Quick reminder around the “Schrems II” case and its aftermath
Following the ruling in the so-called "Schrems II" case (CJEU C-311/18 of July 17, 2020, Data Protection Commissioner v. Facebook Ireland Ltd, Maximillian Schrems), when one considers making personal data accessible from Europe to recipients located in countries outside of Europe and wishes to rely on "appropriate safeguards" such as the famous European Commission standard contractual clauses, one must first assess the level of data protection in the third country. In the absence of a sufficient level of protection, as when the third country is the United States, it is necessary to put in place "additional safeguards" to effectively protect the data at destination.
Various European bodies, courts and supervisory authorities have drawn the consequences of this ruling in a particularly rigorous manner.
After the Verwaltungsgericht Wiesbaden (Administrative Court of Wiesbaden in Germany) on December 6, 2021, the European Data Protection Supervisor (EDPS) on January 5, 2022 and the Datenschutz behörde (Austrian data protection supervisory authority) on December 22, 2021, the French supervisory authority, the Commission Nationale de l'Informatique et des Libertés ("CNIL"), has now given its opinion.
CNIL adopts a strict position on Google Analytics
Among the 101 complaints filed on Google Analytics and Facebook Connect integrations in webpages of European controllers by NOYB - European Center for Digital Rights (the non-profit association promoted by Mr. Schrems), 6 were filed against French companies, including some of the best-known names in the French market (Auchan, Leroy Merlin, Decathlon, Free, Sephora, Huffington Post).
Three of them were targeted for their use of the Google Analytics solution (the complaints concerning the other four are related to the use of Facebook Connect and are still awaiting a decision from CNIL).
CNIL has given them all 3 formal notices to stop using the Google Analytics solution, in almost identical decisions.
The publishers of these sites tried to convince the CNIL that (i) the contractual and organizational measures and (ii) the technical measures implemented by Google LLC in the USA met the requirements set by the CJEU. But they failed.
i. Regarding the contractual and organizational additional measures, Google undertakes to:
- Notify users in the event of an access request by U.S. intelligence agencies;
- Publish a transparency report or policy for handling government access requests;
- Ensure the lawfulness of requests made by U.S. authorities before responding.
- CNIL believes that these measures do not "in practice prevent or reduce access by U.S. intelligence agencies”, even when they are lawful under US laws, which does not make any difference.
ii. With respect to technical additional measures, Google says that:
- It protects communications between its services;
- It protects data in transit between data centers;
- It protects communications between users and websites;
- It ensures on-site security;
- It encrypts the data stored on its servers;
- The identification of users by a universal unique identifier (called "UUID" for Universally Unique Identifier) is a pseudonymization operation.
- Again, CNIL considers that this is insufficient since, "as far as Google LLC has the possibility to access the data of natural persons in clear text, such technical measures cannot be deemed effective in the present case". This is in line with the position of the EDPS (EDPB, Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data).
It is also worth noting that CNIL did not apply the risk-based approach adopted by part of the doctrine and US-originating editors based on the above-mentioned EDPB recommendation (see §54) to assess the suitability of additional safeguard they propose. In the present instances, CNIL did not even seem to take into consideration the sensitivity of the transferred data or its volume to assess the robustness of the additional measures put in place by Google LLC.
In order to give maximum impact to its decisions, CNIL has translated and published one of them. If you are an English-speaking reader, you can have a look here: decision in ENG.
Article provided by INPLP member: Charlotte Barraco-David and Marie-Hélène Tonnellier (OYAT, France)
Dr. Tobias Höllwarth (Managing Director INPLP)