Google Analytics remains a hot topic for companies, but also for data protection authorities (DPAs).
With the arrival of these new decisions and the new guidelines of the CNIL, companies are finding it even more difficult to justify their use of Google Analytics and will probably soon have to face fines. In the following article, we will analyze the latest DPA decisions and summarize the key takeaways for businesses.
After the decision of the Austrian Data Protection Authority (Austrian DPA) on the use of Google Analytics, the French Data Protection Authority (CNIL or French DPA) issued a similar decision in February, followed by a more recent decision of the Italian data protection authority (Garante or Italian DPA) in June this year.
In each of the aforementioned decisions, the respective DPA considered the relevant transfer of personal data to the United States when using Google Analytics to be unlawful under Chapter Five of the General Data Protection Regulation (GDPR) based on the Schrems II judgment delivered by the Court of Justice of the European Union (CJEU) on July 16, 2020.
The CNIL also published in June FAQs on the formal notices it sent to several organizations in France asking them to bring their use of Google Analytics into compliance with the GDPR. The FAQs also set out the requirements for using the analytics tool and include the CNIL’s request to all French website operators to ensure compliance in this regard.
In their press releases on the above-mentioned decisions and in the FAQs, the CNIL and the Garante highlighted the coordination with other EU data protection authorities (DPAs) regarding their decisions, which indicates that their conclusions will probably be followed by other DPAs.
It therefore becomes clear that the decisions of the Austrian, French and Italian authorities are not isolated cases, but that the views and requirements set out by the data protection authorities are generally relevant for all website operators in the European Economic Area (EEA).
How did we come to these decisions?
All of the aforementioned DPA rulings and FAQs are based on complaints filed by Max Schrems’ non-governmental organization NOYB, which filed complaints against 101 European companies in all EEA member states in relation to their alleged transfer of personal data to Google and Facebook in violation of the GDPR and the Schrems II ruling (NOYB article).
The CNIL decision
The French decision was issued against a website operator headquartered in France that used Google Analytics in relation to individuals from multiple EU member states. With regard to the cross-border processing carried out, the CNIL determined that it was the lead supervisory authority and, as such, submitted its draft decision to the other data protection authorities concerned, which did not object.
The CNIL noted in particular that the information collected by Google Analytics from users was transmitted to Google Analytics servers hosted in the United States. The French DPA also indicated that the relevant Google Analytics contractual terms referred to the Google Ads data processing terms which incorporated standard contractual clauses (SCCs). It also acknowledged the additional legal, organizational and technical measures provided by Google regarding an international transfer of data via Google Analytics.
In its FAQs, the CNIL points out in particular that it has already given formal notice to all the French organizations against which NOYB had filed complaints. The FAQs also set out the requirements that the CNIL expects all website operators in France to follow when using Google Analytics.
The Garante’s decision
The Italian decision was made against a website operator located in Italy that used the “free version” of Google Analytics. The website operator has concluded the Google Analytics Terms of Service, as Google Standard Terms, with Google Ireland Limited. The website operator’s processing of personal data regarding the use of Google Analytics was governed by the Google Ads Data Processing Terms, which incorporated Standard Contractual Clauses (SCCs). The Italian DPA also acknowledged that Google has established additional measures for international data transfers.
The Garante pointed to the website operator’s limited knowledge and understanding of the specifics of the processing carried out by Google Analytics, in particular with regard to data transfers to third countries and the effective implementation of the additional measures by Google mentioned above.
It has also been determined that the function of Google Analytics, which allows the so-called “anonymization” of the user’s IP address by deleting various user data, is a means of improving processing efficiency.