Google Analytics has been on the front page of the privacy news lately. Austria, France, Italy, Denmark, Finland, and Sweden have taken a stance against Google Analytics, and the Norwegian data protection authority also provisionally ruled against Google Analytics in a still-pending case. The rulings are part of a coordinated effort on a European level and have been in the works for a long time.
GA is the default analytics tool, and it's used by 55% of all the websites on the web. It has long been a monopolist on the web analytics market, and its legal troubles are sending waves across the marketing landscape in Europe. In this climate of general panic, it can be challenging to understand what European authorities are ruling exactly. Is Google Analytics really illegal in Europe?
Let's dive in!
- The background on Google Analytics and GDPR
- What did the authorities actually say?
- Where is Google Analytics illegal?
- Where else will Google Analytics be illegal?
- What about the new data transfer framework?
- Final Thoughts
The background on Google Analytics and GDPR
Google Analytics came under fire because it requires transferring personal data to the U.S. for processing. Data transfers to the U.S. are a legal puzzle right now. It's a long story, and you can read all about it here. In a nutshell:
- The Schrems II ruling of the Court of Justice requires companies to implement adequate safeguards (commonly referred to as supplementary measures) when transferring data to the U.S. to protect data from State surveillance
- NGO noyb filed 101 complaints against Google Analytics and Facebook Connect to nudge European authorities towards stricter enforcement of the Schrems II ruling.
- The board of European supervisory authorities (EDPB) coordinated the response to the complaints at a European level.
- Several European Data Protection Authorities (DPAs) have "banned" GA from the respective countries1.
What did the authorities actually say?
The GDPR only allows personal data to leave the EU safely. This is why data transfers require safeguards for the data. This goes for any data transfer, not just Google Analytics.
The problem is, the US intelligence doesn't exactly have the best track record when dealing with foreign data. The Snowden files uncovered large scale, invasive, systematic surveillance programs over foreigner data (and even US citizen data- it's a long story).
In every complaint, the DPAs have examined the safeguards in place and found that they do absolutely nothing to protect European data against surveillance. This is why they held the data transfers to be illegal.
In theory, a company could implement stronger safeguards and use Google Analytics legally. But in the real world, companies can do absolutely nothing to protect the data they forward to Google Analytics. The only safeguards are those set by Google, and the DPAs have declared, over and over again, that they are not enough.
These decisions are not technically bans against Google Analytics. But in practice, they are- because all other cases will be similar and will be decided according to the same reasoning.
Where is Google Analytics illegal?
So far, privacy watchdogs have ruled against GA in Austria, France, Italy, Finland, and Sweden. In practice, you can add Denmark: the Danish authority did not decide a complaint, but essentially embraced the position of the other authorities on its website.
The Norwegian authority also decided against the use if Google Analytics in a preliminary ruling (Norway is not an EU Country but is part of the EEA and follows the GDPR). The final outcome of the case is not known.
There is a debate going on whether the statements apply to every version of Google Analytics or only to the current version (universal analytics). The short answer is that it applies to every Google Analytics setup or version. We've written about this more extensively in this blog.
Where else will Google Analytics be illegal?
The Italian and French authority are quite influential, so other EU/EEA countries are likely to follow suit.
What about the new data transfer framework?
In July 2023 the European Commission adopted an adequacy decision for the US. An adequacy decision is a unilateral act that enables the free flow of personal data to a non-EU Country.
Is the whole data transfer drama over? Not really. Schrems (yup, the guy from Schrems I and II) will certainly challenge the new framework in the Court of Justice, and will likely win.
Adequacy decisions are not merely political decision. The Commission cannot sanction data flows towards a Country solely because they like it, or because it is a strategic ally. They need to make sure that the data are kept safe outside the EU, and this is not the case with the new data transfer framework in place between the EU and the US.
This is not the first attempt at a trans-atlantic data transfer framework, either. Two older frameworks (Safety Harbor and Privacy Shield) were both invalidated by the Court of Justice over surveillance concerns. This will probably happen again, as the new framework does not really offer the safeguards required to keep EU data safe against US surveillance
Long story short, Schrems III will come at some point, and the EU will be back to square one.
In the meantime, European companies must live with the uncertainty or invest in localization. And by the way, Microsoft is pouring billions into its EU Data Boundary Boundary program- they expect thousands of companies to rush to their EU-based cloud after Schrems III comes around.
Final Thoughts
Aside from being illegal, Google Analytics is a privacy-invasive tool. From an ethical standpoint, we believe that Google is not helping to create an independent web that is friendly to website visitors. And why should they? They are raking in billions with Google Analytics.
This is the reason why we built Simple Analytics. A web analytics tool that provides you the insights you need without any tracking or collecting personal data.
Feel free to give us a try if you want to support an independent business that is trying to create a web that is friendly to website visitors.