Recent decisions by the French Data Protection Authority (DPA), the CNIL and the Austrian DPA, the Datenschutzbehörde (or DSB), have thrown tracking activities into sharp focus. 

CNIL Cookie Decisions  

On 6 January, the CNIL found that on both Google and Facebook’s websites it was harder to reject cookies than to accept them and fined the companies 150 million euros and 60 million euros, respectively. The CNIL noted that “several clicks are required to refuse all cookies, against a single one to accept them.”  

This was held to be an infringement of Article 82 of the French Data Protection Act, which provides that any action through which an electronic communication service accesses or enters information in a user’s terminal equipment (such as the storage of cookies) requires the user’s consent. In its decision, the CNIL references Article 4(11) of the GDPR and recital 42, which states “Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.” 

DSB Google Analytics Decision 

 On 13 January, the Austrian Data Protection Authority, the DSB, released its decision on complaints brought by Max Schrems organisation None of Your Business (‘noyb’) in relation to the use of Google Analytics by an Austrian company. The data subject, an Austrian national, visited a website on health issues hosted by an Austrian company while logged into his Google account. According to the website, the website owner was the controller and Google was the processor in relation to Google Analytics. The website owner and Google entered into Standard Contractual Clauses (SCCs) to legitimise transferring personal data in relation to Google Analytics. The data subject complained that this was a breach of Chapter V GDPR, which contains the requirements for transferring personal data outside of the EU. 

In its decision, the DSB held that, in light of the ECJ’s Shrems II ruling, the SCCs did not provide sufficient protection because Google is an “electronic communication service provider” under section 50 of the U.S. Code § 1881(b)(4) and is therefore subject to surveillance by US intelligence services. Because of this, the additional safeguards put in place (such as fences around data centres and baseline encryption) were insufficient as they did not prevent US intelligence services from accessing the data subject’s personal data. 

To note that the DSB did not impose any fines or corrective measures on the Austrian controller as they merged with a German company and the DSB’s view is that this issue will have to be addressed by the relevant German authority. In any event, prudent operators can pre-emptively take some actions to prepare for potential corrective measures imposed to those using Google Analytics. 

How should companies respond: 

  • If you haven’t already done this, speak to your marketing department to understand exactly which analytics tools are used by your company – don’t just focus on Google Analytics.  
  • Review how you use analytics tools to understand the level of risk to individuals, considering what type of personal data can be collected or inferred via visits to your website and your company’s risk appetite. In the case before the DSB, the website provided information on health issues. Such sensitive data can lead to more restrictions on the use of analytical technologies.  
  • Speak to your IT department to evaluate cookie permission settings on websites in line with the risk assessment carried out 
  • Introduce facility to reject all cookies with just one click. 
  • Take a risk-based approach to marketing activities in consultation with your DPO.