The complaint argued, and the CNIL agreed, that because of the way Google Analytics was implemented, there were not sufficient supplemental protection measures in place when transferring personal data to the US. Although Google had adopted additional measures, the CNIL concluded these measures could not prevent US intelligence services from accessing the personal data and are therefore insufficient. The website operator in question has one month to comply. Supplemental measures may be needed if a company is relying on standard contractual clauses as a basis for transferring personal data to the US. The EDPB has provided direction on what those measures might look like.
Following the earlier Austrian decision, Google indicated that to address the EDPB’s direction on “supplemental security measures” it had several security features that companies could put in place when configuring Google Analytics. They also disagreed with the EU DPAs conclusions that US law enforcement would likely gain access to EU individuals’ information. This French decision suggests that other EU DPAs may also disagree with Google’s current position.