Madam President of the CNIL,

Following the Schrems II ruling, and the opinion rendered by the Commission Nationale de l’Informatique et des Libertés in October 2020 before the Council of State, under number 444937, we remind you that health data are sensitive data.

Following the decision of the Austrian data protection authority having ruled on the use of Google Analytics, deemed illegal and contrary to the RGPD.

That is why we ask the CNIL :

  • To analyze the consequences of the Schrems II jurisprudence on the use of the Google Analytics service concerning all e-health actors and more specifically on those under-mentioned
  • ASKS the regulator to stop the processing that would be illegal.

We have decided to make this letter public.

This publicity contributes to the objective of transparency defended by your Commission.

Thanking you for your attention to our request, please accept, Madam President, our most respectful regards.

Done in Paris, January 28, 2021


Long letter

Title: Referral to the CNIL concerning the use of Google Analytics by many e-health actors

Regarding the C-311/18 ruling (Schrems II)

“The EU General Data Protection Regulation was adopted with a dual purpose :

  • To facilitate the free flow of personal data within the European Union,
  • while safeguarding the fundamental rights and freedoms of individuals, including their right to the protection of personal data.”1

“In its recent ruling C-311/182 (Schrems II) the Court of Justice of the European Union (CJEU) recalls that the protection afforded to personal data in the European Economic Area (EEA) must apply to data wherever they are located.”1. The transfer of personal data to third countries cannot be a way to weaken the protection that is afforded to European citizens under the GDPR. “The Court also states that the level of protection in third countries must be equivalent to that guaranteed in the EEA” 1.

The Court had also held that “the requirements of US law […] entail limitations on the protection of personal data which are not circumscribed in such a way as to satisfy requirements substantially equivalent to those required by EU law” 2.

Regarding the CNIL opinion3

In its opinion rendered on the occasion of a dispute opened in October 2020 before the Conseil d’Etat 4, the CNIL questions at length the consequences of two US laws. These texts govern the powers of the intelligence services.

The first is the Foreign Intelligence Surveillance Act (FISA). It concerns the targeting of “persons reasonably believed to be outside the United States” and applies “to providers of electronic communications services.” This opaque text applies to Microsoft.

The second is called the Executive Order. This text is a presidential decree that legalizes the interception techniques of signals “from” or “to” the United States.

According to the CNIL, and on the basis of these two texts, Microsoft remains subject to the injunctions of the American intelligence services, which can force it at any time to transfer all the data hosted.

On November 10, 2020, the European Data Protection Committee therefore recalled that, in light of recent European case law, the supervisory authorities (“European CNILs”) “will suspend or prohibit data transfers in cases where, following an investigation or a complaint, they find that a substantially equivalent level of protection cannot be ensured” 1.

Regarding the recent decision of the Austrian Data Protection Authority (Datenschutzbehörde)

During the proceedings Google admitted 5 that :

all data collected by Analytics […] is hosted (i.e. stored and further processed) in the United States.

The Austrian Data Protection Authority has ruled that this behavior is a violation of EU law6.

Currently, many companies in the EU still use Google Analytics. By sending their collected data to Google in the United States they are illegally doing so.

According to Max Schrems, data protection activist and president of noyb.eu7

Instead of actually adapting their services to comply with the GDPR, American companies have tried to simply add text to their privacy policies and ignore the Court’s ruling. Many European companies have followed suit instead of turning to legal options. Companies can no longer use U.S. cloud services in Europe. It’s now been a year and a half since the Court of Justice confirmed this a second time, so it’s long past time that the law was enforced as well.

Concerning French e-health actors using Google Analytics

What about digital health companies? Many use this service provided by Google and named Google Analytics. Here is a non-exhaustive list: Recare, Qare8, HelloCare9, Alan10, Therapixel11, Implicity12, Medaviz13, Medadom14, KelDoc15, Maiia16

On its website Recare even mentions that “[personal] data may be processed outside the EEA, including in the United States of America. We have concluded EU standard contractual clauses with the service provider to ensure an adequate level of data protection”17.

E-health actors must ensure that they are not subject, in whole or in part, to injunctions from third-party courts or administrative authorities requiring them to transfer data to them.

Regarding the recommendations of the InterHop association

The InterHop Association

  • RECALLS that health data are sensitive data as defined by the CNIL 18.
  • ASKS the CNIL to analyze the consequences of the Schrems II case law on the use of the Google Analytics service for all e-health actors and more specifically for those mentioned above
  • ASKS the regulator to stop the processing that would be illegal.

We have decided to make this letter public. This publicity contributes to the objective of transparency defended by your Commission 19.

Yours sincerely

Done in Paris, January 28, 2021