1. Formal notice issued by CNIL
The French data protection authority (CNIL) issued a formal notice on 10 February 2022 following a complaint filed by the association NOYB. The formal notice does not identify who it is directed at, but according to a statement published by NOYB, the company most likely to be affected is Decathlon France SA, Auchan E-commerce France or Sephora SAS.
2. Procedure
NOYB filed 101 complaints in all of the 27 Member States of the European Union and the three other States of the European Economic Area (EEA) against 101 controllers who were transferring personal data to the United States of America (USA).
CNIL cooperated with its European counterparts and analysed the conditions in which the data collected through the use of Google Analytics was transferred to the USA as well as the risks for data subjects (mainly as a result of the ‘Schrems II’ Court of Justice of the European Union (CJEU) case dated 16 July 2020 that invalidated the Privacy Shield).1
Regarding Google Analytics, the Austrian data protection authority had already put a company on notice on 22 December 2021 to comply with the GDPR rules within a one-month period. The European Data Protection Supervisor (EDPS) also handed down a decision following a complaint filed by members of the European Parliament about the use of Google Analytics by the European Parliament’s website (EDPS, Decision No 2020-1013, 5 January 2022).
3. Reasoning and outcome
CNIL considers that the transfer of data subjects’ data to the USA resulting from the use of Google Analytics is unlawful under articles 44 et seq. of the GDPR. This results, firstly, from the absence of an adequacy decision for the transfer of personal data to the USA and, secondly, from the insufficient guarantees provided by Google.
CNIL therefore put this company on notice to comply with these provisions within a one-month period, ‘if necessary, by ceasing to process personal data under the current version of Google Analytics’.
4. Analysis
CNIL indicates that it has initiated other formal notice procedures against website administrators who use Google Analytics.2 Data protection authorities in France and other Member States are therefore likely to pursue this line of action in the near future.
Although Google itself is advocating for an agreement between the USA and the EU for a new adequacy decision3, no solution exists yet.
At this stage, CNIL believes that the use of Google Analytics is an infringement under article 83, §5 and §6 of the GDPR, which is punishable by an administrative fine of up to 20 million euros or 4% of the company’s turnover.
CNIL generally sends a prior formal notice before sanctioning an infringing company, but it can impose an immediate sanction on a company if it wishes to. The French administrative Supreme Court (Conseil d’Etat) held in case No 433311 dated 4 November 2020 that ‘The provisions of [the French Data Protection Law (Loi Informatique et Libertés)] clearly state that the chairman of CNIL has no obligation to give a controller or its processor prior notice before the CNIL's restricted panel imposes a sanction on them.’ In the present case, we cannot rule out the possibility that CNIL would consider that controllers are aware of the recent media coverage of Google Analytics and would fine them without prior formal notice.
Therefore, unless Google offers a solution that would receive CNIL’s assent in the near future, it would be reasonable to seek an alternative solution to Google Analytics. In this regard, CNIL provides a guide on GDPR-compliant audience measurement tools and solutions on its website.
1 https://www.cnil.fr/fr/utilisation-de-google-analytics-et-transferts-de-donnees-vers-les-etats-unis-la-cnil-met-en-demeure
2 Ibid.
3 https://blog.google/around-the-globe/google-europe/its-time-for-a-new-eu-us-data-transfer-framework/