The CNIL considers that the use of Google Analytics is a violation of the GDPR

Google Analytics: the decision of the French CNIL

Last month, the Austrian CNIL issued an important decision regarding the use of Google Analytics, considering breaches of the GDPR. This morning, the French authorities issued an equivalent verdict.

The NOYB association contacted the European CNIL, considering that the transfer of data to the United States via the Google Analytics tool did not comply with the GDPR. More specifically, this transfer would not respect the “Schrems II” judgment of the CJEU which invalidated the Privacy Shield, which governed the transfer of data to the United States. The decision of the French CNIL confirms these observations.

The CNIL considers these transfers to be illegal and requires a manager of the French website to comply with the GDPR and, if necessary, to no longer use this tool under current conditions.

Thunderbolt for web professionals

In 2020, the CJEU ruled that the transfer of data to the United States did not sufficiently protect European citizens. The Court had mentioned a risk of access to personal data by the American intelligence services. The CNIL notes a “lack of adequacy decision” : clearly, the United States does not guarantee the same level of confidentiality as the countries of the European Union.

The transfer of data can only take place if appropriate safeguards are provided for this flow.

It acknowledges Google’s efforts to regulate this transfer, but considers that these mechanisms do not make it possible to exclude ” the possibility of access by the American intelligence services to this data”. The French CNIL thus considers that in the context of the use of Google Analytics, personal data is transferred to the United States. “in violation of articles 44 et seq. of the GDPR”.

What responsibilities and what consequences?

Google provides a tool that sends personal data to the United States. The vast majority of websites use this tool, now considered “non-compliant” by the French CNIL. Google is therefore not responsible: it is up to the publishers of these websites to regularize their situation.

In this case, the CNIL was seized to rule on the use of Google Analytics by several identified sites. At least 3 French sites were targeted by the NOYB association, they are published by Decathlon, Auchan and Sephora. The CNIL indicates that it has sent formal notices to those responsible.

The site manager in question has one month to comply.

The web analytics tool is used by most websites, so this decision could go down the drain. Unless Google brings real solutions, facilitating a compliant use of its service?

This case is likely to cause a stir among web professionals. It recalls in any case the recent declarations of Meta, which requires a new regulatory framework to allow the transfer of data to the United States.

Leave a Comment