July 4, 2022

Volume XII, Number 185

Advertisement
Advertisement

CNIL Recommends Using US Analytics Tools Only for Anonymous Statistical Data

Following a similar case from Austria, the French data protection authority recently concluded that certain use of cookies placed by US data analytics tools violated GDPR. The case came before the CNIL as the result of a complaint filed by “None of Your Business,” the non-governmental organization created by Max Schrems.

The complaint argued, and the CNIL agreed, that because of the way Google Analytics was implemented, there were not sufficient supplemental protection measures in place when transferring personal data to the US. Although Google had adopted additional measures, the CNIL concluded these measures could not prevent US intelligence services from accessing the personal data and are therefore insufficient. The website operator in question has one month to comply. Supplemental measures may be needed if a company is relying on standard contractual clauses as a basis for transferring personal data to the US. The EDPB has provided direction on what those measures might look like.

Following the earlier Austrian decision, Google indicated that to address the EDPB’s direction on “supplemental security measures” it had several security features that companies could put in place when configuring Google Analytics. They also disagreed with the EU DPAs conclusions that US law enforcement would likely gain access to EU individuals’ information. This French decision suggests that other EU DPAs may also disagree with Google’s current position.

Putting It Into Practice: The CNIL recommends that companies use Google Analytics with anonymous data, thus avoiding the transfer of personal information to the US (and taking the activity outside the scope of GDPR). CNIL has also indicated that it will be providing more direction on how to use these tools when transferring personal data to the US and directed companies to its September 2021 recommendations regarding use of cookies. We will continue to monitor developments here.

Copyright © 2022, Sheppard Mullin Richter & Hampton LLP.National Law Review, Volume XII, Number 53
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement

About this Author

Liisa Thomas, Sheppard Mullin Law Firm, Chicago, Cybersecurity Law Attorney
Partner

Liisa Thomas, a partner based in the firm’s Chicago and London offices, is Co-Chair of the Privacy and Cybersecurity Practice. Her clients rely on her ability to create clarity in a sea of confusing legal requirements and describe her as “extremely responsive, while providing thoughtful legal analysis combined with real world practical advice.” Liisa is the author of the definitive treatise on data breach, Thomas on Data Breach: A Practical Guide to Handling Worldwide Data Breach Notification, which has been described as “a no-nonsense roadmap for in-house and...

312-499-6335

Julia Kadish is an attorney in the Intellectual Property Practice Group in the firm's Chicago office.

Areas of Practice

Julia's practice focuses on data breach response and preparedness, reviewing clients' products and services for privacy implications, drafting online terms and conditions and privacy policies, and advising clients on cross-border data transfers and compliance with US and international privacy regulations and standards. She also workes on drafting and negotiating software licenses, data security exhibits, big data licenses, professional...

312.499.6334
Advertisement
Advertisement
Advertisement