Skip to main content
Menu Icon Menu Icon

InfoBytes Blog

Financial Services Law Insights and Observations

France says tool for EU-U.S. data transfers is unsafe

Privacy/Cyber Risk & Data Security Of Interest to Non-US Persons France GDPR EU

Privacy, Cyber Risk & Data Security

On February 10, the French data protection agency, Commission Nationale de l’Informatique et des Libertés (CNIL), issued a decision related to a multinational technology company’s practice of transferring data collected through its analytics tool to the U.S. The analytics tool, which measures the number of user visits, assigns a unique identifier to each visit (which constitutes personal data). The identifier and associated data are then transferred by the company to the U.S. CNIL stated that it received numerous complaints related to the transfer of the collected data and noted that complaints were filed against 101 data controllers for allegedly transferring personal data to the U.S. The agency analyzed the conditions under which the collected data was being transferred, and assessed the risk potential for individuals raising the concerns. According to CNIL, the company’s trans-Atlantic data transfers “are currently not sufficiently regulated” in spite of “additional measures” adopted by the company to regulate these data transfers. These measures “are not sufficient to exclude the accessibility of this data for U.S. intelligence services,” CNIL determined, noting that “in the absence of an adequacy decision (which would establish that this country offers a sufficient level of data protection with regard to the GDPR) concerning transfers to the United States, the transfer of data can only take place if appropriate guarantees are provided for this flow in particular.”

CNIL stated that these data transfers violate Article 44 et seq. of the GDPR (which governs the transfer of personal data to a third country or to an international organization), and ordered a “website manager to bring this processing into compliance with the GDPR, if necessary by ceasing to use the [analytics tool] functionality (under the current conditions) or by using a tool that does not involve a transfer outside the EU.” The website operator must comply within one month. Additional compliance orders were also issued to other website operators using the analytics tool. CNIL also recommended that the analytics tool should only be used to produce anonymous statistical data, and stated that it has launched an evaluation program to determine solutions that are exempt from consent.