Flash news

Google Analytics cookies targeted by the CNIL

- Flash news

Google Analytics

The French data protection authority (Commission Nationale de l’Informatique et des Libertés or ‘CNIL’) has announced that it has ordered the operator of a French website to cease using Google Analytics cookies, which compile statistics on website traffic, within one month.

Summary:

In July 2020, the Court of Justice of the European Union invalidated the Privacy Shield, the treaty creating the legal framework for transfers of personal data from the European Union to the United States of America. Crucially, in this ruling, known as Schrems II, the Court found that the existence of surveillance programmes carried out by American authorities allowing them to access European citizens’ personal data was incompatible with the high level of data protection set by the GDPR. Since this ruling, such personal data transfers have still been possible but only if the data exporter implements appropriate safeguards to protect the data.

Although the CNIL does note in its press release that Google has adopted additional measures to regulate transfers of data obtained through Google Analytics cookies, the authority believes that these measures “are not sufficient to exclude the accessibility of this data for US intelligence services”. It has therefore ordered the website operator in question to remedy the violation, “if necessary by ceasing to use the Google Analytics functionality (under the current conditions) or by using a tool that does not involve a transfer outside the EU”.

In effect, the recipient of the CNIL’s order has no choice but to stop using Google Analytics cookies.

Impacts:

The CNIL states in its press release that its position is not isolated, and indeed that:

  • the CNIL has ordered other website operators to cease using Google Analytics cookies;
  • the CNIL is acting “in cooperation with its European counterparts”.

Regarding this last point, in a decision published on 13 January 2022, the Austrian data protection authority (the ‘Datenschutzbehörde’) expressed reservations on the compliance with the GDPR of personal data transfers to the United States enabled by Google Analytics cookies. The same day, the Dutch data protection authority (the ‘Autoriteit Persoonsgegevens’) alerted to a possible future prohibition of such cookies.

If the CNIL’s position were to be widely adopted in the EU, internet operators would be considerably impacted:

  • firstly, almost all website operators, including online stores, use Google Analytics cookies;
  • secondly, the grounds on which data protection authorities are prohibiting the use of Google Analytics cookies could also apply to many other tracing technologies provided by transatlantic companies;
  • finally, European tech actors are not currently capable of providing alternatives to all American digital products and services.

The most immediate solution would be to ensure that the main American cookie providers cease transferring personal data from the European union to the United States entirely. However, such a solution could be paralysing for some activities. It is therefore urgent that European and American authorities agree on a new framework to substitute the defunct Privacy Shield, invalidated now more than a year ago, compliant with the high level of protection afforded to privacy by European laws.

Incidentally, the CNIL’s position, as well as the position of its Austrian and Dutch counterparts, brings to light the limits of the new Standard contractual clauses, updated by the European Commission on 4 June 2021 to reflect the Schrems II ruling, which appear to have missed the mark.