Media Unleashed

Unleash your media. Run.


By: McKenna Timoneri    March 31, 2022

The EU-U.S. Google Analytics data transfer cases continue. On February 10, 2022, France’s data protection authority (DPA), Commission Nationale de l’Informatique et des Libertés (CNIL), ruled that the use of Google Analytics on French websites to transfer data to the United States is a violation of the General Data Protection Regulation (GDPR). The case in France was filed by the European privacy advocacy group None of Your Business (NOYB), which filed this same data privacy complaint against Austria. NOYB has filed 101 complaints in 27 EU Member States and the three European Economic Area (EEA) states regarding violations of personal data transfers to the United States through Google Analytics.

The issue remains that personal user data from EU websites is being transferred to the United States by Google Analytics, which in these two cases has been found to be a violation of Article 44 of the GDPR. Article 44 of the GDPR requires companies to protect personal data when transferred outside of the EU. France’s CNIL found concern that despite Google’s efforts to regulate data transfers through Google Analytics, those measures were not sufficient to eliminate the risk of United States intelligence services accessing personal data. Without using approved data transfer means, the transfer can be ruled unlawful, which is what we are seeing in the case of Austria and France.

Following France’s CNIL ruling of unregulated data transfers to the United States, the DPA granted website operators one month to adjust their data processing methods to comply with the GDPR, whether that be by eliminating their use of Google Analytics or seeking out other tools that do not transfer data outside of the EU. The CNIL also urges website operators to use analytics tools that anonymize data, though this proposal may render data less useful in analysis.

Seeing that this is now the second NOYB case that has found the use of Google Analytics between the EU and U.S. to be a violation of the GDPR, it is certainly becoming more of a possibility that this trend will continue throughout the EU, among other countries facing these same data protection complaints.