Google Analytics declared illegal in France
'Big Tech' and business competitiveness at risk in the EU
On 10 February 2022, the French supervisory authority (the CNIL) published a statement in relation to a decision considering that the transfers to the US of personal data collected through Google Analytics are illegal, in light of the 'Schrems II' decision rendered by the Court of Justice of the European Union (CJEU) on 16 July 2020 (Data Protection Commissioner v Facebook Ireland and Maximillian Schrems, Case C-311/18).
The French regulator is the second European supervisory authority to reach this conclusion. Indeed, on 13 January 2022, the Austrian regulator ruled that the use of Google Analytics breaches the GDPR. Statements from the Danish, Norwegian and Dutch supervisory authorities indicate that other European regulators are likely to take a similar view.
In 2020, the noyb association (founded by Mr. Schrems) filed complaints in all 30 of the European Economic Area (EEA) States against 101 European companies that continued to use Google Analytics or Facebook Connect, alleging that the data transfers to the US entailed by the use of such tools were illegal, pursuant to the 'Schrems II' decision.
In response, the European Data Protection Board (EDPB) established a task force and jointly considered how to address these 101 cases.
In this context, the CNIL conducted an investigation on one of the 101 complaints, in connection with the transfer to the US of data collected while browsing a website using Google Analytics.
The CNIL considered that transfers to the US (i) are currently not sufficiently framed, and, in the absence of an EU-US adequacy decision, (ii) could only take place provided that 'appropriate supplementary measures' are in place.
However, in the case at hand, the CNIL held that 'supplementary measures' implemented by Google to frame Google Analytics transfers were not sufficient to exclude the risk of data access by US surveillance agencies.
Therefore, the CNIL ruled that the data of Internet users were transferred to the US in violation of GDPR provisions on international data transfers (Articles 44 et seq. GDPR).
As a consequence, the CNIL issued a formal notice against the relevant website operator which uses Google Analytics, urging it to comply with the GDPR within one month, if necessary by ceasing to use Google Analytics or by using a tool that does not entail transfers of data outside the European Union.
Additionally, the CNIL specified that it has issued orders to comply to other website operators using Google Analytics.
The CNIL also warned that investigations are being carried out into other tools that are used by websites and give rise to the transfer of European users' data to the US.
As it stands, the future of Google Analytics in the EU is quite compromised. Certain workaround options could be explored but they do not seem to be sufficient. These include:
- IP anonymization. Google Analytics includes a feature allowing for 'anonymisation' of the user's IP address by deleting several of its digits. However, the Austrian regulator considered that activating this feature would not remove all personal data, so the GDPR would still apply.
- User consent. Data transfers to non-EEA countries can be carried out on the basis of the individual's explicit consent and in such context, the restrictions provided for in the 'Schrems II' decision do not apply. However, as per the GDPR and EDPB guidelines, explicit consent could be used in exceptional cases only, not as a rule for repetitive and structural transfers. Hence, it is quite unlikely that this approach would be endorsed by supervisory authorities.
The 'Schrems II' decision and its strict application / over-interpretation by regulators pose a serious threat to the sustainability of 'Big Tech' tools in the EU. If international data transfers are banned in practice (which is not what 'Schrems II' provides), a significant number of widely used tools are at risk. This is not only a concern for tech providers – it also compromises the competitiveness of EU companies which rely on powerful IT solutions to run their businesses efficiently.
Since the Schrems II ruling, transfers of personal data to countries located outside the European Economic Area that do not offer a protection equivalent to that of the European Union (such as the US) are highly restricted: any contemplated transfer has to be assessed on a case-by-case basis to determine whether the personal data at stake are actually protected in compliance with the GDPR in the relevant non-EEA country. In particular, the CJEU pointed out the risks associated with US surveillance programs enabling US agencies to access transferred data. According to the CJEU, if the conclusion of this assessment is that the level of protection is insufficient, the data exporter (in the EU) would have to adopt (if possible) 'appropriate supplementary measures' should it wish to proceed with the transfer.
An adequacy decision is a decision pursuant to which the European Commission considers that a non-EEA country provides a level of data protection equivalent to that of the EU.