In early March, the Norwegian data protection authority (DPA) joined several other European regulators in declaring that websites running Google Analytics violated the General Data Protection Regulation (GDPR).
Is Google Analytics illegal under the GDPR? The answer is not entirely straightforward. This article will discuss the platform’s data protection issues and consider possible solutions.
Which regulators have commented on Google Analytics?
The Norwegian DPA is just the latest European regulator to decide a Google Analytics case. Here are the others:
- The European Data Protection Supervisor (EDPS), which oversees data protection among the EU’s institutions
- Austria’s “DSB” (across two cases, one of which was against Google itself)
- France’s “CNIL” (across three cases)
- Italy’s Garante
- Hungary’s NAIH
- Finland’s Data Protection Ombudsman
- Spain’s “AEPD”
These regulators each investigated websites that used Google Analytics, and they all came to the same conclusion: the websites’ use of Google Analytics violated the GDPR. The only exception is in Spain, where the website operator stopped using the tool before the investigation closed.
Other Google Analytics investigations are pending across the EU, including in Belgium and Germany.
The Danish DPA, while having yet to decide a Google Analytics case, has provided guidance stating that EU-based websites cannot legally use the tool based on the settings that Google provides. Elsewhere, Czech government websites have stopped using Google Analytics.
So why are all these regulators drawing the same conclusion? What exactly is the problem with Google Analytics under the GDPR?
Google’s data transfers
There are several issues with Google Analytics under the GDPR. But the main problem is how the tool transfers personal data (such as IP addresses) to Google’s servers in the US.
The GDPR requires European companies to implement safeguards whenever they “export” personal data to a “third country”, such as the US. The problem is that these safeguards are ineffective in many cases.
Google previously relied on self-certification schemes known as “Safe Harbor” and “Privacy Shield” to import data from the EU. Participants in these schemes were required to protect personal data to EU standards.
But both schemes were invalidated by the Court of Justice of the European Union (CJEU). The court essentially found that neither Safe Harbor nor Privacy Shield effectively protected Europeans from surveillance by the US government.
Standard contractual clauses
After the Privacy Shield scheme ended, Google switched to an alternative transfer safeguard known as “standard contractual clauses” (SCCs).
SCCs are contractual terms that Google places in service agreements with its European customers. The European Commission wrote these clauses requiring the data importer to protect personal data transferred from the EU to the US.
However, the CJEU has also found that SCCs are insufficient to protect personal data from the US government. Protecting against surveillance would also require technical measures prohibiting government access to imported data.
Whenever European regulators investigate Google Analytics, they find that Google has not implemented these technical measures. They find that websites using the tool are, therefore, violating the GDPR by enabling the illegal transfer of personal data to the US.