UPDATE: CNIL decides EU-US data transfer to Google Analytics illegal

Apr 05, 2022

UPDATE: CNIL orders three controllers to comply with GDPR after decision that using Google Analytics is illegal

Only weeks after the groundbreaking decision by the Austrian Data Protection Authority that the continuous use of Google Analytics violates the GDPR, the French Data Protection Authority (CNIL) ordered three French websites to comply with the GDPR. All these decisions are based on noyb's 101 model complaints which were filed after the Court of Justice ruling invalidating Privacy Shield. noyb expects similar decisions by the other authorities.

2020 CJEU ruling hits the real world. In July 2020, the CJEU has issued its groundbreaking "Schrems II" ruling, holding that a transfer to US providers that fall under FISA 702 and EO 12.333 violate the rules on international data transfers in the GDPR. The CJEU consequently annulled the transfer deal "Privacy Shield", after annulling the previous deal "Safe Harbor" in 2015. While this sent shock waves through the tech industry, US providers and EU data exporters have largely ignored the case. Just like Microsoft, Facebook or Amazon, Google has relied on so-called "Standard Contract Clauses" to continue data transfers and calm its European business partners.

Max Schrems, honorary chair of noyb.eu: "It's interesting to see that the different European Data Protection Authorities all come to the same conclusion: the use of Google Analytics is illegal. There is a European task force and we assume that this action is coordinated and other authorities will decide similarily."

Decision relevant for almost all EU websites. Google Analytics is the most common statistics program. While there are many alternatives that are hosted in Europe or can be self-hosted, many websites rely on Google and thereby forward their user data to the US multinational. The fact that data protection authorities may now gradually declare US services illegal, puts additional pressure on EU companies and US providers to move towards safe and legal options, like hosting outside of the US.

Long Term Solution. In the long run, there seem to be two options: Either the US adapts baseline protections for foreigners to support their tech industry, or US providers will have to host foreign data outside of the United States.

Max Schrems: "In the long run we either need proper protections in the US, or we will end up with separate products for the US and the EU. I would personally prefer better protections in the US, but this is up to the US legislator - not to anyone in Europe."