Google Analytics and GDPR: What’s the problem?
Posted: March 14, 2023
In early March, the Norwegian data protection authority (DPA) joined several other European regulators in declaring that websites running Google Analytics violated the General Data Protection Regulation (GDPR).
Is Google Analytics illegal under the GDPR? The answer is not entirely straightforward. This article will discuss the platform’s data protection issues and consider possible solutions.
Which regulators have commented on Google Analytics?
The Norwegian DPA is just the latest European regulator to decide a Google Analytics case. Here are the others:
- The European Data Protection Supervisor (EDPS), which oversees data protection among the EU’s institutions
- Austria’s “DSB” (across two cases, one of which was against Google itself)
- France’s “CNIL” (across three cases)
- Italy’s Garante
- Hungary’s NAIH
- Finland’s Data Protection Ombudsman
- Spain’s “AEPD”
These regulators each investigated websites that used Google Analytics, and they all came to the same conclusion: the websites’ use of Google Analytics violated the GDPR. The only exception is in Spain, where the website operator stopped using the tool before the investigation closed.
Other Google Analytics investigations are pending across the EU, including in Belgium and Germany.
The Danish DPA, while having yet to decide a Google Analytics case, has provided guidance stating that EU-based websites cannot legally use the tool based on the settings that Google provides. Elsewhere, Czech government websites have stopped using Google Analytics.
So why are all these regulators drawing the same conclusion? What exactly is the problem with Google Analytics under the GDPR?
Google’s data transfers
There are several issues with Google Analytics under the GDPR. But the main problem is how the tool transfers personal data (such as IP addresses) to Google’s servers in the US.
The GDPR requires European companies to implement safeguards whenever they “export” personal data to a “third country”, such as the US. The problem is that these safeguards are ineffective in many cases.
Google previously relied on self-certification schemes known as “Safe Harbor” and “Privacy Shield” to import data from the EU. Participants in these schemes were required to protect personal data to EU standards.
But both schemes were invalidated by the Court of Justice of the European Union (CJEU). The court essentially found that neither Safe Harbor nor Privacy Shield effectively protected Europeans from surveillance by the US government.
Standard contractual clauses
After the Privacy Shield scheme ended, Google switched to an alternative transfer safeguard known as “standard contractual clauses” (SCCs).
SCCs are contractual terms that Google places in service agreements with its European customers. The European Commission wrote these clauses requiring the data importer to protect personal data transferred from the EU to the US.
However, the CJEU has also found that SCCs alone are insufficient to protect personal data from the US government. Protecting against surveillance would also require technical measures that prevent government access to the imported data.
Whenever European regulators investigate Google Analytics, they find that Google has not implemented these technical measures. They find that websites using the tool are, therefore, violating the GDPR by enabling the illegal transfer of personal data to the US.
Is Google Analytics banned in the EU?
Some sources say that Google Analytics is “banned” or “illegal” in the EU. This assessment is not strictly correct.
The Danish DPA, for example, has stated that it “does not have the power to ban certain products” – the regulator merely assesses whether a given organization is processing personal data in compliance with the law.
However, it might be impossible to use Google Analytics without violating the GDPR, unless you implement some additional safeguards that are not provided by Google.
The French DPA has suggested a potential technical solution which it calls a “reverse proxy”. The idea is to prevent any information about a website visitor from making contact with Google’s servers by passing it through an EU-based server and applying technical safeguards.
However, the regulator warns that adjusting Google Analytics in this way might be “costly and complex” and could affect the tool’s performance.
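To make the “reverse proxy” idea concrete, here is an added example that is not code from the article, from the CNIL or from Google. It models the sanitising step such an EU-hosted proxy would perform: the browser sends its analytics hit to a server operated in the EU, which strips the visitor’s IP address and other identifying context, pseudonymises the visitor identifier under a key that stays on the EU server, reduces page URLs to their path, and only then builds the request that leaves for the vendor. The header names, parameter names, vendor endpoint and key are assumptions or constructed sample values.

```python
"""Sanitising analytics hits on an EU-hosted reverse proxy (added example)."""
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit

# Request headers that reveal the visitor's IP address, browsing context or
# cookies. The proxy drops all of them before forwarding (assumed list).
BLOCKED_HEADERS = {
    "x-forwarded-for", "x-real-ip", "forwarded", "cf-connecting-ip",
    "referer", "cookie", "user-agent",
}

# Query parameters the proxy is willing to forward. Names are assumptions in the
# style of an analytics measurement protocol; anything not listed is dropped.
ALLOWED_PARAMS = {"v", "tid", "t", "cid", "dp", "dl", "dt", "ul"}
PSEUDONYMISED_PARAMS = {"cid"}   # per-visitor identifier -> keyed hash
URL_PARAMS = {"dp", "dl"}        # page URLs -> path only (no host, query or fragment)

VENDOR_ENDPOINT = "https://collect.vendor.example/hit"   # placeholder, not a real endpoint


def pseudonymise(value: str, key: bytes) -> str:
    """Replace an identifier with an HMAC under a key that never leaves the EU server.

    A keyed hash is used instead of a plain hash so the vendor cannot recover
    low-entropy identifiers by brute force; rotating the key breaks linkability.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:32]


def path_only(url: str) -> str:
    """Keep only the path of a page URL; query strings and fragments may carry ids or tokens."""
    return urlsplit(url).path or "/"


def sanitise_hit(headers: dict, query: str, key: bytes) -> tuple:
    """Return the (headers, params) that the EU proxy may forward to the vendor."""
    out_headers = {k: v for k, v in headers.items() if k.lower() not in BLOCKED_HEADERS}
    # A fixed User-Agent removes browser/OS fingerprinting data from the hit.
    out_headers["User-Agent"] = "eu-analytics-proxy/1.0"

    out_params = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name not in ALLOWED_PARAMS:
            continue                      # unknown or identifying parameter: drop
        if name in PSEUDONYMISED_PARAMS:
            value = pseudonymise(value, key)
        elif name in URL_PARAMS:
            value = path_only(value)
        out_params[name] = value
    return out_headers, out_params


def outbound_url(params: dict) -> str:
    """Build the URL the proxy itself would request from the vendor. The visitor's
    IP never appears: the vendor only sees the proxy's own outbound connection."""
    return VENDOR_ENDPOINT + "?" + urlencode(params)


# Constructed sample hit, as the browser would send it to the EU proxy.
SAMPLE_HEADERS = {
    "X-Forwarded-For": "203.0.113.5",
    "Referer": "https://search.example/?q=cheap+flights",
    "Cookie": "_ga=GA1.2.1234567890.1600000000",
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) ...",
    "Content-Type": "text/plain",
}
SAMPLE_QUERY = urlencode({
    "v": "1", "tid": "UA-PLACEHOLDER-1", "t": "pageview",
    "cid": "1234567890.1600000000",
    "uid": "user-42",                                  # logged-in user id: must not be forwarded
    "dl": "https://shop.example/checkout?order=42&token=abc",
    "dp": "/checkout?order=42",
    "dt": "Checkout", "ul": "de-at",
})
SAMPLE_KEY = b"constructed-demo-key-keep-on-eu-server"

if __name__ == "__main__":
    hdrs, params = sanitise_hit(SAMPLE_HEADERS, SAMPLE_QUERY, SAMPLE_KEY)
    print(hdrs)
    print(outbound_url(params))
```

The forwarding step is left as a returned URL rather than an actual request so the example runs offline; in a deployment the proxy would issue that request itself, and the TLS connection to the vendor would originate from the EU server's address. The allowlist approach matters more than any single rule: a denylist of known identifying parameters silently fails the first time the browser-side script adds a new one.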
What about Google Analytics 4?
Google has implemented some new privacy safeguards in Google Analytics 4 (GA4). Could Google’s new safeguards solve the company’s GDPR problems?
No regulator has issued a decision about Google Analytics 4 yet. However, the Danish DPA and the Norwegian DPA have both warned that GDPR compliance issues remain with Google Analytics 4.
The reasoning is complicated, but these two Scandinavian supervisory authorities suggest that Google Analytics 4 could transfer people’s IP addresses to its US servers even with its new safeguards.
European regulators take a strict interpretation of the GDPR. As such, the mere possibility of Google transferring an IP address to the US could be deemed to violate the GDPR’s data transfer rules.
As an alternative to Google Analytics, some data protection authorities suggest using an analytics tool that can be self-hosted, or that is provided by a company based in Europe.
It’s also important to note that the EU and the US are in the process of setting up a new international transfer self-certification scheme called the “EU-US Data Privacy Framework”.
This new framework could render Google’s data transfers legal once again – but it might also eventually be overturned by the EU’s top court.