- The French CNIL classified the use of Google Analytics as unlawful on February 10, 2022.
- The decision is based on NOYB/Max Schrems’ Dalmatian complaints and discussions in a European task force.
- CNIL considers Google’s protective measures to be inadequate; there is therefore a risk for affected persons.
- CNIL pursues an absolute approach against data transfers to the USA, in contradiction to EDPB recommendations and standard contractual clauses.
After the Data Protection Authority of Austria The French regulatory authority CNIL has also Use of Google Analytics classified as unlawfulThe decision is based on a complaint by NOYB, the NGO of Max Schrems, more precisely on his 101 “Dalmatian” complaints. In the framework of a task force set up for this purpose, the European authorities exchange views on this, with the participation also of the CNIL.
The CNIL now concludes that no suitable safeguards are currently in place for the transfer of data. Although Google has taken additional measures to protect the data collected by Google Analytics, these are not sufficient. There is therefore a risk for the data subjects. For the measurement and analysis of Internet traffic, it is preferable to use tools that make do with anonymous data.
The wording of the CNIL indicates that it takes an absolute approach and does not permit the disclosure of personal data to the U.S. if access by authorities cannot be ruled out:
Il existe donc un risque pour les personnes utilisatrices du site français ayant recours à cet outil et dont les données sont exportées.
However, this approach is not in line with the Recommendations of the EDSA and with the wording of the current standard contractual clausesboth of which take into account the likelihood of access by the authorities.