The complaint argued, and the CNIL agreed, that because of the way Google Analytics was implemented, there were not sufficient supplemental protection measures in place when transferring personal data to the US. Although Google had adopted additional measures, the CNIL concluded these measures could not prevent US intelligence services from accessing the personal data and were therefore insufficient. The website operator in question has one month to comply. Supplemental measures may be needed if a company is relying on standard contractual clauses as a basis for transferring personal data to the US. The EDPB has provided direction on what those measures might look like.
Following the earlier Austrian decision, Google indicated that to address the EDPB’s direction on “supplemental security measures” it had several security features that companies could put in place when configuring Google Analytics. It also disagreed with the EU DPAs’ conclusions that US law enforcement would likely gain access to EU individuals’ information. This French decision suggests that other EU DPAs may also disagree with Google’s current position.
The European Commission announced today a long-awaited decision that the UK data protection standards are adequate under the meaning of GDPR’s Article 45, providing a mechanism to enable transfer of data from the EU to the UK without the need for additional authorisation or putting in place additional safeguards. This decision will be in force for four years but can be withdrawn if the UK were to lower its standards and no longer provide EU citizens adequate protection for their personal data. The decision excludes personal data that is transferred for purposes of United Kingdom immigration control.
In the bleak aftermath of Brexit this is a positive development for many businesses on both sides of the English Channel and provides much-needed legal certainty for data flows between the EU and the UK without the need to implement any additional transfer mechanism such as the newly issued EU standard contractual clauses.
A European adequacy decision was expected, not least as the UK only recently implemented its Data Protection Act 2018, which is broadly in line with the GDPR. There continue to be concerns that the UK will eventually diverge from EU standards, not least given the ongoing political debate in the UK post-Brexit to relieve UK businesses of the requirements of the GDPR. For now the European Commission was not convinced that these concerns were justified.
Putting It Into Practice: The UK now joins the group of 12 other countries (Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay) which so far have benefited from an EU adequacy decision.