CNIL (France) - Google Analytics (no case number)

From GDPRhub
Authority: CNIL (France)
Jurisdiction: France
Relevant Law: Article 4(7) GDPR
Article 4(22) GDPR
Article 4(23)(b) GDPR
Article 44 GDPR
Article 45 GDPR
Type: Complaint
Outcome: Upheld
Started: 19.08.2020
Decided: 10.02.2022
Fine: None
Parties: noyb
Google Analytics
National Case Number/Name: Google Analytics (no case number)
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): French
Original Source: CNIL (in FR)
Initial Contributor: Frederick Antonovics

The French DPA held that a French online respondent violated Chapter V of the GDPR by using Google Analytics, which led to unlawful transfers of personal data to Google LLC in the U.S.

English Summary


The respondent is an online retail company. The complainant is an individual represented by noyb - European Centre for Digital Rights.

In August 2020, the French DPA (CNIL) received a complaint regarding the transfer of personal data of the complainant to the US, collected during their visit to the respondent's website. This complaint was one of 101 filed by noyb against controllers that allegedly transfer personal data to the US without respecting the requirements set out by the CJEU in C-311/18. As such, the DPA opened an investigation into the company's processing activities.

First, the CNIL sent a questionnaire and a request for additional information to the respondent, both concerning the transfer of data from visitors to the French version of the respondent's website which integrates the Google Analytics functionality. The respondent replied that the statistics obtained via this service concerned people in several Member States, with the effect that this processing was of a cross-border nature (Article 4(23)(b) GDPR). The CNIL nonetheless remained the lead supervisory authority as the company's main establishment was in France.

Interestingly, after the CNIL submitted a draft decision to the authorities concerned (Article 60 GDPR), none of these submitted any reasoned objections. This may signal that future similar cases will have the same outcome.


Processing operation and Controllership

The CNIL first considered what the processing operation consisted of and who the controller was.

The processing operation consisted of the integration of the Google Analytics functionality on the company's website for the purpose of measuring the audience and performance of its media campaigns. This service allowed for the tracking of users by associating their unique identifier with data from a session launched from their devices. When this information is collected, it is transmitted to Google Analytics servers hosted in the US.

The respondent was found to be a controller within the meaning of Article 4(7) GDPR for this processing because it determined the means and purposes of the collection and processing of the data obtained through the integration of Google Analytics on its website.

Personal Data

The CNIL then assessed whether the data collected within the Google Analytics framework constituted personal data.

It cited Recital 30 GDPR to establish that online identifiers (e.g. IP addresses, information stored in cookies) can be used as a means to identify a user, especially when combined with other similar types of information, and that it is the responsibility of controllers to prove that these identifiers are anonymous. It therefore examined to what extent the implementation of Google Analytics on the respondent's website allowed it to make visitors identifiable.

The respondent argued that the personal data processed consisted of: visitors' Google Analytics "client ID"; an internal identifier (if they had a user account); order identifiers; and IP addresses. It claimed that IP addresses were anonymised, but provided no information as to the process underlying this.

The CNIL held that the combination of the Client ID with several elements (e.g. address of the site visited, metadata about the browser and operating system, time of visit, IP address) made the website's visitors identifiable. It highlighted that any other interpretation would narrow the scope of Article 8 Charter of Fundamental Rights of the European Union, lower the protection afforded to individuals, and go against the jurisprudence of the CJEU (e.g. C-439/19). Thus, the data described above was found to be personal data per Article 4 GDPR.

Unlawful Data Transfers

The CNIL then assessed whether the transfers of the data to the US complied with Article 44 GDPR. It considered whether the respondent could rely on any transfer mechanisms under Chapter V of the GDPR and held:

  • The respondent could not rely on an adequacy decision following C-311/18.
  • The SCCs concluded between the respondent and Google LLC do not offer an adequate level of protection, because:
    • Google LLC qualifies as an "electronic communication service provider" under 50 U.S. Code § 1881(b)(4) and is subject to surveillance by US intelligence services, and
    • any contractual, organisational and technical measures which Google put into place to complement the SCCs were insufficient as they could not prevent US intelligence services from accessing the data subject's personal data.
    • Notably, the CNIL rejected Google's argument that any Google Analytics data were pseudonymised, highlighting that Universal Unique Identifiers do not meet the definition of pseudonymisation under Article 4(5) GDPR, as their sole purpose is to identify users.
  • The respondent could not rely on other transfer mechanisms under Chapter V of the GDPR.

As such, the French DPA held that the respondent failed to provide an adequate level of protection within the meaning of Articles 44 et seq. GDPR and gave it one month to bring its processing into compliance with the GDPR, "if necessary by ceasing to process personal data under the current version of Google Analytics."


This is the second decision that confirms the use of (the current version of) Google Analytics is unlawful under the GDPR.

See here for a summary of a similar decision by the Austrian DPA.

See here and here for statements published by noyb on the French and Austrian decisions respectively.


English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

                  Decision No […] of […] giving formal notice […]

                                           (No […])

The President of the National Commission for Computing and Liberties,

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 relating to
the protection of personal data and the free movement of such data, in
particular Articles 56 and 60;

Having regard to law n° 78-17 of January 6, 1978 as amended relating to data processing, files and
freedoms, in particular its article 20;

Having regard to decree n° 2019-536 of May 29, 2019 taken for the application of law n° 78-17 of January 6,
1978 relating to data processing, files and freedoms;

Having regard to deliberation no. 2013-175 of July 4, 2013 adopting the internal regulations of the
National Commission for Computing and Liberties;

Having regard to decision […] of the President of the National Commission for Computing and Liberties
to instruct the Secretary General to carry out or have carried out a verification mission
of any processing accessible from the "[...]" domain or relating to personal data
collected from it;

Having regard to referral No. …;

Having regard to the other documents in the file;

I. The procedure

The company […] (hereinafter “the company” or “[…]”), whose registered office is located […], was created
in […] and has a distance selling business.

The National Commission for Computing and Liberties (hereinafter “CNIL”) received, on
August 19, 2020, a complaint (no. …) relating to the transfer to the United States of America
of personal data of the complainant, represented by the association NOYB - European Center for
Digital Rights, collected during his visit to the website […]. 101
complaints have also been filed by NOYB in the 27 Member States of the
European Union and the three other States of the European Economic Area (EEA) against 101
controllers who allegedly transfer personal data to the United States.

Pursuant to the decision […] of the President of the CNIL, a delegation from the CNIL
carried out a control mission on documents by sending the company […] a questionnaire
[…] and a request for additional information […]. The company responded by letter […]. Those
questionnaires related to the transfer of data from visitors to the French version of the
website […] which integrates the Google Analytics functionality.

FRENCH REPUBLIC
3 Place de Fontenoy, TSA 80715 – 75334 PARIS CEDEX 07 – 01 53 73 22 22 –
The personal data necessary for the performance of the CNIL's missions are processed in files intended for its exclusive use.
Data subjects can exercise their IT rights and Freedoms by contacting the Data Protection Officer (DPO)
from the CNIL via an online form or by post. For more information:

On […], the company informed the CNIL that it had made the decision to integrate the
Google Analytics functionality on its website […] and that the statistics obtained via Google Analytics
concerned persons in several Member States of the European Union. The processing
resulting from the integration of the Google Analytics functionality on its website therefore appears
cross-border within the meaning of Article 4.23.b) of the GDPR.


In accordance with Article 56 of Regulation (EU) 2016/679 of the European Parliament and of the Council
of April 27, 2016 (hereinafter “GDPR” or “the Regulation”), the CNIL informed, […] all
European supervisory authorities of its competence to act as lead supervisory authority
concerning this cross-border processing implemented by the company, a competence
derived by the CNIL from the fact that the main establishment of the company is in France.

[…] authorities are considered to be concerned within the meaning of Article 4, point 22 of the GDPR:
authorities […].

On 4 January 2022, under the cooperation procedure, a draft decision was
submitted to the authorities concerned on the basis of Article 60 of the GDPR.

This draft did not give rise to relevant and reasoned objections.

II. On the processing in question and the responsibility for processing

It appears from the responses of […] transmitted to the delegation of control that the company has integrated the
Google Analytics functionality on the website […] for the purposes of audience measurement and
performance of the company's media campaigns. The company clarified that Google Analytics
allowed in particular, when the user had not refused its use, individual tracking to be
carried out. Indeed, by associating the unique identifier of a user with
this user's data from one or more sessions launched from one or more
devices, Google Analytics provides a more accurate user count
(by identifying a user as a separate user, even in a different session).

Google Analytics works by including a block of JavaScript code on the pages of a
website. When the user of a site visits a page, this JavaScript code causes a
JavaScript file to be loaded and then performs the tracking operation for Google Analytics.
The tracking operation consists of retrieving data relating to the request through
different means and sending this information to Google Analytics servers.

Website managers who integrate the Google Analytics functionality can
transmit instructions to Google for the processing of data collected via Google
Analytics. These instructions are transmitted in particular through the tag management tool
that they have integrated into their site and through the configuration of the tool. In fact, the site
manager can choose different parameters in order to set, for example, the retention period of
data. The Google Analytics feature also allows site managers to
monitor and maintain the stability of their site, for example by being informed of certain
events such as a peak in traffic or, on the contrary, the fact that there is no traffic at
all. Google Analytics also allows site managers to evaluate and optimize
the effectiveness of advertising campaigns conducted using other Google tools.

In this context, Google Analytics collects, among other things, the HTTP request of the user and
information about their browser and operating system. […] an HTTP request, for
any page, contained details of the browser and terminal making the request,
such as the domain name and browser information such as its type, its
referrer (“referer”) and its language. Google Analytics places and reads cookies on the user's
browser to allow evaluation of the user's session and other information of
the page request.

When this information is collected, it is transmitted to Google Analytics servers.
[…] all of the data collected via Google Analytics was hosted in the United States.

Thus, data collected on the website […] via Google Analytics is transferred to
the United States.

Regarding these transfers, it appears from the documents in the file that the contract between […] concerning
the Google Analytics functionality refers to an appendix entitled "Google Ads Data
Processing Terms”. This appendix contains standard contractual clauses intended to govern
the transfer to the United States of America of personal data in the context of the
Google Analytics functionality. The company indicated that it does not have in its possession
elements leading to the conclusion that these clauses had not been complied with.

[…] additional legal, organizational and technical measures to regulate
data transfers as part of the Google Analytics functionality are implemented.

It emerges from all of these elements that the company managing the website […], in deciding
to implement the Google Analytics functionality on this site for evaluation and
optimization purposes, determined the means and purposes of the collection and processing of data
collected as part of the integration of Google Analytics on its website and must be
considered as data controller within the meaning of article 4.7 of the GDPR.

III. On the qualification of personal data

It should be established whether the data collected as part of the Google
Analytics functionality and transferred to the United States of America constitute personal data.

Article 4.1 of the GDPR defines personal data as "any information
relating to an identified or identifiable natural person (hereinafter referred to as "data
subject”); is deemed to be an "identifiable natural person" a natural person who
can be identified, directly or indirectly, in particular by reference to an identifier, such as
a name, identification number, location data, online identifier, or
to one or more elements specific to his or her physical, physiological,
genetic, psychic, economic, cultural or social identity”.

It should be noted that online identifiers, such as IP addresses or information
stored in cookies, can be used as a means to identify a user,
especially when combined with other similar types of information. This
is illustrated by recital 30 of the GDPR, which provides that an online identifier associated with a
natural person, such as an IP address or a cookie, can “leave traces
which, especially when combined with unique identifiers and other information
received by the servers, can be used to create profiles of natural persons and to identify
these persons”.

In the event that the data controller claims not to have the capacity
to identify the user through the use of this type of identifier (alone or combined with
other data), it should demonstrate the means implemented to ensure the anonymous
nature of the identifiers collected. In the absence of such a demonstration, these identifiers
cannot be qualified as anonymous.

Therefore, it is worth examining to what extent the implementation of Google
Analytics on a website allows the operator of the website […] to make a data
subject (a visitor to the website in question) identifiable.

In its response, […] argues that the following categories of personal data
are processed as part of the Google Analytics functionality:
    - a visitor ID (ID of the Google Analytics visitor cookie, i.e.
        the Google Analytics “client ID”);
    - for visitors who have authenticated to the website through a user account, an
        internal identifier […];
    - the order identifiers, if applicable;
    - IP addresses.

The company claims that IP addresses are "anonymized", without specifying
what process is applied to make these addresses anonymous. The company nevertheless classifies
this data as personal data.

With regard to visitor identifiers, it should be noted that these are unique
identifiers, which have the purpose of differentiating individuals. In this case, these identifiers can
also be combined with other information, such as the address of the site visited, the
browser and operating system metadata, time and data
relating to the visit to the website as well as the IP address. This combination strengthens
their discriminating character.

This is why several elements, when they are cross-checked, can make it possible to individualize
visitors to the website […], on which Google Analytics is implemented. It is not
necessary to know the name or postal address of the visitor since, in accordance with
recital 26 of the GDPR, such individualization of persons may be sufficient to
make them identifiable.

Should it be decided otherwise, the scope of the right to data protection, guaranteed by
Article 8 of the Charter of Fundamental Rights, would be diminished. Indeed, this would allow
companies to identify individuals and associate personal information with them
(such as their visit to a specific website) without affording individuals protection against
this individualization. Such an assessment, which would reduce the level of protection of
individuals, would also be contrary to the case law of the Court of Justice of the
European Union, which has repeatedly ruled that the scope of the GDPR is
very broadly defined (see, for example, C‑439/19, paragraph 61).

The CNIL also notes that for users of the website […] who have identified themselves
through a user account, or those who placed an order, the data is directly
linked to identifying data.

In addition, […] in the context of the use of Google Analytics, and under certain conditions
of the Google account settings, Google is informed that a user connected to his Google
account visited a specific site. Personal data relating to this account
are therefore collected.

Therefore, the data in question must be considered as
personal data within the meaning of Article 4 of the GDPR.

IV. On the breach of the obligation to regulate the transfer of personal data
outside the European Union

Article 44 of the GDPR provides: “A transfer, to a third country or to an international
organization, of personal data which are or are intended to be the subject of
processing after such transfer may only take place if, subject to the other provisions of
this regulation, the conditions defined in this chapter are complied with by the
controller and the processor, including for onward transfers of personal data
from the third country or international organization to another
third country or another international organization. All provisions of this
chapter are applied in such a way that the level of protection of natural persons
guaranteed by this Regulation is not compromised.”

Chapter V of the Regulation provides for various instruments to ensure a level of protection
substantially equivalent to that guaranteed within the European Union, pursuant to
Article 44 of this text:

- adequacy decisions (Article 45);
- the appropriate guarantees (Article 46).

In the absence of an equivalent level of protection, it establishes derogations for particular
situations (Article 49).

In the present case, it must be examined whether the data transfers in question to the United States
of America comply with Article 44 of the Regulation and, in particular, whether these transfers are
based on one of the aforementioned instruments and whether appropriate measures have been adopted.

    4.1 Adequacy decisions

In the judgment of July 16, 2020 (C-311/18), the Court of Justice of the European Union invalidated
Commission Implementing Decision (EU) 2016/1250 of 12 July 2016, pursuant
to Directive 95/46/EC of the European Parliament and of the Council, on the adequacy of the
protection provided by the European Union-United States Privacy Shield, without
maintaining its effects.

In the absence of another relevant adequacy decision, the transfers in question cannot
be based on Article 45 of the GDPR.

    4.2 Appropriate safeguards

Article 46.1 of the Regulation provides: “In the absence of a decision under Article 45,
paragraph 3, the controller or processor may transfer personal data
to a third country or to an international organization only if he has provided
appropriate safeguards and on condition that the data subjects have enforceable
rights and effective legal remedies.”

Article 46.2 of the Regulation provides that the “appropriate safeguards referred to in paragraph 1
may be provided, without this requiring specific authorization from a supervisory
authority, by: […] c) standard data protection clauses adopted by the Commission
in accordance with the examination procedure referred to in Article 93, paragraph 2;”.

            4.2.1 Standard data protection clauses

In this case, the company and Google have entered into standard contractual clauses for the transfer of
personal data to the United States ("Google Ads Data Processing Terms: Model
Contract Clauses, Standard Contractual Clauses for Processors”). These clauses comply with
those published by the European Commission in its decision 2010/87/EU.

In this context, it should be emphasized that the standard contractual clauses are a transfer
instrument within the meaning of Chapter V of the Regulation and have not been challenged as
such by the Court of Justice in its judgment of July 16, 2020 (C-311/18). However, the Court
considered that it followed from the contractual nature of these clauses that they could not bind
the authorities of third countries. In particular, the Court considered that: “If there are, therefore,
situations in which, depending on the state of the law and the practices in force in the
third country concerned, the recipient of such a transfer is able to guarantee the necessary
protection of data on the basis of the standard data protection clauses alone, there are
others in which the stipulations contained in these clauses may not
constitute a sufficient means of ensuring, in practice, the effective protection of
personal data transferred to the third country concerned. This is the case,
in particular, where the law of that third country allows the public authorities of that country to
interfere with the rights of data subjects relating to such data.”
(C‑311/18, paragraph 126).

However, it is not necessary to analyze in more detail the legal framework applicable in the United
States of America insofar as the Court has already carried out such an analysis in the aforementioned
judgment. The Court found, on the one hand, that the surveillance programs at issue
did not correspond to the minimum requirements attached, in Union law, to the principle of
proportionality, so that it was not permissible to consider that the surveillance programs
based on these provisions are limited to what is strictly necessary (paragraph 184). On the other
hand, the Court found that the legal framework in question did not confer on data
subjects rights enforceable against the US authorities in court, so that
these people did not have a right to an effective remedy (paragraph 192).

The analysis of the Court of Justice is relevant in this case insofar as Google LLC (as
a data importer in the United States) must qualify as an electronic communication
service provider within the meaning of 50 U.S. Code § 1881(b)(4) and is,
therefore, subject to surveillance by US intelligence services, pursuant to
50 U.S. Code § 1881a (“FISA 702”). Google LLC therefore has an obligation to
provide the U.S. government with such personal data as may be required
under FISA 702.

It appears from Google's transparency report that Google LLC regularly receives
such access requests from the intelligence services of the United States of America.

Thus, on the one hand, the Court of Justice declared the decision on adequacy with the
United States of America invalid, due to the access possibilities of the American intelligence services.
On the other hand, standard contractual clauses cannot, on their own, ensure a sufficient level of
protection as required by Article 44 of the GDPR insofar as the guarantees
that they provide are left unapplied in the event of access by said intelligence
services. The Court of Justice drew the following conclusion: “It thus appears that the
standard data protection clauses adopted by the Commission under Article 46,
paragraph 2(c) of the same regulation are intended solely to provide controllers
or their processors established in the Union with contractual guarantees
applying in a uniform manner in all third countries and, therefore, independently of the
level of protection guaranteed in each of them. Insofar as these standard data protection
clauses cannot, given their nature, provide guarantees that go beyond
a contractual obligation to ensure that the level of protection required by the law of
the Union is respected, they may require, depending on the situation prevailing in
such third country, the adoption of additional measures by the controller in order to
ensure compliance with this level of protection.” (paragraph 133).

        4.2.2 Adoption of additional safeguards

In its recommendations 01/2020 of 18 June 2021, the EDPS clarified that when
the assessment of the law or practice of the third country reveals that there are elements likely to
undermine the effectiveness of the appropriate safeguards offered by the transfer instrument referred to
in Article 46 of the GDPR to which the exporter has recourse in the context of a particular transfer –
which is the case here, following the assessment carried out by the CJEU – the exporter must
suspend the transfer or put in place additional measures. The EDPS notes in this
regard that “(a)ny additional measure can be deemed effective within the meaning of the judgment of
the CJEU in the Schrems II case only if and insofar as it remedies – taken in isolation
or in combination with others – the shortcomings identified in the assessment of the
law and applicable practices of the third country that the exporter has carried out.” (paragraph 75).

Measures to complement the standard data protection clauses can be
classified into three categories: contractual, organizational and technical (see, for this purpose,
point 47 of recommendations 01/2020).

With regard to contractual measures, the EDPS noted that such measures: “[…]
can complement and reinforce the guarantees that the transfer instrument and the
relevant legislation of the third country […]. Given the contractual nature of the measures, which
are generally not likely to bind the authorities of the third country when they are not
parties to the contract, these measures should be combined with other technical and
organizational measures to provide the required level of data protection.
[…]” (paragraph 99).

As regards the organizational measures, the EDPS considered that the “[…]
selection and implementation of one or more of these measures does not guarantee
necessarily and systematically that the transfer will satisfy the standard of equivalence
established by Union law. Depending on the specific circumstances of the
transfer and evaluation of third-country legislation, organizational measures are
necessary to complete the contractual and/or technical measures in order to guarantee a
level of protection of personal data essentially equivalent to that
guaranteed within the EEA” (point 128).

With regard to technical measures, the EDPS underlined that these “[…] measures will be
particularly necessary in the event that the law of that country imposes on the data
importer obligations that are contrary to the guarantees offered by the transfer
instruments referred to in Article 46 of the GDPR and which are, in particular, likely to affect
the contractual guarantee of an essentially equivalent level of protection against
access by the public authorities of that country to that data” (point 77). It adds that "The
measures listed [in the guidelines] aim to ensure that access by public
authorities of third countries to the data transferred does not affect the effectiveness of the
appropriate safeguards contained in the transfer instruments referred to in Article 46 of the
GDPR. These measures are necessary to guarantee a level of protection essentially
equivalent to that guaranteed within the EEA, even if access by public authorities is
in accordance with the legislation of the country of the importer, when this access goes beyond what is
necessary and proportionate in a democratic society. These measures are intended to prevent any
potentially illicit access, by preventing the authorities from identifying the persons concerned,
inferring information about them, distinguishing them in another context or
associating the transferred data with other data sets that may contain,
in particular, online identifiers provided by devices, applications, tools and protocols
used by data subjects in other contexts” (paragraph 79).

       4.2.3 Additional measures implemented by Google

Google LLC, as the recipient of the data, has adopted contractual,
organizational and technical measures to complete the standard data protection clauses.

As prescribed by the CJEU and the EDPS, it is necessary to verify whether the supplementary
measures adopted by Google LLC are effective, i.e. whether they address the
particular problem of the possibility of access by the American intelligence services
to the data in question.

With regard to the "legal and organizational measures" adopted, it should be noted
that neither the notification of users (if this is possible), nor the publication of a transparency
report or a policy for managing government access requests (“policy
on handling government requests”) actually prevents or reduces access by
US intelligence services. Moreover, it is not clear from the elements of the
record to what extent the careful examination of the legality of each request which
Google LLC carries out is an effective additional measure. Indeed, according to the CJEU, even
lawful requests by U.S. intelligence services do not comply with
requirements of European data protection law.

With regard to the “technical measures” adopted, it should be noted that neither
Google LLC nor the company has clarified how the measures described – such as the
protection of communications between Google services, the protection of data in transit
between data centers, the protection of communications between users and
websites, or on-site security – prevent or reduce the possibilities of access by
US intelligence services based on the US legal framework.

With respect to encryption techniques, such as those for data stored
in data centers, mentioned in particular by Google LLC as a technical
measure, it should be noted that Google LLC, as a data importer, is in all
cases obliged to grant access to or provide the imported data in its
possession, including the encryption keys necessary to make the data intelligible
(see recommendations 01/2020, point 81). In other words, as long as Google LLC has the
possibility of accessing the data of natural persons in clear text, such technical
measures cannot be considered effective in this case.

Regarding Google LLC's argument that the Google Analytics data
transferred by site managers are pseudonymised, it should be noted that
universally unique identifiers (UUIDs) do not correspond to the definition in Article 4.5
of the GDPR. Indeed, while pseudonymization can be a technique contributing to the protection
of privacy, unique identifiers – as noted above – have the
specific purpose of individualizing users, not of serving as a safeguard. Furthermore, it has
also been pointed out above how the combination of unique identifiers with other
elements (such as browser or device metadata or IP address) and the
possibility of linking such information to a Google account or an account […] make it possible
in any case to identify an individual.

Regarding the "optional technical measure" put forward by Google LLC, which
consists of an IP address anonymization function, it should first be noted that
such a measure is optional and is not applicable to all transfers. Furthermore, it is not apparent
from Google's response whether this anonymization takes place before the transfer or whether the full
IP address is, in any case, transmitted to the United States and shortened only at a second
stage, after the transfer to the United States. Thus, from a technical point of view, there is
access to the entire IP address before it is shortened.

Therefore, the additional measures adopted, as presented by
Google, are not effective, as none of them solves the problems
specific to the case. Indeed, none of them prevents the US intelligence
services from accessing the data in question or renders this access ineffective.

        4.3. Exceptions provided for in Chapter V of the Regulation

Article 49 of the Regulation provides: “1. In the absence of an adequacy decision pursuant to
Article 45(3) or appropriate safeguards under Article 46, including
binding corporate rules, a transfer or set of transfers of personal data
to a third country or to an international organization may take place
only under one of the following conditions:

a) the data subject has given explicit consent to the proposed transfer, after having
been informed of the risks that this transfer could entail for him or her due to the absence of
an adequacy decision and appropriate safeguards;

b) the transfer is necessary for the performance of a contract between the data subject and the
controller or the implementation of pre-contractual measures taken at the
request of the data subject; […]”

The company argues that the transfer could be based on Article 49.1.a of the GDPR,
indicating that the person concerned can refuse to allow Google to follow his visit to the site

However, a user's consent to the placing of trackers during his visit to the
website cannot be considered equivalent to "explicit consent to the proposed
transfer, after having been informed of the risks that this transfer could entail for him or her
due to the absence of an adequacy decision and appropriate safeguards" within the meaning of Article
49.1.a of the Regulation. In this regard, it may be noted that the company, far from establishing that such
consent has been obtained, does not put forward any information relating to these elements which
would be transmitted to visitors to the website.

The company also invokes Article 49.1.b of the Regulation insofar as these
functionalities are necessary for the proper functioning of the website and the detection of

This argument is nevertheless not supported by any precise element and, above all, the company does not establish
that there is a contractual relationship between it and all the users of its website.

Consequently, the company cannot rely on Article 49 of the Regulation as a basis for the
transfers in question.

       4.4. Conclusion

Therefore, it must be concluded that the company cannot rely on any of the instruments
provided for in Chapter V of the Regulation to justify the transfer of the personal
data of visitors to its website, and in particular unique identifiers, IP addresses,
browser data and metadata, to Google LLC in the United States.

Thus, due to this transfer of data, the company compromises the level of protection of
personal data of data subjects, as guaranteed in Article 44 of the


Consequently, […] is given formal notice, within a period of one (1) month from the
notification of this decision and subject to the measures that it may have already
adopted, to:

       • bring the processing relating to the Google Analytics functionality into compliance
            with Articles 44 et seq. of Regulation (EU) 2016/679 of the European
            Parliament and of the Council of 27 April 2016, if necessary by ceasing to process
            personal data under the current version of Google

       • justify to the CNIL that the aforementioned request has been complied with, and
            this within the time limit.

At the end of this period, if [...] has complied with this formal notice, the present
procedure will be considered closed and a letter will be sent to it to this effect.

Conversely, if […] has not complied with this formal notice, it is reminded
that a rapporteur may be appointed to ask the Restricted Committee to pronounce
one of the sanctions provided for by Article 20 of the law of January 6, 1978 as amended.

                                                   The president

                                                   Marie-Laure DENIS