By Matt Rotert

In the immediate aftermath of the landmark Schrems II decision, which invalidated the EU-U.S. Data Privacy Shield, the noyb, a non-profit organization established by Maximilian Schrems in 2017, began laying the groundwork for the next “big” decision regarding the transfer of personal data related to EU residents to the United States.  According to the French Data Protection Authority (in French Commission Nationale de l'Informatique et des Libertés) (“CNIL”), noyb “has filed 101 complaints in the 27 Member State of the European Union and the three other members of the European Economic Area (EEA) against 101 data controllers” regarding the transfer of data to the United States.[1]  This response includes the complaint filed with the CNIL on August 19, 2020, which was the basis for the February 10, 2022, CNIL decision regarding the use of Google Analytics and data transfers to the United States.[2]

In its February 10, 2022, decision, the CNIL determined that the use of Google Analytics by website managers/operators constituted an unlawful transfer of personal data related to EU residents to the United States.  The CNIL found, like the Austrian Data Protection Authority (in German Datenschutzbehörde) (“DSB”) did in January 2022, that 1) the use of Google Analytics meant data was transferred to the United States; 2) the type of information transferred was “personal;” and 3) that the supplemental measures implemented by Google in conjunction with Standard Contractual Clauses (“SCCs”) did not provide adequate protection against the access afforded U.S. intelligence operations.[3]

For now, the impact of the January 2022 DSB decision and this February 2022 CNIL decision is limited to those jurisdictions.  And neither data protection authority issued fines or other sanctions against a website manager/operator or Google.  The DSB dismissed Google as a party and found that the onus for ensuring adequate protection was on the website operator.[4]  That said, these decisions are unlikely to stay financially benign.  As part of its February 2022 decision, the CNIL gave website managers/operators one month (by March 10, 2022) to comply.[5]  Complaints of continued violations of that order may be harshly addressed.

Perhaps these should not be seen as landmark decisions – both use the same rationale as outlined in Schrems II – but both represent the application of that rationale to properly executed SCCs supported by supplemental measures, and both found them deficient. 

If it was not clear before, compliance with GDPR following Schrems II cannot mean pro forma execution of SCCs – even when supported by stringent data security protocols.  This standard is unlikely to change in the immediate term as the final agreement on Trans-Atlantic Data Privacy Framework (the “Framework”) is likely months away.  Even once the Framework is finalized, remaining GDPR compliant likely means a wholesale review of what data is being transferred, why that data is being transferred, and whether there are alternatives to executing that transfer.

For additional information on this topic, please contact Matt Rotert at mrotert@redgravellp.com.

The views expressed in this article are those of the authors and not necessarily those of Redgrave LLP or its clients.