
This largely depends on whether the French website is a paying customer hosting their own images in a deliberate fashion (e.g. Amazon being responsible for facilitating GDPR compliance of S3 logs), or if it's a randomly hotlinked non-owned image.

In the latter (hotlinking) case the French website would almost certainly be entirely responsible if they operate at scale (excepting user generated content). In the former, it's obviously less clear cut (and also as mentioned revenue & scale are going to be very relevant).

Practical example: a private individual posts a hotlinked image on a French forum. Relevant questions:

- is that user profiting at large scale from data logged on the image server? No.

- is the forum website owner? No.

- is the image host deriving revenue directly from proactively collecting, analysing and profiling user data from readers of that forum post who are based in the EU? Possibly.

- is the image host doing so at large scale? Maybe.

3 & 4 are definitely true of Google Analytics, but broadly won't be true of many image hosts, so your image linking example won't be an issue most of the time.


