France: CNIL publishes full decision on Google Analytics ruling
The French data protection authority ('CNIL') published, on 16 February 2022, its full decision ordering an unnamed French website operator to comply with Chapter V of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), having found that the transfers of personal data to the US carried out through the use of Google Analytics breached Article 44 of the GDPR. The decision applies the Court of Justice of the European Union's ('CJEU') judgment in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('Schrems II'), and was first announced in a press release issued on 10 February 2022.
Findings of CNIL
In addition to the high-level findings presented in the press release, the decision highlights that the website operator and Google had entered into Standard Contractual Clauses ('SCCs'), and analyses the effectiveness of this safeguard for the transfer of personal data to the US by means of the use of Google Analytics.
In particular, CNIL found that Google qualifies as an 'electronic communication service provider' within the meaning of 50 U.S.C. § 1881(b)(4) and is therefore subject to surveillance orders issued to such providers under 50 U.S.C. § 1881a (Section 702 of the Foreign Intelligence Surveillance Act, 'FISA 702'). Noting further that Google's own transparency report shows that Google LLC regularly receives such access requests from US intelligence agencies, CNIL held that the SCCs cannot, in and of themselves, protect the personal data of French data subjects from access by those agencies. Accordingly, and in line with the Schrems II ruling and the European Data Protection Board's ('EDPB') Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, effective supplementary measures, which may be contractual, organisational, or technical, had to be implemented, failing which the transfers had to cease.
CNIL acknowledged that Google, as the recipient of the data, had adopted contractual, organisational, and technical measures to supplement the SCCs. However, it concluded that none of these measures was effective against access by US intelligence agencies.
With respect to the legal and organisational measures adopted by Google, CNIL found that neither the notification of users, nor the publication of a transparency report, nor a request management policy effectively prevents or reduces access by US intelligence services. CNIL likewise rejected the careful review of the lawfulness of each request as an effective supplementary measure, noting that, according to the CJEU, even requests that are lawful under US law do not meet the requirements of European data protection law.
With respect to the technical measures adopted by Google, CNIL rejected the protection of communications between Google services, the protection of data in transit between data centres, the protection of communications between users and websites, and on-site security as effective supplementary measures, since none of them prevents US intelligence access. CNIL further found that the encryption Google applies is not sufficient: as the data importer, Google is in every case obliged to grant access to, or hand over, the imported data in its possession, including the encryption keys needed to make that data intelligible. As long as Google is able to access the personal data in clear text, such technical measures cannot be considered effective. CNIL also rejected Google's argument that the Google Analytics data transferred by website operators is pseudonymised, holding that the unique identifiers assigned to visitors ('UUIDs'), whose specific purpose is to single out users rather than to serve as a protective safeguard, do not fall within the GDPR's definition of pseudonymisation. Finally, CNIL rejected the 'optional technical measure' put forward by Google, an IP address anonymisation function, as an effective supplementary measure: being optional, it does not apply to all transfers, and it was unclear whether the anonymisation takes place before or after the IP address is transferred to the US, so the full IP address may still be accessible to US intelligence agencies.
Moreover, CNIL rejected the website operator's reliance on the derogations from Chapter V of the GDPR. The website operator had argued that the transfer could be based on Article 49(1)(a) of the GDPR, which provides for a derogation based on the explicit consent of the data subject. CNIL ruled, however, that a user's consent to the deposit of trackers during a visit to the website cannot be equated with 'explicit consent to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards.'
Consequently, CNIL concluded that the website operator could rely neither on the SCCs under Article 46 nor on any derogation under Article 49 to justify the transfer of website visitors' personal data to the US, and therefore found it in breach of Article 44 of the GDPR. CNIL ordered the website operator to bring its processing into compliance with the GDPR within one month of notification of the decision, if necessary by ceasing to use Google Analytics under its current conditions or by switching to a tool that does not involve a transfer of personal data outside the EU.
The full decision is available in French only.