Let’s break it to you: no, Google Analytics is not illegal in Australia. The recent legal troubles of Google Analytics stem from European authorities ruling that the use of Google Analytics is a violation of GDPR rules on extra-European data transfers.
However, since multiple EU Member States have found the use of Google Analytics unlawful, it is worthwhile to dig a bit deeper here and explore the changing landscape.
- What rules apply to Google Analytics in Australia?
- Can I transfer personal data from Europe to Australia?
- What is all the fuss around Google Analytics about?
- Privacy legislation in Australia, in general
- Final Thoughts
Let’s dive in!
What rules apply to Google Analytics in Australia?
The GDPR does not apply in Australia as it is not a Member State of the European Union or the European Economic Area. However, Australian companies still need to comply with the GDPR if they target the European market or monitor the behavior of users in the EU (this includes using Google Analytics for a website targeting a European audience).
Can I transfer personal data from Europe to Australia?
The European Commission has not adopted an adequacy decision for Australia. This means that the country was not “green lighted” as a safe destination for data transfers.
Data transfers to Australia are still possible, but they are more burdensome compared to countries covered by an adequacy decision. Transfers to Australia require the implementation of one of several legal mechanisms listed under Chapter V GDPR (the most common are the standard contractual clauses from the European Commission, which need to be implemented in a contract with the recipient). A data transfer impact assessment (DTIA) must also be performed.
What is all the fuss around Google Analytics about?
The recent trend of decisions against Google Analytics is part of a larger legal puzzle about data transfers between the EEA and the US. The issue does not involve Australia directly, but it does involve Australian websites using Google Analytics, provided that they target the European market and audience. We wrote about this extensively on our blog, so here’s a short version.
The core issue is State surveillance. Under the GDPR, European personal data can be transferred outside the EEA only if the transfer is safe. This is difficult for US data transfers because the US legal framework allows extensive and invasive surveillance of the data of foreign citizens. If an Australian company collects users' personal data in the EU with Google Analytics, the data will be transferred to the US for Google to process, which creates a risk that the data will be subject to surveillance by US agencies.
Two different data transfer frameworks (Safe Harbor and Privacy Shield) between the EU and the US made GDPR-compliant data transfers possible in the past, but both frameworks were invalidated by the EU Court of Justice in the Schrems I and II cases. A third framework is on the way but will undoubtedly face a legal challenge. With a Schrems III ruling already on the horizon, the future of EU-US data flows remains uncertain.
In the meantime, companies must resort to different legal tools (typically standard contractual clauses) to lawfully transfer data to the US under the GDPR. However, the issue with these tools is that they offer no protection against State surveillance. For this reason, the Court of Justice clarified in the Schrems II case that they must be supplemented by additional privacy-safeguarding measures whenever data is sent to “unsafe” countries. This is difficult, and entirely impossible for the transfers required by certain cloud-based services such as Google Analytics (we wrote about this here).
After the Schrems II ruling in 2020, most companies kept doing business as usual with US-based service providers. In the meantime, data protection authorities coordinated their approach to data transfers at a European level. As a result, the Austrian, French, Italian, and Hungarian DPAs ruled against the use of Google Analytics in similar decisions. The Danish DPA also took a strict stance in a press release. All decisions practically amount to a State-wide ban, as we explained here. Other DPAs will likely follow the example and adopt a more rigid stance on Google Analytics.
Privacy legislation in Australia, in general
At a federal level, the main privacy law of Australia is the 1988 Privacy Act. The Act is complemented by State legislation and by other Acts regulating specific sectors such as financial services. The Australian Information Commissioner is the country’s independent data protection authority and plays an important role in enforcing privacy legislation.
It should be noted that Australian law does not recognize breach of privacy as a tort (that is, as a specific cause or type of legal action in private law). For this reason, enforcing privacy rights in Australia can be more complicated than in other common law countries such as the US and the UK.
Final Thoughts
Whether Google Analytics is illegal in Australia or not, it’s definitely not privacy-friendly to your website visitors. In a world where state surveillance and monopolistic misconduct are more apparent than ever, we strive for an independent internet.
With Simple Analytics, you can still gather insights and discover opportunities from your website analytics without using cookies or collecting personal data. Want to see what that looks like? Have a look at our live dashboard here.
If this resonates with you, give us a try. It's free.