Let’s break it to you: No, Google Analytics is not illegal in Japan. The recent legal troubles of Google Analytics stem from European privacy watchdogs ruling that the use of Google Analytics violates GDPR rules on extra-European data transfers.
However, since multiple EU Member States have found the use of Google Analytics unlawful, it is worthwhile to dig a bit deeper here and explore the changing landscape.
- What rules apply to Google Analytics in Japan?
- Can I transfer personal data from Europe to Japan?
- What is all the fuss around Google Analytics about?
- Privacy legislation in Japan, in general
- Final Thoughts
Let’s dive in!
What rules apply to Google Analytics in Japan?
The GDPR does not apply in Japan, as the country is not a member of the European Union or the European Economic Area. However, Japanese companies still need to comply with the GDPR if they target the European market or monitor the behavior of people in the EU (this includes using Google Analytics for a website targeting a European audience).
Cookies are regulated strictly in Japan and can only be processed with the user’s active consent. Therefore, sites using Google Analytics need to implement a cookie banner with an opt-in mechanism to collect consent.
Can I transfer personal data from Europe to Japan?
The European Commission adopted an adequacy decision for Japan, essentially “greenlighting” the country as a safe destination for data transfers. EU-Japan data transfers are treated the same way as data transfers within the EU and don’t require any additional compliance burden.
Please note that the Commission periodically reviews adequacy decisions. If you plan on relying on an adequacy decision, make sure it’s still valid.
What is all the fuss around Google Analytics about?
The recent trend of decisions against Google Analytics is part of a larger legal puzzle about data transfers between the EEA and the US. The issue does not involve Japan directly, but it does involve Japanese websites using Google Analytics, provided that they target the European market and audience. We wrote about this extensively on our blog, so here’s a short version.
The core issue is State surveillance. Under the GDPR, European personal data can only be transferred outside the EEA if the transfer is safe. This is difficult for US data transfers because the US legal framework allows extensive and invasive surveillance of the data of foreign citizens. If a Japanese company uses Google Analytics to collect the personal data of users in the EU, the data will be transferred to the US for Google to process, which creates a risk that the data will be subject to surveillance by US agencies.
Two different data transfer frameworks (Safe Harbor and Privacy Shield) between the EU and the US made GDPR-compliant data transfers possible in the past, but both frameworks were invalidated by the EU Court of Justice in the Schrems I and II cases. A third framework is on the way but will undoubtedly face a legal challenge. With a Schrems III ruling already on the horizon, the future of EU-US data flows remains uncertain.
In the meantime, companies must resort to different legal tools (typically standard contractual clauses) to lawfully transfer data to the US under the GDPR. However, the issue with these tools is that they offer no protection against State surveillance. For this reason, the Court of Justice clarified in the Schrems II case that they must be supplemented by additional privacy-safeguarding measures whenever data is sent to “unsafe” countries. This is difficult, and entirely impossible for the transfers required by certain cloud-based services such as Google Analytics (we wrote about this here).
After the Schrems II ruling in 2020, most companies kept doing business as usual with US-based service providers. In the meantime, data protection authorities coordinated their approach to data transfers at a European level. As a result, the Austrian, French, Italian, and Hungarian DPAs ruled against the use of Google Analytics in similar decisions. The Danish DPA also took a strict stance in a press release. All decisions amount to a State-wide ban, as we explained here. Other DPAs will likely follow the example and adopt a harder stance on Google Analytics.
Privacy legislation in Japan, in general
The primary Japanese data protection law is the Protection of Personal Information Act (APPI). The law was amended in 2015. The APPI is mainly enforced by the Japanese data protection agency (the Personal Information Protection Commission).
Whether Google Analytics is illegal in Japan or not, it’s definitely not privacy-friendly to your website visitors. In a world where state surveillance and monopolistic misconduct are more apparent than ever, we strive for an independent internet.
With Simple Analytics, you can still gather insights and discover opportunities from your website analytics without using cookies or collecting personal data. Want to see what that looks like? Check out our live dashboard here.
If this resonates with you, give us a try. It's free.