CNIL (France) - Google Analytics (no case number)
CNIL (France) - Google Analytics (no case number) | |
---|---|
Authority: | CNIL (France) |
Jurisdiction: | France |
Relevant Law: | Article 4(7) GDPR, Article 4(22) GDPR, Article 4(23)(b) GDPR, Article 44 GDPR, Article 45 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | 19.08.2020 |
Decided: | 10.02.2022 |
Published: | |
Fine: | None |
Parties: | noyb, Google Analytics |
National Case Number/Name: | Google Analytics (no case number) |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | French |
Original Source: | CNIL (in FR) |
Initial Contributor: | Frederick Antonovics |
The French DPA held that a French online retailer violated Chapter V of the GDPR by using Google Analytics, which led to unlawful transfers of personal data to Google LLC in the U.S.
English Summary
Facts
The respondent is an online retail company. The complainant is an individual represented by noyb - European Centre for Digital Rights.
In August 2020, the French DPA (CNIL) received a complaint regarding the transfer of personal data of the complainant to the US, collected during their visit to the respondent's website. This complaint was one of 101 filed by noyb against controllers that allegedly transfer personal data to the US without respecting the requirements set out by the CJEU in C-311/18. As such, the DPA opened an investigation into the company's processing activities.
First, the CNIL sent a questionnaire and a request for additional information to the company, both concerning the transfer of data from visitors to the French version of the respondent's website which integrates the Google Analytics functionality. The company replied that the statistics obtained via this service concerned people in several Member States, with the effect that this processing was of a cross-border nature (Article 4(23)(b) GDPR). The CNIL nonetheless remained the lead supervisory authority as the company's main establishment was in France.
Interestingly, after the CNIL submitted a draft decision to the authorities concerned (Article 60 GDPR), none of these submitted any reasoned objections. This may signal that future similar cases will have the same outcome.
Holding
Processing operation and Controllership
The CNIL first considered what the processing operation consisted of and who the responsible party was.
The processing operation consisted of the integration of the Google Analytics functionality on the company's website for the purpose of measuring the audience and performance of its media campaigns. This service allowed for the tracking of users by associating their unique identifier with data from a session launched from their devices. When this information is collected, it is transmitted to Google Analytics servers hosted in the US.
The company was found to be a controller within the meaning of Article 4(7) GDPR for this processing because it determined the means and purposes of the collection and processing of the data obtained through the integration of Google Analytics on its website.
Personal Data
The CNIL then assessed whether the data collected within the Google Analytics framework constituted personal data.
It cited Recital 30 GDPR to establish that online identifiers (e.g. IP addresses, information stored in cookies) can be used as a means to identify a user, especially when combined with other similar types of information, and that it is the responsibility of controllers to prove that these identifiers are anonymous. It therefore examined to what extent the implementation of Google Analytics on the defendant's website allowed it to make visitors identifiable.
The company argued that the personal data processed consisted of: visitors' Google Analytics "client ID"; an internal identifier (if they had a user account); order identifiers; and IP addresses. It claimed that IP addresses were anonymised, but provided no information as to the process underlying this.
The CNIL held that the combination of the Client ID with several elements (e.g. address of the site visited, metadata about the browser and operating system, time of visit, IP address) made the website's visitors identifiable. It highlighted that any other interpretation would narrow the scope of Article 8 Charter of Fundamental Rights of the European Union, lower the protection afforded to individuals, and go against the jurisprudence of the CJEU (e.g. C-439/19). Thus, the data described above was found to be personal data per Article 4 GDPR.
Unlawful Data Transfers
The CNIL then assessed whether the transfers of the data to the US comply with Article 44 GDPR. It considered whether the online retailer could rely on any transfer mechanisms under Chapter V of the GDPR and held:
- The respondent could not rely on an adequacy decision following C-311/18.
- The SCCs concluded between the retailer and Google LLC do not offer an adequate level of protection, because:
  - Google LLC qualifies as an "electronic communication service provider" under 50 U.S. Code § 1881(b)(4) and is subject to surveillance by US intelligence services, and
  - any contractual, organisational and technical measures which Google put into place to complement the SCCs were insufficient as they could not prevent US intelligence services from accessing the data subject's personal data.
  - Notably, the CNIL rejected Google's argument that any Google Analytics data were pseudonymised, highlighting that Universal Unique Identifiers do not meet the definition of pseudonymisation under Article 4(5) GDPR, as their sole purpose is to identify users.
- The respondent could not rely on other transfer mechanisms under Chapter V of the GDPR.
As such, the French DPA held that the online retailer failed to provide an adequate level of protection within the meaning of Articles 44 et seq. GDPR and gave it one month to bring its processing into compliance with the GDPR, "if necessary by ceasing to process personal data under the current version of Google Analytics."
Comment
This is the second decision that confirms the use of (the current version of) Google Analytics is unlawful under the GDPR.
See here for a summary of a similar decision by the Austrian DPA.
See here and here for statements published by noyb on the French and Austrian decisions respectively.
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
Decision No […] of […] giving formal notice […] (No […])
The President of the National Commission for Computing and Liberties,
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 relating to the protection of personal data and the free movement of such data, in particular Articles 56 and 60;
Having regard to law n° 78-17 of January 6, 1978 as amended relating to data processing, files and freedoms, in particular its article 20;
Considering the decree n° 2019-536 of May 29, 2019 taken for the application of the law n° 78-17 of January 6, 1978 relating to data processing, files and freedoms;
Having regard to deliberation no. 2013-175 of July 4, 2013 adopting the internal regulations of the National Commission for Computing and Liberties;
Having regard to the decision […] of the President of the National Commission for Computing and Liberties to instruct the Secretary General to carry out or have carried out a verification mission of any processing accessible from the "[...]" domain or relating to personal data collected from it;
Having regard to referral No. …;
Having regard to the other documents in the file;
I. The procedure
The company […] (hereinafter “the company” or “[…]”), whose registered office is located […], was created in […] and has a distance selling business. The National Commission for Computing and Liberties (hereinafter “CNIL”) was seized, on August 19, 2020, of a complaint (no. …) relating to the transfer of personal data of the complainant, represented by the association NOYB - European Center for Digital Rights, to the United States of America, collected during his visit to the website […]. 101 complaints have also been filed by NOYB in the 27 Member States of the European Union and the three other States of the European Economic Area (EEA) against 101 controllers who would transfer personal data to the United States.
Pursuant to the decision […] of the President of the CNIL, a delegation from the CNIL carried out a control mission on documents by sending the company […] a questionnaire […] and a request for additional information […]. The company responded by letter […]. Those questionnaires related to the transfer of data from visitors to the French version of the website […] which integrates the Google Analytics functionality. On […], the company informed the CNIL that it had made the decision to integrate the Google Analytics functionality on its website […] and that the statistics obtained via Google Analytics concerned persons in several Member States of the European Union. resulting from the integration of the Google Analytics functionality on its website therefore appears cross-border within the meaning of Article 4.23.b) of the GDPR. […] In accordance with Article 56 of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 (hereinafter “GDPR” or “the Regulation”), the CNIL informed, […] all European supervisory authorities without competence to act as a supervisory authority leader concerning this cross-border processing implemented by the company, competence drawn by the CNIL from the fact that the main establishment of the company is in France. […] authorities are considered to be concerned within the meaning of Article 4, point 22 of the GDPR: authorities […].
On 4 January 2022, under the cooperation procedure, a draft decision was submitted to the authorities concerned on the basis of Article 60 of the GDPR. This project did not give rise to relevant and reasoned objections.
II. On the processing in question and the responsibility for processing
It appears from the responses of […] transmitted to the delegation of control that the company has integrated the Google Analytics functionality on the website […] for the purposes of audience measurement and performance of the company's media campaigns. The company clarified that Google Analytics allowed in particular, when the user had not refused its use, to carry out an individual follow-up. Indeed, by associating the unique identifier of a user with this user's data from one or more sessions launched from one or more devices, Google Analytics provides a more accurate user count (by identifying a user as a separate user, even in a different session). […] Google Analytics works by including a block of JavaScript code on the pages of a website. When the user of a site visits a page, this JavaScript code causes the loading of a JavaScript file and then performs the tracking operation for Google Analytics. The follow-up operation consists of retrieving data relating to the request through different means and sending this information to Google Analytics servers. Website managers who integrate the Google Analytics functionality can transmit instructions to Google for the processing of data collected via Google Analytics. These instructions are transmitted in particular through the tag management tool that they have integrated into their site and through the configuration of the tool. In fact, the site manager can choose different parameters in order to set, for example, the retention period of data.
The Google Analytics feature also allows site managers to monitor and maintain the stability of their site, for example by being informed of certain events such as a peak in attendance or, on the contrary, the fact that there is no traffic at all. Google Analytics also allows site managers to evaluate and optimize the effectiveness of advertising campaigns conducted using other Google tools. In this context, Google Analytics collects, among other things, the http request of the user, information about their browser and operating system. […] an http request, for any page, contained details of the browser and terminal making the request, such as the domain name and browser information such as its type, its referent (“referer”) and its language. Google Analytics places and reads cookies on the browser of the user to allow evaluation of the user's session and other information of the page request. When this information is collected, it is transmitted to Google Analytics servers. […] all of the data collected via Google Analytics was hosted in the United States. Thus, data collected on the website […] via Google Analytics is transferred to the United States. Regarding these transfers, it appears from the documents in the file that the contract between […] concerning the Google Analytics functionality refers to an appendix entitled "Google Ads Data Processing Terms”. This appendix contains standard contractual clauses intended to provide a framework for the transfer to the United States of America of personal data in the context of the Google Analytics functionality. The company indicated that it does not have in its possession elements leading to the conclusion that these clauses had not been complied with. […] additional legal, organizational and technical measures to regulate data transfers as part of the Google Analytics functionality are implemented.
It emerges from all of these elements that the company managing the website […], in deciding to implement the Google Analytics functionality on this site for evaluation and optimization purposes, determined the means and purposes of the collection and processing of data collected as part of the integration of Google Analytics on its website and must be considered as data controller within the meaning of article 4.7 of the GDPR.
III. On the qualification of personal data
It should be established that the data collected as part of the Google Analytics functionality and transferred to the United States of America constitute personal data. Article 4.1 of the GDPR defines personal data as "any information relating to an identified or identifiable natural person (hereinafter referred to as "person concerned”); is deemed to be an "identifiable natural person" a natural person who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, identification number, location data, online identifier, or to one or more specific elements specific to its physical, physiological, genetic, psychic, economic, cultural or social”. It should be noted that online identifiers, such as IP addresses or information stored in cookies can be used as a means to identify a user, especially when combined with other similar types of information. This is illustrated by recital 30 of the GDPR which provides that an online identifier associated with a physical person, such as an IP address or a cookie, can “leave traces which, especially when combined with unique identifiers and other information received by the servers, can be used to create profiles of natural persons and to identify these persons”.
In the event that the data controller claims not to have the capacity to identify the user through the use of this type of identifier (alone or combined with other data), he should demonstrate the means implemented to ensure the anonymous nature of the identifiers collected. In the absence of such a demonstration, these identifiers can be qualified as anonymous. Therefore, it is worth examining to what extent the implementation of Google Analytics on a website allows the operator of the website […] to make a person concerned (a visitor to the website in question) identifiable. In its response, […] argues that the following categories of personal data are processed as part of the Google Analytics functionality:
- a visitor ID (ID of the Google Analytics visitor cookie, i.e. the Google Analytics “customer ID”);
- for visitors who have authenticated to the website through a user account, an internal identifier […];
- the order identifiers, if applicable;
- IP addresses.
The company claims that IP addresses are "anonymized", without specifying what process is applied to make these addresses anonymous. The company, however, qualifies this data as personal data. With regard to visitor identifiers, it should be noted that these are unique identifiers, which have the purpose of differentiating individuals. In this case, these identifiers can also be combined with other information, such as the address of the site visited, the browser and operating system metadata, time and data relating to the visit to the website as well as the IP address. This combination strengthens their discriminating character. This is why several elements, when they are cross-checked, can make it possible to individualize visitors to the website […], on which Google Analytics is implemented. It is not necessary to know the name or postal address of the visitor since, in accordance with recital 26 of the GDPR, such individualization of persons may be sufficient to make them identifiable.
Should it be decided otherwise, the scope of the right to data protection, guaranteed by Article 8 of the Charter of Fundamental Rights, would be diminished. Indeed, this would allow companies to identify individuals and associate personal information with them (such as their visit to a specific website) without affording individuals protection against this individualization. Such an assessment, which would reduce the level of protection of individuals, would also be contrary to the case law of the Court of Justice of the European Union which has repeatedly ruled that the scope of the GDPR has a very broad definition (see, for example, C‑439/19, paragraph 61). The CNIL also notes that for users of the website […] who have identified themselves through a user account, or those who made an order, the data is directly linked to identifying data. In addition, […] in the context of the use of Google Analytics, and under certain conditions setting up the Google account, Google is informed that a user connected to his Google account visited a specific site. Personal data relating to this account are therefore collected. Therefore, it must be considered that the data in question must be considered as personal data within the meaning of Article 4 of the GDPR.
IV. On the breach of the obligation to regulate the transfer of personal data outside the European Union
Article 44 of the GDPR provides: “A transfer, to a third country or to an international organization, of personal data which are or are intended to be the subject of a processing after such transfer may only take place if, subject to the other provisions of this regulation, the conditions defined in this chapter are complied with by the controller and processor, including for subsequent transfers of data of a personal nature from the third country or international organization to another third country or another international organization.
All provisions of this chapter are applied in such a way that the level of protection of natural persons guaranteed by this Regulation is not compromised.” Chapter V of the Regulation provides for various instruments to ensure a level of protection substantially equivalent to that guaranteed within the European Union, pursuant to Article 44 of this text:
- adequacy decisions (Article 45);
- the appropriate guarantees (Article 46);
In the absence of an equivalent level of protection, it establishes derogations for particular situations (section 49). In the present case, it must be examined whether the data transfers in question to the United States of America comply with Article 44 of the Regulations and, in particular, if these transfers are based on one of the aforementioned instruments and whether appropriate measures have been adopted.
4.1 Suitability decisions
In the judgment of July 16, 2020 (C-311/18), the Court of Justice of the European Union invalidated Commission Implementing Decision (EU) 2016/1250 of 12 July 2016, in accordance with Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the European Union-United States Privacy Shield, without maintaining its effects. In the absence of another relevant adequacy decision, the transfers in question cannot be based on Article 45 of the GDPR.
4.2 Appropriate safeguards
Rule 46.1 of the Rules provides “In the absence of a decision under Rule 45, paragraph 3, the controller or processor may transfer data of a personal nature to a third country or to an international organization only if he has planned appropriate safeguards and on condition that the data subjects have enforceable rights and effective legal remedies.” Article 46.2 of the Regulation provides that the “appropriate safeguards referred to in paragraph 1 may be provided, without this requiring specific authorization from a regulatory authority.
control, by: […] c) standard data protection clauses adopted by the Commission in accordance with the examination procedure referred to in Article 93, paragraph 2;”.
4.2.1 Standard data protection clauses
In this case, the company and Google have entered into standard contractual clauses for the transfer of personal data to the United States (“Google Ads Data Processing Terms: Model Contract Clauses, Standard Contractual Clauses for Processors”). These clauses comply with those published by the European Commission in its decision 2010/87/EU. In this context, it should be emphasized that the standard contractual clauses are an instrument of transfer within the meaning of Chapter V of the Rules and have not been challenged as such by the Court of Justice in its judgment of July 16, 2020 (C-311/18). However, the Court has considered that it followed from the contractual nature of these clauses that they could not bind the authorities of third countries. In particular, the Court considered that: “If there are, therefore, situations in which, depending on the state of the law and the practices in force in the third country concerned, the recipient of such a transfer is able to guarantee the protection of data necessary on the basis of the standard data protection clauses alone, there are others in which the stipulations contained in these clauses may not constitute a sufficient means of ensuring, in practice, the effective protection of personal data transferred to the third country concerned. This is the case, in particular, where the law of that third country allows the public authorities of that country to interfere with the rights of data subjects relating to such data.” (C‑311/18, paragraph 126). However, it is not necessary to analyze in more detail the legal framework applicable to the United States of America insofar as the Court has already carried out such an analysis in the aforementioned judgment.
The Court found, first, that the surveillance programs at issue did not correspond to the minimum requirements attached, in Union law, to the principle of proportionality, so that it was not permissible to consider that the programs of supervision based on these provisions are limited to what is strictly necessary (point 184). On the other hand, the Court found that the legal framework in question did not confer on persons concerned rights enforceable against the US authorities in court, so that these people did not have a right to an effective remedy (paragraph 192). The analysis of the Court of Justice is relevant in this case insofar as Google LLC (as a data importer in the United States) must qualify as a provider of electronic communications within the meaning of 50 U.S. Code § 1881(b)(4) and is, therefore, subject to surveillance by US intelligence services, pursuant to 50 U.S. Code § 1881a (“FISA 702”). Google LLC therefore has an obligation to provide the U.S. government with such personal data as may be required under FISA 702. It appears from Google's transparency report that Google LLC is a regular recipient of such access requests by the intelligence services of the United States of America. Thus, on the one hand, the Court of Justice declared the decision on adequacy with the United States of America invalid, due to the access possibilities of the American intelligence services. On the other hand, standard contractual clauses cannot, on their own, ensure a sufficient level of protection as required by Article 44 of the GDPR insofar as the guarantees that they provide are left unapplied in the event of access by said intelligence services.
The Court of Justice drew the following conclusion: “It thus appears that the standard data protection clauses adopted by the Commission under Article 46, paragraph 2(c) of the same regulation are intended solely to provide those responsible for the processing or their subcontractors established in the Union with contractual guarantees applying in a uniform manner in all third countries and, therefore, independently of the level of protection guaranteed in each of them. Insofar as these standard clauses of data protection cannot, given their nature, provide guarantees that go beyond a contractual obligation to ensure that the level of protection required by the law of the Union is respected, they may require, depending on the situation prevailing in one or more such third country, the adoption of additional measures by the controller in order to ensure compliance with this level of protection.” (item 133).
4.2.2 Adoption of additional safeguards
In its recommendations 01/2020 of 18 June 2021, the EDPS clarified that when the assessment of the law or practice of the third country reveals that there are elements likely to undermine the effectiveness of the appropriate safeguards offered by the transfer instrument in question in Article 46 of the GDPR to which the exporter has recourse in the context of a particular transfer – which is the case here, following the assessment carried out by the CJEU – the exporter must suspend the transfer or put in place additional measures. The EDPS notes in this regard that “(a)ny additional measure can be deemed effective within the meaning of the judgment of the CJEU in the Schrems II case only if and insofar as it remedies – taken in isolation or in combination with others – the shortcomings identified in the assessment of the legal situation and applicable practices of the third country that the exporter has carried out.” (item 75).
Measures to complement the standard data protection clauses can be classified into three categories: contractual, organizational and technical (see, for this purpose, point 47 of recommendations 01/2020). With regard to contractual measures, the EDPS noted that such measures: “[…] can complement and reinforce the guarantees that the transfer instrument and the relevant legislation of the third country […]. Given the contractual nature of the measures, which are generally not likely to bind the authorities of the third country when they are not parties to the contract, these measures should be combined with other technical and organizational measures to provide the required level of data protection. […]” (paragraph 99). As regards the organizational measures, the EDPS considered that the “[…] selection and implementation of one or more of these measures does not guarantee necessarily and systematically that the transfer will satisfy the standard of equivalence established by Union law. Depending on the specific circumstances of the transfer and evaluation of third-country legislation, organizational measures are necessary to complete the contractual and/or technical measures in order to guarantee a level of protection of personal data essentially equivalent to that guaranteed within the EEA” (point 128). With regard to technical measures, the EDPS underlined that these “[…] measures will be particularly necessary in the event that the law of that country imposes on the data importer obligations that are contrary to the guarantees offered by the instruments of transfer referred to in Article 46 of the GDPR and which are, in particular, likely to affect the contractual guarantee of an essentially equivalent level of protection against access by the public authorities of that country to that data” (point 77).
It adds that "The measures listed [in the guidelines] aim to ensure that access by public authorities of third countries to the data transferred does not affect the effectiveness of the appropriate safeguards contained in the transfer instruments referred to in Article 46 of the GDPR. These measures are necessary to guarantee a level of protection essentially equivalent to that guaranteed within the EEA, even if access by public authorities is in accordance with the legislation of the country of the importer, when this access goes beyond what is necessary and proportionate in a democratic society. These measures are intended to prevent any potentially illicit access, by preventing the authorities from identifying the persons concerned, inferring information about them, distinguishing them in another context or associating the transferred data with other data sets that may contain, including online identifiers provided by devices, applications, tools and protocols used by data subjects in other contexts” (paragraph 79).
4.2.3 Additional measures implemented by Google
Google LLC, as the recipient of the data, has adopted contractual, organizational and technical measures to complete the standard data protection clauses. […] As prescribed by the CJEU and the EDPS, it is necessary to verify whether the supplementary measures adopted by Google LLC are effective, i.e. whether they meet the particular problem of the possibility of access by the American intelligence services to the data in question. With regard to the "legal and organizational measures" adopted, it should be noted that neither the notification of users (if this is possible), nor the publication of a report of transparency or a policy for managing government access requests (“policy on handling government requests”) actually prevents or reduces access by US intelligence services.
Moreover, it is not clear from the elements of the record to what extent the careful examination of the legality of each request to which Google LLC proceeds is an effective additional measure. Indeed, according to the CJEU, even lawful requests by U.S. intelligence services do not comply with requirements of European data protection law. With regard to the “technical measures” adopted, it should be noted that it has not been clarified, neither by Google LLC nor by the company, how the described measures – such as the protection of communications between Google services, protection of data in transit between data centers, the protection of communications between users and websites or on-site security – prevent or reduce the possibilities of access by US intelligence services based on the US legal framework. With respect to encryption techniques, such as those for stored data in data centers, mentioned in particular by Google LLC as a technical measure, it should be noted that Google LLC, as a data importer, has in all cases the obligation to grant access or to provide the imported data which are in its possession, including the encryption keys necessary to make the data intelligible (see recommendations 01/2020, point 81). In other words, as long as Google LLC has the possibility of accessing the data of natural persons in clear text, such technical measures cannot be considered effective in this case. Regarding Google LLC's argument that Google Analytics data which are transferred by the site managers are pseudonymised, it should be noted that universal unique identifiers (UUIDs) do not correspond to the definition of article 4.5 of the GDPR. Indeed, if pseudonymization can be a technique participating in the protection of privacy, unique identifiers – as noted above – have the specific purpose of individualizing users, not of serving as a guarantee.
Furthermore, it has also been pointed out above how the combination of unique identifiers with other elements (such as browser or device metadata or IP address) and the possibility of linking such information to a Google account or an account […] make it possible in any case to identify an individual.

Regarding the "optional technical measure" put forward by Google LLC, which consists of an IP address anonymization function, it should first be noted that such a measure is optional and is not applicable to all transfers. Furthermore, it does not appear from Google's response whether this anonymization takes place before the transfer or whether the whole IP address is, in any case, transmitted to the United States and shortened only at a second stage, after the transfer to the United States. Thus, from a technical point of view, there is access to the entire IP address before it is shortened.

Therefore, the additional measures adopted, as presented by Google, are not effective, as none of them solves the problems specific to the case. Indeed, none of them prevents US intelligence services from accessing the data in question or renders this access ineffective.

4.3. Exceptions provided for in Chapter V of the Regulation

Article 49 of the Regulation provides: "1. In the absence of an adequacy decision pursuant to Article 45(3) or of appropriate safeguards under Article 46, including binding corporate rules, a transfer or a set of transfers of personal data to a third country or to an international organization may take place only under one of the following conditions:

a) the data subject has given explicit consent to the proposed transfer, after having been informed of the risks that this transfer could entail for them due to the absence of an adequacy decision and appropriate safeguards;

b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the request of the data subject; […]"

The company argues that the transfer could be based on Article 49.1.a of the GDPR, indicating that the data subject can refuse to allow Google to track their visit to the website. However, a user's consent to the placement of trackers during a visit to the website cannot be considered equivalent to "explicit consent to the transfer envisaged, after having been informed of the risks that this transfer could entail for them due to the absence of an adequacy decision and appropriate safeguards" within the meaning of Article 49.1.a of the Regulation. In this regard, it may be noted that the company, far from establishing that such consent has been obtained, does not put forward any information relating to these elements that would be provided to visitors to the website.

The company also invokes Article 49.1.b of the Regulation insofar as these functionalities are necessary for the proper functioning of the website and the detection of anomalies. This argument is nevertheless not supported by any precise element and, above all, the company does not establish that there is a contractual relationship between it and all the users of its website.
Consequently, the company cannot rely on Article 49 of the Regulation as a basis for the transfers in question.

4.4. Conclusion

Therefore, it must be concluded that the company cannot rely on any of the instruments provided for in Chapter V of the Regulation to justify the transfer of personal data of visitors to its website, and in particular unique identifiers, IP addresses, browser data and metadata, to Google LLC in the United States. Thus, due to this transfer of data, the company compromises the level of protection of personal data of data subjects, as guaranteed in Article 44 of the GDPR.

Consequently, […] is given formal notice, within a period of one (1) month from the notification of this decision and subject to the measures that it may have already adopted, to:

• bring the processing relating to the Google Analytics functionality into compliance with Articles 44 et seq. of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, if necessary by ceasing to process personal data under the current version of Google Analytics;

• justify to the CNIL that the aforementioned request has been complied with, within the time limit.

At the end of this period, if [...] has complied with this formal notice, the present procedure will be considered closed and a letter will be sent to it to this effect. Conversely, if […] has not complied with this formal notice, it is reminded that a rapporteur may be appointed to ask the Restricted Committee to impose one of the sanctions provided for by article 20 of the law of January 6, 1978 as amended.

The president

Marie-Laure DENIS