On 10 February 2022 the CNIL published its decision on the use of Google Analytics and data transfers to the United States in answer to several complaints from Max Schrems’ organisation, NOYB. This decision is hot on the heels of the Austrian DPA decision from early January 2022 (see our article here). The CNIL followed suit, finding that the Google Analytics unique identifier and the associated data were personal data transferred to Google LLC in the United States, and that the additional measures Google had implemented were “not sufficient to exclude the possibility of access by US intelligence services to that data” and “[t]here is therefore a risk for people using the French site using this tool and whose data is exported.”
You know what comes next: the CNIL found that the data transfer to the US infringed Article 44 of the GDPR, and the (as yet unidentified) website manager was therefore given one month to make the processing GDPR compliant, “if necessary by ceasing to use the Google Analytics feature (under current conditions) or by using a tool that does not entail a transfer outside the EU.”
The CNIL also confirmed its investigation extended to other website tools that transfer data from the EU to the US and said “corrective measures in this regard could be adopted in the near future” - so watch this space!
So what?
Although we’ve only had decisions from two DPAs so far (as well as murmurings from DPAs in Norway and Holland that they are in agreement with the decision), more are expected in the coming weeks as the various DPAs work their way through the other claims filed by NOYB. As the DPAs have been co-operating on the investigations, many expect more decisions along similar lines.
We have already commented in our Austrian DPA decision article (see here) about the potential wider implications of these decisions and whether Europe can stop its inevitable slide into data localisation (or perhaps economic “data protectionism” – it is odd how the US seems to be the myopic focus of activists like Schrems, a myopia eagerly picked up on by various regulators and politicians (both domestic and at the EP level)).
The solution, however, i.e. a Schrems-proof Privacy Shield Mk II, is above all our paygrades, and we just hope that the European Commission and the US Federal Trade Commission step up their negotiations and make progress sooner rather than later.
But what about the UK? Will Brexit, the UK Government’s data reform agenda and a new ICO at the helm mean the UK’s ICO reaches a different conclusion? Any decision would need to be viewed in light of the UK’s adequacy decision from the EU and surely if more EU Regulators follow suit it will become increasingly difficult for the UK to adopt a contrary position.
That said, we are at the start of this process so for now don’t panic! Read and understand the decisions - and how they might impact your business - and keep an eye out for the direction of travel as future decisions are published.
“The CNIL considers that these transfers are illegal and requires a manager of the French website to comply with the GDPR and, if necessary, to no longer use this tool under the current conditions.”