not involve a transfer of personal data outside the EU. Furthermore, CNIL noted that the website operator has one month to comply.
In addition, CNIL highlighted that current investigations by CNIL and its EU counterparts also extend to other tools used by sites that result in the transfer of the data of EU internet users to the US, further emphasising that corrective measures in this respect may be adopted in the near future.