News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Member Directory Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | CNIL is latest authority to rule Google Analytics violates GDPR Related reading: The Austrian Google Analytics decision: The race is on

rss_feed

""

Just weeks after the Austrian Data Protection Authority’s ruling that Google Analytics use violates the EU General Data Protection Regulation, France’s data protection authority, the Commission nationale de l'informatique et des libertés, has reached a similar decision.

The rulings are the first stemming from 101 complaints filed by advocacy group NOYB throughout EU Member States following the “Schrems II” decision that invalidated the EU-U.S. Privacy Shield in July 2020 and are anticipated to set off a wave of decisions from other authorities.

In its decision, the CNIL said data collection and transfers to the United States using Google Analytics “are illegal,” violating Article 44 of the GDPR. The CNIL ordered an unidentified French website manager to bring its processing into compliance with the GDPR within one month and stop using the service under current conditions, if necessary.

The CNIL said transfers to the United States “are currently not sufficiently regulated” and the absence of an EU-U.S. adequacy decision presents “a risk for French website users who use this service and whose data is exported.” The authority noted additional measures taken by Google to regulate Google Analytics data transfers “are not sufficient to exclude the accessibility of this data for US intelligence services.”

The CNIL said its investigation “also extends to other tools used by sites that result in the transfer of data of European Internet users to the United States,” adding, “Corrective measures in this respect may be adopted in the near future.”

In addition to noting its investigation goes further than Google Analytics, IAPP Vice President and Chief Knowledge Officer Caitlin Fennessy, CIPP/US, said the CNIL makes it clear its decision reflects a collective analysis by European DPAs.

“The risks U.S. businesses face in Europe are escalating rapidly, while their workable compliance options plummet,” Fennessy said. “A diplomatic solution cannot come quickly enough.”

NOYB’s Max Schrems, who believes other authorities will “decide similarly” to the French and Austrian DPAs, agreed.

“In the long run we either need proper protections in the US, or we will end up with separate products for the US and the EU,” Schrems said in a written statement. “I would personally prefer better protections in the US, but this is up to the US legislator — not to anyone in Europe.”

But at this point, Fieldfisher Partner Phil Lee, CIPP/E, CIPM, FIP, said it feels as if the “situation is becoming somewhat farcical.” He said, “it seems bizarre” that data protection authorities are concerned about the transfer of analytics data when there is much more sensitive information flowing back and forth across the Atlantic, and around the world.

“Take emails sent between EU and U.S. organizations, for example, these are unencrypted communications that could contain highly sensitive data about the sender or third parties mentioned in the communication,” he said. “Billions of emails are sent on a daily basis, and yet no one is seriously suggesting we shut down email communications. So why so much excitement about transfers of analytics data?”  

With “regulatory incongruities,” Lee said, “it’s difficult to dispel the notion that there is a certain level of EU protectionism at play against U.S. tech companies.”

He noted there will be a lot of attention paid to reports that the EU and U.S. are nearing a replacement Privacy Shield agreement, and said many companies are “sincerely hoping that this time around it will be "Schrems"-proof.

Google has not yet issued a response to the CNIL’s decision, but in a previous statement on Austria’s ruling, President of Global Affairs and Chief Legal Officer Kent Walker urged EU and U.S. governments to finalize a Privacy Shield successor agreement.

“We urge quick action to restore a practical framework that both protects privacy and promotes prosperity,” he said.

In the meantime, Europcar Mobility Group Data Protection and Compliance Officer Aurélie Banck, CIPP/E, CIPM, FIP, noted organizations or websites using Google Analytics should pay attention to compliance.

“So, if we have to fix the data transfer issue, select another service provider other than Google Analytics,” she said adding, “It seems to be difficult to use an American service provider.”

Fox Rothschild Partner Odia Kagan, CIPP/E, CIPP/US, CIPM, FIP, PLS, said the decision does not give practitioners reasoning to use when trying to assess how to configure services or which services to use moving forward.

“In the absence of detailed reasoning, it is difficult for companies to analyze the services that they use and see whether they can be differentiated from the facts of these cases. Does the decision apply across the board to all possible Google Analytics implementations? Regardless of the type of data processed? Regardless of other considerations? What about other services,” she said.

Further, Kagan said EU controllers, in many cases, are left without an alternative to a U.S. service, and neither EU controllers or U.S. providers “have any control over the issue which is at the crux of this matter — namely, the access by U.S. authorities.”

“This is an issue which is above our collective paygrades and is in the hands of the European Commission and the U.S. State Department to find a satisfactory solution for redress, hopefully soon,” she said.

Photo by Markus Winkler on Unsplash


Approved
CDPO, CDPO/BR, CDPO/FR, CIPM, CIPP/A, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPT, LGPD
Credits: 1

Submit for CPEs

Author
Headshot Jennifer Bryant IAPP Staff Contributor
Tags
Europe
U.S.
Transborder Data Flow
2 Comments

If you want to comment on this post, you need to login.

  • comment Alex Wall • Feb 10, 2022 
    It seems as though France's CNIL indicated in 2020 that anonymized visitor metrics enabled by Google Analytics could be managed in compliance with the law.  It is dismaying to see this news, particularly for marketing teams who are simply trying to generally understand how well their websites are attracting engagement and not link that information to personal profiles.  I hope the powers that be can work out an agreement.
  • comment Dennis Arnold-Grade • May 12, 2022 
    @Alex Wall: I understand it being very dismaying for marketers. But, it is also important to see the field of marketing as what it is in this context: an ill-advised practise that does not give the consumer any advantage and in most cases only diminishes the individual's human and fundamental EU-rights, and therefore must be seen as being anti-privacy in and of itself (from the current state of it). If privacy is the goal here, the discipline of marketing will need to detach itself from tracking, surveilling, etc and operate with privacy by design and default (or, data protection by design and default). 
Within privacy, there is no "simply trying to generally understand how well their websites are attracting engagement", if this means breaching/violating the privacy of others. Just like a shop-owner does not have the right to see ID of any person coming in to his shop, websites shouldn't look at their site as something they have the right to surveil in regards to who comes in and out. 
If I would be you, I would stop looking for foreign cases that may or may not have understood the problem correctly, and may or may not have made a judgment that is in line with EDPB, EUCJ, etc, but instead concentrate on looking at Privacy-Enhancing Technology, in order to make sure to legally have a steady stream of data coming your marketing-department's way once again.
Related Stories
The Austrian Google Analytics decision: The race is on
1
Last month, the Austrian data protection authority fired the starting gun by issuing the most impactful post-“Schrems II” enforcement decision to date. Privacy professionals are racing – to assess, to comply, to enforce, and to find a more workable long-term solution for data transfers. The many r...
Read More queue Save This
French DPA asked to rule on Google Analytics use
France’s data protection authority, the Commission nationale de l'informatique et des libertés, has been asked to determine whether Google Analytics violates the EU General Data Protection Regulation, Euractiv reports. In a letter to the CNIL, nonprofit Interhop criticized e-health care companies’ u...
Read More queue Save This
Related Stories
Tags
Europe
U.S.
Transborder Data Flow
Recent Comments