February 8, 2023

Volume XIII, Number 39

French CNIL Rules EU-U.S. Data Transfers Through the Use of Analytics Cookie to be Unlawful

On February 10, 2022, the French Data Protection Authority (the “CNIL”) ruled the transfer of EU personal data from the EU to the U.S. through the use of the Google Analytics cookie to be unlawful. In its decision, the CNIL held that an organization using Google Analytics was in violation of the GDPR’s data transfer requirements. The CNIL ordered the organization to comply with the GDPR, and to stop using Google Analytics, if necessary.

Background

On August 17, 2020, the non-governmental organization None of Your Business (“NOYB”) filed 101 identical complaints with 30 European Economic Area data protection authorities regarding the use of Google Analytics and Facebook Connect by various companies. The complaints concerned whether the transfer of EU personal data to Google and Facebook in the U.S. through the use of cookies is permitted following the Schrems II judgment of the Court of Justice of the European Union. The European Data Protection Board subsequently created a taskforce to coordinate the response to the complaints filed by NOYB.

The CNIL’s order is the second decision issued in response to NOYB’s complaints; the Austrian DPA reached a similar decision in January 2022. Because the CNIL made its ruling in cooperation with other EU supervisory authorities, similar decisions are expected by DPAs in other EU Member States.

CNIL’s Order

The CNIL investigated the transfer of EU personal data to the U.S. through the use of Google Analytics cookies, with a focus on the risks to data subjects related to such transfers in light of the Schrems II judgment.

Post-Schrems II, in the absence of an adequacy decision for the U.S., appropriate safeguards must be implemented to protect EU personal data transferred to U.S. recipients. The CNIL held that the organization at issue did not comply with this obligation, finding the additional safeguards adopted by Google to be insufficient to protect EU personal data from access by U.S. intelligence services.

The CNIL accordingly ordered the organization to bring its data processing activities into compliance with the GDPR within one month and, if necessary, to stop using Google Analytics and instead use an alternative analytics tool that does not involve the transfer of EU personal data to a non-adequate country.

In its statement, the CNIL also recommended using website audience measurement and analytics services that produce anonymous statistical data, to avoid data transfers in violation of the GDPR.

According to the CNIL, other organizations using Google Analytics have received similar orders, and the CNIL may issue decisions against companies using comparable tools that result in the transfer of EU personal data to the U.S.

Read the CNIL’s press release.

Copyright © 2023, Hunton Andrews Kurth LLP. All Rights Reserved.

National Law Review, Volume XII, Number 41

About this Author

In today’s digital economy, companies face unprecedented challenges in managing privacy and cybersecurity risks associated with the collection, use and disclosure of personal information about their customers and employees. The complex framework of global legal requirements impacting the collection, use and disclosure of personal information makes it imperative that modern businesses have a sophisticated understanding of the issues if they want to effectively compete in today’s economy.

Hunton Andrews Kurth LLP’s privacy and cybersecurity practice helps companies manage data and...
