On September 21, 2022, Denmark’s data protection authority (DPA) Datatilsynet announced its decision that Google Analytics is not compliant with the EU General Data Protection Regulation (GDPR).
New Rules of the Danish Data Protection Agency Regarding Data Transfer
Google Analytics (GA) is a web analytics service that collects statistics data from websites and apps for search engine optimization (SEO) and creates reports and analytical tools for marketing purposes. The GDPR requires users' consent to collect and process their personal data, otherwise, GA would not comply with the GDPR. To comply with the GDPR and other privacy laws, Google recently introduced Google Analytics 4 (GA4), which, among other things, is heavily focused on data privacy. However, despite implementing extra privacy features, GA4 is still not fully GDPR compliant. GA4 still has not reached a consensus with the European regulators regarding data transfer between the EU and the USA. There are also other features like data sharing between Google products, which could breach the GDPR law.
The Danish DPA’s recent decision follows those of Austria, France, and Italy. Dataltilsynet informed that the latest guidance represents "a pan-European attitude among the supervisory authorities" and the supervisory authorities need a harmonized approach towards data transfer between the EU and the USA.
The basis for the decision of Denmark’s DPA
The GDPR was made to protect the personal data of European citizens. Google Analytics with its current settings can't ensure it since the data of European citizens is sent to the United States which, does not offer an adequate level of data protection after the EU-U.S. Privacy Shield Framework was invalidated.
“This has been particularly relevant as Google, following the first Austrian decision, has begun to provide additional settings in relation to what data can be collected by the tool. However, our conclusion is that the tool cannot, without more, be used lawfully”, concludes Denmark’s DPA.
The decision to outlaw Google Analytics represents a common European position among the Europe supervisory authorities. According to them, it is necessary that European data protection law is interpreted uniformly across the EU/EEA. As the subject matter of the submitted complaints about personal data privacy has been the same as in other EU countries, the outcome was also reached the same with data protection authorities in Austria, France, and Italy.
Consequences for Danish organizations
Under the guidance of Denmark’s DPA, organizations must evaluate whether their current use of Google Analytics complies with the GDPR. If their use does not comply, then they must either remediate the noncompliance with supplementary measures or stop using the tool.
An important task for Denmark’s DPA is to give guidance to Danish organizations and citizens about their rights and how to comply with the data protection law.
However, Denmark’s DPA does not promote or ban particular products or services: “As is the case with data protection law, we at the Danish Data Protection Agency are neutral to technology, and therefore have no interest in either approving or banning certain products”.
What should you do if you use Google Analytics?
The GDPR compliance issue regarding data transfer between the EU and the USA is not new for organizations. On 16 July 2020, the European Court of Justice announced that the EU – US Privacy Shield became invalid. As a result of that decision, the EU – US Privacy Shield framework is also no longer valid to comply with EU data protection requirements when transferring personal data from the EU to the United States.
If you are using Google Analytics, to be GDPR compliant you should choose between these two options:
- Remediate the noncompliance with supplementary measures, or
- Stop using the tool.
Therefore, one way to be GDPR compliant is by implementing supplementary measures. One possible technical solution was proposed by the French Data Protection Authority CNIL. Such a technique when using Google Analytics is called pseudonymization. Effective pseudonymization could be reached by means of a so-called reverse proxy. Read the guidance about how to properly configure a proxy server, proposed by CNIL.
If it is not possible to implement effective supplementary measures, you must stop using Google Analytics. Find another analytics tool that complies with the EU data protection law by not transferring personal data outside of Europe.
Keep in mind that the guidance on transferring personal data from the EU to the United States is also valid for other internet products as well. For example, if you are using a Consent Management Platform (CMP) to create cookies and get the Cookie Consent through a service provider, which sends users' data to the US, you could also be breaching the GDPR. Switch to CookieScript, which is a CMP, that ensures your website compliance with the latest privacy laws, like GDPR, CCPA, LGPD, CNIL, and others. CookieScript is based in the EU, all website users' data is stored locally in the EU, and the data is not transferred to third countries (USA).
Is there a transition period?
The Danish Data Protection Agency does not provide a transition period for businesses to legitimize their data processing activities. On the contrary, judgments of the Court of Justice of the European Union have previously shown the decision being taken retroactively. This is due to similar judgments not being new legislation, but rather an interpretation of existing law.
However, the Danish DPA takes into account to what extent an organization or a business is actively taking steps in bringing their activities in compliance with the EU data privacy law. It will also take into account how soon after the judgment such a process of bringing their personal data processing activities in compliance has started.
Settings of Google Analytics
You may be wondering if something could be done to comply with the EU data privacy law by changing the settings of Google Analytics (GA). For example, is it possible to configure GA in such a way that personal data is not transferred to the United States? Unfortunately, at the moment there is not possible to configure GA in such a way that personal data is not transferred to the United States. Google has replied to the European supervisory authorities regarding this issue that all data collected through Google Analytics is processed and stored in the United States. Further, the Danish DPA is not aware of any changes to Google’s technical characteristics that Google Analytics can provide the analytics tool without any transfer of personal data to the United States.
So maybe Google Analytics 4, which focuses heavily on data privacy, complies with the EU data privacy law? Google introduced Google Analytics 4 (GA4) with the aim to solve data privacy issues. It introduced many new features, like IP anonymization, decreased data storage duration, a possibility for users' personal data deletion, and others. However, despite implementing extra privacy features, GA4 is still not fully GDPR compliant. GA4 still has not reached a consensus with the European regulators regarding data transfer between the EU and the USA.
From the users' side, GA4 doesn't allow users to choose where their data will be stored. Your website must have a Privacy Policy, which clearly discloses the action of international data transfers.
Is it possible to use Google Analytics based on the consent of website users? According to the Danish DPA, the transfer of personal data to third countries, in general, does not comply with the GDPR but should be assessed in a case-by-case manner. So there could be specific situations for the derogations from the general conditions for third-country transfers. One such derogation could be if the data subject explicitly consents to the data transfer to third countries. This consent can only be given once the data subject has been informed about such a data transfer and has provided explicit consent to it. In addition, the supervisory authorities consider that these derogations regarding explicit user consent should be used restrictively as exceptions, and do not become the general rule.
The problem of unlawful data transfer theoretically could be solved by the new agreement between the EU and the US on the transfer of personal data. Is the new agreement between the EU and the US on the transfer of personal data under the way?
In March 2022, the European Commission and the United States announced that a new Trans-Atlantic Data Privacy Framework is being discussed that would allow the transfer of personal data between the EU and the US. However, the agreement does not provide yet any specific guidelines for the transfer of personal data to the United States. Thus, there is no new transfer basis and adequacy decision yet.
Want to be GDPR compliant? Use CookieScript CMP for managing Google Consent Mode and other Google Analytics settings to be GDPR and other privacy laws compliant. CookieScript can also create a unique and professional Privacy Policy for your business or website, which informs, among others, about GA and international data transfers, required by the GDPR.
Frequently Asked Questions
Is it allowed to use Google Analytics in the EU?
On September 21, 2022, Denmark’s DPA announced that Google Analytics (GA) is not compliant with the GDPR due to the personal data transfer between the EU and the USA. The decision follows those of Austria, France, and Italy. Other countries' DPA does not limit the usage of GA.
What should Danish organizations do if they use Google Analytics?
If you are using Google Analytics, to be GDPR compliant you should choose either to remediate the noncompliance with supplementary measures or stop using GA. One possible technical solution could pseudonymization, which could be reached by means of a so-called reverse proxy.
Is it possible to configure GA in such a way that personal data is not transferred to the United States?
No, at the moment such a possibility is not present. Google has replied to the European supervisory authorities regarding this issue that all data collected through Google Analytics is processed and stored in the United States.
Does Google Analytics 4, which focuses heavily on data privacy, complies with the EU data privacy law?
Google introduced Google Analytics 4 (GA4) introduced many new features, like IP anonymization, decreased data storage duration, users' personal data deletion, and others, to solve data privacy issues. However, despite implementing extra privacy features, GA4 is still not fully GDPR compliant. GA4 still has not reached a consensus with the European regulators regarding data transfer between the EU and the USA.
Is it possible to use Google Analytics based on the consent of website users?
According to the Danish DPA, the transfer of personal data to third countries, in general, does not comply with the GDPR but should be assessed in a case-by-case manner. One such situation could be if the data subject explicitly consents to the data transfer to third countries.
Is the new agreement between the EU and the US on the transfer of personal data under the way?
In March 2022, the European Commission and the United States announced that a new Trans-Atlantic Data Privacy Framework is being discussed that would allow the transfer of personal data between the EU and the US. However, the agreement does not provide yet any specific guidelines, thus, there is no new transfer basis and adequacy decision yet.