Let’s break it to you: no, Google Analytics is not illegal in India. The recent legal troubles of Google Analytics stem from European authorities ruling that the use of Google Analytics is a violation of GDPR rules on extra-European data transfers.
However, since multiple EU Member States have found the use of Google Analytics unlawful, it is worthwhile to dig a bit deeper here and explore the changing landscape.
- What rules apply to Google Analytics in India?
- Can I transfer personal data from Europe to India?
- What is all the fuss around Google Analytics about?
- Privacy legislation in India in general
- Final Thoughts
Let’s dive in!
What rules apply to Google Analytics in India?
The GDPR does not apply in India because India is not a member of the European Union or the European Economic Area. However, Indian companies still need to comply with the GDPR if they target the European market or monitor behaviors in the EU (this includes using Google Analytics for a website targeting a European audience).
Currently, India has no hard-and-fast rules on cookie policies and consent. As a result, cookies can be placed and read without collecting consent and without providing any information.
Can I transfer personal data from Europe to India?
At the moment, there is no adequacy decision for India. In other words, the European Commission has not “green-lighted” India as a safe country for data transfers.
You can still transfer personal data to India, but it will be trickier than transferring data to an EU/EEA country or a country covered by an adequacy decision.
What is all the fuss around Google Analytics about?
The recent trend of decisions against Google Analytics is part of a larger legal puzzle about data transfers between the EEA and the US. The issue does not involve India directly, but it does involve Indian websites using Google Analytics, provided that they target the European market and audience. We wrote about this extensively on our blog, so here’s a short version.
The core issue is State surveillance. Under the GDPR, European personal data can only be transferred outside the EEA if the transfer is safe. This is difficult for US data transfers because the US legal framework allows extensive and invasive surveillance of the data of foreign citizens. If an Indian company collects users' personal data in the EU with Google Analytics, the data will be transferred to the US for Google to process, which creates a risk that the data will be subject to surveillance by US agencies.
Two different data transfer frameworks (Safe Harbor and Privacy Shield) between the EU and the US made GDPR-compliant data transfers possible in the past, but both frameworks were invalidated by the EU Court of Justice in the Schrems I and II cases. A third framework is on the way but will certainly face a legal challenge. With a Schrems III ruling already on the horizon, the future of EU-US data flows remains uncertain.
In the meantime, companies must resort to different legal tools (typically standard contractual clauses) to lawfully transfer data to the US under the GDPR. However, the issue with these tools is that they offer no protection against State surveillance. For this reason, the Court of Justice clarified in the Schrems II case that they must be supplemented by additional privacy-safeguarding measures whenever data is sent to “unsafe” countries. This is difficult, and for the transfers required by certain cloud-based services such as Google Analytics, entirely impossible (we wrote about this here). So State surveillance is the reason transferring data to India is typically less tricky than transferring it to the US, even though an adequacy decision covers neither country.
After the Schrems II ruling in 2020, most companies kept doing business as usual with US-based service providers. In the meantime, data protection authorities coordinated their approach to data transfers at a European level. As a result, the Austrian, French, Italian, and Hungarian DPAs ruled against the use of Google Analytics in similar decisions. The Danish DPA also took a strict stance in a press release. All decisions practically amount to a State-wide ban, as we explained here. Other DPAs will likely follow the example and adopt a harder stance on Google Analytics.
Privacy legislation in India in general
The case law of the Supreme Court of India recognizes privacy as a fundamental right. However, India has no comprehensive data protection law at the moment. Various statutes, including the Information Technology Act, provide for some data protection rules.
A federal privacy law was introduced in Parliament earlier this year and later withdrawn. The Indian government recently published the draft for a new federal privacy law.
Final Thoughts
Whether Google Analytics is illegal in India or not, it’s definitely not privacy-friendly to your website visitors. In a world where state surveillance and monopolistic misconduct are more apparent than ever, we strive for an independent internet.
With Simple Analytics, you can still gather insights and discover opportunities from your website analytics without using cookies or collecting personal data. Want to see what that looks like? Check out our live dashboard here.
If this resonates with you, give us a try. It's free.