Let’s break it to you: no, Google Analytics is not illegal in Canada. The recent legal troubles of Google Analytics stem from European authorities ruling that the use of Google Analytics is a violation of GDPR rules on extra-European data transfers.
However, since multiple EU Member States have found the use of Google Analytics unlawful, it is worthwhile to dig a bit deeper here and explore the changing landscape.
- What rules apply to Google Analytics in Canada?
- Can I transfer personal data from Europe to Canada?
- What is all the fuss around Google Analytics about?
- Privacy legislation in Canada, in general
- Final Thoughts
Let’s dive in!
What rules apply to Google Analytics in Canada?
The GDPR does not apply in Canada as it is not a Member State of the European Union or the European Economic Area. However, Canadian companies still need to comply with the GDPR if they target the European market or monitor behaviors in the EU (this includes using Google Analytics for a website targeting a European audience).
Under Canadian law, cookies can be processed based on the user’s consent, whether it is explicit or implied. Websites are required to provide a cookie notice and an immediate opt-out mechanism.
Can I transfer personal data from Europe to Canada?
The European Commission adopted an adequacy decision for Canada, essentially declaring the country a safe destination for data transfers. This decision only covers commercial organizations- you cannot rely on it to transfer personal data to a Canadian public body.
Because of the Commission’s adequacy decision, data transfers to a Canadian company are treated the same way as, say, transfers to a Slovenian or Dutch company. You can transfer data this way without any extra compliance burden.
Please note that the Commission periodically reviews adequacy decisions. If you plan on relying on an adequacy decision, make sure it’s still valid.
What is all the fuss around Google Analytics about?
The recent trend of decisions against Google Analytics is part of a larger legal puzzle about data transfers between the EEA and the US. The issue does not involve Canada directly, but it does involve Canadian websites using Google Analytics, provided that they target the European market and audience. We wrote about this extensively on our blog, so here’s a short version.
The core issue is State surveillance. Under the GDPR, European personal data can only be transferred safely outside the EEA. This is difficult for US data transfers because the US legal framework allows extensive and invasive surveillance of the data of foreign citizens. Suppose a Canadian company collects users' personal data in the EU with Google Analytics. In that case, the data will be transferred to in the US for Google to process, which creates a risk that the data will be subject to surveillance from US agencies.
Two different data transfer frameworks (Safe Harbor and Privacy Shield) between the EU and the US made GDPR-compliant data transfers possible in the past, but both frameworks were invalidated by the EU Court of Justice in the Schrems I and II cases. A third framework is on the way but will undoubtedly face a legal challenge. With a Schrems III ruling already on the horizon, the future of EU-US data flows remains uncertain.
In the meantime, companies must resort to different legal tools (typically standard contractual clauses) to lawfully transfer data to the US under the GDPR. However, the issue with these tools is that they offer no protection against State surveillance. For this reason, the Court of Justice clarified in the Schrems II case that they must be supplemented by additional privacy-safeguarding measures whenever data is sent to “unsafe” countries. This is difficult and entirely impossible for the transfers required by certain cloud-based services such as Google Analytics (we wrote about this here). So State surveillance is the reason transferring data to Canada is typically less tricky than transferring it to the US, even though an adequacy decision covers neither country.
After the Schrems II ruling in 2020, most companies kept doing business as usual with US-based service providers. In the meantime, data protection authorities coordinated their approach to data transfers at a European level. As a result, the Austrian, French, Italian, and Hungarian DPAs ruled against the use of Google Analytics in similar decisions. The Danish DPA also took a strict stance in a press release. All decisions practically amount to a State-wide ban, as we explained here. Other DPAs will likely follow the example and adopt a more rigid stance on Google Analytics.
Privacy legislation in Canada, in general
Canada has a comprehensive legal framework for data protection. The 1983 Federal Privacy Act and the 2000 Personal Information Protection and Electronic Documents Act play a crucial role in the Canadian privacy framework.
Whether Google Analytics is illegal in Canada or not, it’s definitely not privacy-friendly to your website visitors. In a world where state surveillance and monopolistic misconduct are more apparent than ever, we strive for an independent internet.
With Simple Analytics, you can still gather insights and discover opportunities from your website analytics without using cookies or collecting personal data. Want to see what that looks like? Check out our live dashboard here.
If this resonates with you, give us a try. It's free.