After the Austrian data protection authority dsb concluded at the end of last year that the use of Google Analytics is illegal, the French data protection authority CNIL has now come to the same conclusion.

Numerous proceedings against the use of Google Analytics

On 21 December 2021, the Austrian data protection authority (dsb) came to the conclusion in a relatively comprehensive partial decision that the use of Google Analytics on websites with European visitors was impermissible (see also the article by Erik Petersen “Einsatz von Google Analytics datenschutzrechtswidrig! – What follows from the decision of the Austrian data protection authority? And what not?). The use of Google Analytics on European websites is currently the subject of various proceedings in different countries. All of the 101 proceedings were initiated by Max Schrems’ NGO None Of Your Business (NOYB). On 10 February 2022, the French data protection authority CNIL (Commission Nationale de l’Informatique et des Libertés) also came to the conclusion that the use of Google Analytics is not compatible with the GDPR.

Google Analytics is a tracking tool used to analyse website traffic. Each visitor to the website is given an identifier, which represents a personal data. The problem is that Google can use it to create a comprehensive user profile of visitors to a website. The personal data collected in this way is then transmitted to the USA and stored on Google servers

Transfer of personal data to the USA

In its decision, the CNIL states that due to the repeal of the US Privacy Shield in the Schrems-II ruling by the European Court of Justice (cf. ECJ ruling of 16.06.2020, C-311/18), there is no longer an adequate level of data protection for the transfer of data to the USA and measures must therefore be taken pursuant to Art. 46 et seq. GDPR must be taken. Thus, standard contractual clauses (so-called SCC, for more information see: New standard data protection clauses adopted by the EU Commission) were agreed with Google. However, the CNIL recalled in its ruling that according to the Schrems II case law, SCC as a contractual measure cannot bind third parties and thus in particular US authorities and therefore does not necessarily guarantee an adequate level of data protection as a sole measure (see C-311/18, n 126).

The additional measures that Google had taken in accordance with the recommendations of the European Data Protection Committee (EDSA) were also not sufficient to exclude access to personal data by US intelligence services. CNIL also found the optional technical measure highlighted by Google, which consists of anonymising IP addresses (so-called IP masking), to be insufficient. On the one hand, this function was optional and not applicable to all transmissions. Secondly, Google had not been able to explain whether this anonymisation takes place before the transmission or whether the IP address is always transmitted in its entirety to the USA and only shortened in a second step.

Since, according to the CNIL, there are consequently no suitable guarantees for an adequate level of data protection under Art. 46 GDPR, the transfer of data to the USA would only be possible if the grounds for exemption under Art. 49 GDPR were met. Here, the respondent claimed that the data transfer was based on explicit consent pursuant to Art. 49 No. 1 (1) (a) GDPR. However, the CNIL clearly stated that the data subject’s consent in principle to the tracking on the website could not be equated with explicit consent “after having been informed of the potential risks to him or her of such data transfers without the existence of an adequacy decision and without appropriate safeguards”. However, the respondent could not provide this evidence.

Conclusion

The CNIL therefore concludes that there is a risk for the data subjects.

The CNIL therefore recommends using tools for measurements and analyses that generate or collect anonymous statistical data. This can also circumvent the consent requirement for tracking, provided that no data transfer to third countries takes place.

This decision raises eyebrows in two respects; on the one hand, together with the decision of the dsb, this is already the second decision that follows an absolute approach for the assessment of the lawful data transfer to third countries according to Art. 44 et seq. of the Code of Obligations. In both rulings, the probability of access by a US authority was therefore not examined. This absolute approach could still be recognised in the Schrems II ruling. However, it contradicts the risk-based approach stipulated by the EDSA in its guidelines as well as by the EU Commission in the new standard contractual clauses, according to which the probability of access by the authorities must be taken into account.

On the other hand, this once again makes it clear that explicit consent pursuant to Article 49 (1) (1) (a) GDPR may not be assumed lightly. This is because it requires the explicit indication of existing possible risks of such data transfers, in particular that there is no adequate level of data protection and that data subjects’ rights may not be enforced.