France: Second and third CNIL rulings on illegality of data transfers to US via Google Analytics

On 2 March 2022, the Commission Nationale de l'Informatique et des Libertés (CNIL), the French data protection agency, issued two additional decisions regarding the non-compliance of Google Analytics's data transfers to the United States with the EU General Data Protection Regulation (GDPR). Particularly, the CNIL ordered two French websites to comply with the GDPR by stopping using Google Analytics services that involve data transfers outside the EU, giving them a one-month deadline for compliance. Previously, on 10 February 2022, the Commission Nationale de l'Informatique et des Libertés (CNIL), the French data protection agency, issued two additional decisions regarding the non-compliance of Google Analytics's data transfers to the United States with the EU General Data Protection Regulation (GDPR). CNIL found that Google Analytics had not taken the sufficient additional safeguard required by Art.44 of the GDPR for data transfers to third countries. Specifically, the measures taken by Google Analytics remained insufficient to prevent US intelligence services from accessing transferred data. CNIL ordered a number of websites using Google Analytics to cease using the service or to use a service that does not involve data transfers outside the EU, giving them a one-month deadline for compliance.