The supplemental measures adopted by Google to regulate data transfers within the framework of the Google Analytics functionality are not sufficient to exclude the possibility of access by American intelligence services to this data.

That is what the Commission Nationale de l’Informatique et des Libertés (CNIL) recently announced in a news release about one of the 101 GA complaints.

The news release does not set out any reasoning to distract us from our full-on “cry and pray,” but here are some additional points.


  • recommends that websites use audience measurement and analysis tools only to produce anonymous statistical data, thus allowing an exemption from consent if the data controller ensures that there are no illegal transfers.
  • has launched an evaluation program to determine the solutions exempt from consent.
  • gave formal notice to the site manager to bring this processing into compliance with the GDPR, if necessary by ceasing to use the Google Analytics functionality (under current conditions) or by using a tool that does not lead to transfer outside the EU. The site manager in question has one month to comply.
  • has initiated formal notice procedures against site managers using Google Analytics.

The CNIL and its counterparts also are investigating other tools used by sites that give rise to the transfer of data from European Internet users to the United States. Stay tuned.