CNIL (France) - Google Analytics (no case number)
|Relevant Law:||Article 4(7) GDPR; Article 4(22) GDPR; Article 4(23)(b) GDPR; Article 44 GDPR; Article 45 GDPR|
|National Case Number/Name:||Google Analytics (no case number)|
|European Case Law Identifier:||n/a|
|Original Source:||CNIL (in FR)|
|Initial Contributor:||Frederick Antonovics|
The French DPA held that the respondent, a French online retail company, violated Chapter V of the GDPR by using Google Analytics, which led to unlawful transfers of personal data to Google LLC in the U.S.
English Summary
Facts
The respondent is an online retail company. The complainant is an individual represented by noyb - European Centre for Digital Rights.
In August 2020, the French DPA (CNIL) received a complaint regarding the transfer of personal data of the complainant to the US, collected during their visit to the respondent's website. This complaint was one of 101 filed by noyb against controllers that allegedly transfer personal data to the US without respecting the requirements set out by the CJEU in C-311/18. As such, the DPA opened an investigation into the company's processing activities.
First, the CNIL sent a questionnaire and a request for additional information to the respondent, both concerning the transfer of data from visitors to the French version of the respondent's website which integrates the Google Analytics functionality. The respondent replied that the statistics obtained via this service concerned people in several Member States, with the effect that this processing was of a cross-border nature (Article 4(23)(b) GDPR). The CNIL nonetheless remained the lead supervisory authority as the company's main establishment was in France.
Interestingly, after the CNIL submitted a draft decision to the authorities concerned (Article 60 GDPR), none of these submitted any reasoned objections. This may signal that future similar cases will have the same outcome.
Holding
Processing operation and Controllership
The CNIL first considered what the processing operation consisted of and who the controller was.
The processing operation consisted of the integration of the Google Analytics functionality on the company's website for the purpose of measuring the audience and performance of its media campaigns. This service allowed for the tracking of users by associating their unique identifier with data from a session launched from their devices. When this information is collected, it is transmitted to Google Analytics servers hosted in the US.
The respondent was found to be a controller within the meaning of Article 4(7) GDPR for this processing because it determined the means and purposes of the collection and processing of the data obtained through the integration of Google Analytics on its website.
Personal Data
The CNIL then assessed whether the data collected within the Google Analytics framework constituted personal data.
It cited Recital 30 GDPR to establish that online identifiers (e.g. IP addresses, information stored in cookies) can be used as a means to identify a user, especially when combined with other similar types of information, and that it is the responsibility of controllers to prove that these identifiers are anonymous. It therefore examined to what extent the implementation of Google Analytics on the respondent's website allowed it to make visitors identifiable.
The respondent argued that the personal data processed consisted of: visitors' Google Analytics "client ID"; an internal identifier (if they had a user account); order identifiers; and IP addresses. It claimed that IP addresses were anonymised, but provided no information as to the process underlying this.
The CNIL held that the combination of the Client ID with several elements (e.g. address of the site visited, metadata about the browser and operating system, time of visit, IP address) made the website's visitors identifiable. It highlighted that any other interpretation would narrow the scope of Article 8 Charter of Fundamental Rights of the European Union, lower the protection afforded to individuals, and go against the jurisprudence of the CJEU (e.g. C-439/19). Thus, the data described above was found to be personal data per Article 4 GDPR.
Unlawful Data Transfers
The CNIL then assessed whether the transfers of the data to the US complied with Article 44 GDPR. It considered whether the respondent could rely on any transfer mechanisms under Chapter V of the GDPR and held:
- The respondent could not rely on an adequacy decision following C-311/18.
- The SCCs concluded between the respondent and Google LLC do not offer an adequate level of protection, because:
  - Google LLC qualifies as an "electronic communication service provider" under 50 U.S. Code § 1881(b)(4) and is subject to surveillance by US intelligence services, and
  - any contractual, organisational and technical measures which Google put into place to complement the SCCs were insufficient as they could not prevent US intelligence services from accessing the data subject's personal data.
    - Notably, the CNIL rejected Google's argument that any Google Analytics data were pseudonymised, highlighting that Universal Unique Identifiers do not meet the definition of pseudonymisation under Article 4(5) GDPR, as their sole purpose is to identify users.
- The respondent could not rely on other transfer mechanisms under Chapter V of the GDPR.
As such, the French DPA held that the respondent failed to provide an adequate level of protection within the meaning of Articles 44 et seq. GDPR and gave it one month to bring its processing into compliance with the GDPR, "if necessary by ceasing to process personal data under the current version of Google Analytics."
Comment
This is the second decision that confirms the use of (the current version of) Google Analytics is unlawful under the GDPR.
See here for a summary of a similar decision by the Austrian DPA.
See here and here for statements published by noyb on the French and Austrian decisions respectively.
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.