The CNIL has issued formal notices to organizations regarding the use of Google Analytics and the transfer of data to the United States without sufficient guarantees for European users’ rights. The organizations have one month to comply with the notices. The CNIL’s decision is in line with the “Schrems II” ruling and is shared at the European level. Google Analytics does not provide sufficient protection for the data of European Internet users, and organizations should consider alternative solutions. Encryption alone is not considered a sufficient additional safeguard. The explicit consent of individuals can be used as a derogation, but it cannot be a long-term solution. The CNIL has published a list of audience measurement tools that can be exempted from consent when properly configured. Organizations should assess the legal framework of third countries for data transfers and consider additional technical measures to prevent unauthorized access to personal data.
| Signal | Change | 10y horizon | Driving force |
|---|---|---|---|
| CNIL orders compliance with Google Analytics use | Data transfer safeguards | Increased data protection measures | Concerns about access to personal data |
| Privacy Shield invalidated, additional safeguards required | Data transfers from EU to US | Stricter regulations and enforcement | Protection of European residents’ data |
| European Commission and US government’s future decision | Data flows to US | Potential legal framework for data transfers | Harmonization of decisions and legal certainty |
| CNIL’s anonymized publication of order to comply | Anonymized organization | Data controllers advised to comply | Widely used tool, unnecessary to name specific organizations |
| CNIL’s deadline for compliance and justification | Compliance with CNIL’s order | Compliance with GDPR regulations | CNIL’s authority and enforcement |
| European authorities’ working group on Google Analytics transfers | Legal issues and coordination | Harmonized decisions and legal certainty | Coordination and cooperation among European authorities |
| Google’s insufficiency in protecting European users’ data | Insufficient safeguards by Google | Need for providers with better compliance guarantees | Inadequate measures by Google |
| Limitations of standard contractual clauses with Google | Insufficient protection in data transfers | Need for additional safeguards and protection | Inadequate level of protection in transfers |
| Inability to set Google Analytics to not transfer data | Inability to prevent data transfer | Difficulties in accessing and protecting data | Access to data by third country authorities |
| Difference between anonymization and pseudonymization | Data processing and identification techniques | Anonymization offers higher level of protection | Protection of personal data and privacy |
| Encryption as additional safeguard for data transfers | Encryption as protection measure | Conditions for encryption to be effective | Control of encryption keys and access to data |
| Inadequate additional safeguards for Google Analytics use | Insufficient safeguards against access by US authorities | Need for additional measures to protect data | US authorities’ access to personal data |
| Limitations of explicit consent for data transfers | Consent as derogation in specific cases | Cannot be a long-term solution | Limited use of consent for transfers |
| Alternative audience measurement tools | Exempted tools with proper configuration | List of tools that do not require consent | Compliance with French data protection law |
| Assessing legal framework of third countries for data transfers | Legal framework of third countries | Consideration of data protection standards | Protection of data in third countries |
| Inability to adopt a risk-based approach for data transfers | Requirement of substantial equivalent data protection | Additional technical measures needed to prevent access | Protection of fundamental rights and freedoms |