Electronic transfers

Data transfer from the EU: what to remember from the recent GDPR decisions of Google Analytics | Stikeman Elliott LLP

Companies using Google Analytics (“Analytics”) or similar platforms may be interested in recent rulings by several European data protection authorities which concluded that Analytics data transfers to the United States were not compliant. to EU law. General Data Protection Regulation (“GDPR”). Authorities’ concerns about the identifiability of information and its potential vulnerability to FISA requests could apply more broadly.


In August 2020, following the Decision of the European Court of Justice invalidating the Privacy Shield (“Schrems II”, decided July 16, 2020), privacy rights organization None of Your Business (“NOYB”) has brought cases before 27 European data protection authorities alleging that Analytics transfers personal information from the European Union to the United States in a manner that does not comply with the GDPR. As it did in Schrems II, NOYB argued that the personal information of Europeans collected by sites using Analytics was not sufficiently protected as it was susceptible to disclosure to US intelligence services.

Although Google has argued that the information in question is not personal information and has implemented sufficient additional safeguards, the Austrian Data Protection Authority and the National Commission for Information and Freedoms (“CNIL”) recently ruled in favor of NOYB.

The conclusions of the CNIL

The following observations, based on the findings of the CNIL, reiterate: (i) the EU’s broad definition of “personal information”, (ii) the EU’s desire to see effective security measures implemented to protect personal information against US government requisitions; and (iii) the importance of explicit, informed and informed consent.

A broad definition of “personal information”

The CNIL decision confirms an inclusive definition of personal information (or personal data) which extends to any identifier that can be combined with other information in order to create a profile. In the French case, a company whose name is omitted from the judgment (“Company”), used Analytics to carry out an analysis of the Internet traffic of its website. The information collected included:

  • A visitor ID (the Analytics visitor cookie ID, i.e. the Analytics client ID);
  • For visitors who have logged in to the website through a user account, an internal company identifier;
  • Order identifiers, if any; and
  • An IP address.

The CNIL noted that since they could be combined with other information, such as the address of the website visited, the metadata relating to the browser and the operating system, the time and the data relating to the consultation of the website, the IP address, the identifiers provided a certain level of identification of an individual and were therefore qualified as personal information. Specifically, the French data protection authority stated:

“When several elements are combined, they can make it possible to individually identify the visitors of the […] website, on which Google Analytics is implemented. It is not necessary to know the name or the actual (physical) address of the visitor because, according to recital 26 of the GDPR, such identification of persons is sufficient to make the visitor identifiable”.

The CNIL has also clarified that universal unique identifiers (“UUIDs”) are not considered pseudonymised data within the meaning of the GDPR and are therefore not, in themselves, privacy-enhancing techniques.

Insufficiency of standard contractual clauses

As with Schrems II, the heart of this case lies in the fact that Analytics transfers the personal information it collects on the French company’s site to the United States for storage. The GDPR only allows transfers of personal information from the EU to a third party if That is the third party (i) is governed by the laws of a country which the EU has deemed adequate – as is the case of Canada – Where (ii) has implemented a number of other measures, such as Standard Contractual Clauses (“SCC”), containing an adequate level of protection for personal information in transit from the EU to an entity in another country.

Since the American legislation was not considered adequate, the EU and the United States successively implemented two special arrangements – the Safe Harbor and the Privacy Shield – which aimed to allow the flow of personal information between the entities of these two jurisdictions. These mechanisms were struck down, respectively in 2016 and 2020, by the European Court of Justice (“ECJ”) on the grounds that they did not provide adequate protection for personal information. Although on March 25, 2022, the EU and the United States announced another agreement in principle allowing cross-border transfers of personal information, since the Schrems II ruling, these transfers have become increasingly complicated from the point of view of view of compliance.

It is in this context that the CNIL and other European data protection authorities have deemed the protection of personal information of Analytics non-compliant with the GDPR. The CNIL has ruled that Analytics’ transfer of Europeans’ personal information to the United States and its storage in the United States is not GDPR compliant, as the information cannot be effectively protected against disclosure requests. Americans. According to the CNIL, Google LLC is qualified as a provider of electronic communications services and as such is subject to Foreign Intelligence Surveillance Act (“FISA”) requests. Such a request is incompatible with the protection of personal information offered by the GDPR for two reasons:

  • A request for FISA information is not limited to what is strictly necessary and therefore violates the requirement to minimize collection; and
  • FISA proceedings are secret, denying an effective remedy to those who are the subject of such a request.

This denial of an effective remedy runs counter to the rights protected by the EU Charter of Fundamental Rights.

In addition, although the European Data Protection Board agreed in 2021 that if an entity adopted “additional measures” to protect personal information, such an entity could potentially share the information in question with a US entity, the CNIL. found that the contractual, organizational, and technical measures implemented by Analytics were insufficient to protect against a FISA request. In particular, he found that:

  • The contractual and organizational measure which consisted in disclose the fact that personal information could be requested by the U.S. government was not the same as protect information against such a request.
  • The proposed technical measures – namely (i) securing data in transit between data centers, (ii) protecting communications between users and websites, or (iii) “on-premises security” – do not did not in fact address the issue of preventing or reducing access opportunities for US intelligence services.
  • Encryption of data at rest in the United States was not a form of protection because, as the CNIL stated, “Google LLC as a data importer nevertheless has an obligation to grant access or to return the personal data imported into his possession, including any cryptographic keys necessary to make the data intelligible […]. In other words: as long as Google LLC has the possibility of accessing the data of natural persons in clear text, such a technical measure cannot be considered effective in the present case. »

Consent as an alternative

The third point underlined by the CNIL decision is that in the absence of explicit consent to the transfer of personal information to the United States, a company cannot take advantage of the GDPR consent exception to data transfers. ‘personal informations. The French data protection authority clarifies that a user’s consent to store cookies should not be confused with a user’s explicit consent to have their personal information transferred to the United States after receiving notice. information that includes information about the risks involved and the steps an individual can take to reduce them. Consent to the transfer must be explicit, express and informed.


The decisions of European data protection authorities in response to NOYB’s challenge to Analytics’ data transfer practices are further proof that the European Union requires that clear and effective measures to protect personal information are implemented. before any personal information can be transferred to the United States. Standard data protection claims of “encryption of data in transit” or disclosure that personal information is subject to requests from US government agencies will not be accepted as substitutes for genuine protection.