Let’s break it to you directly: no, Google Analytics is not illegal in Switzerland. Google Analytics came under fire from several European authorities because it is not compliant with the GDPR rules on extra-European data transfers. The GDPR does not apply in the Swiss Confederation as it is not a member of the European Union or the European Economic Area.
However, Swiss companies still need to comply with the GDPR if they target the European market or monitor behaviors in the EU (this includes using Google Analytics on a website targeting a European audience). Hence, it is worthwhile to dig deeper here.
- Swiss privacy legislation
- What rules apply to Google Analytics in Switzerland?
- Can I transfer personal data from Europe to Switzerland?
- What is all the fuss around Google Analytics about?
- Final Thoughts
Let’s dive in!
Swiss privacy legislation
The Swiss Constitution recognizes data protection and privacy as fundamental rights. Swiss law includes a comprehensive data protection framework, including the 1992 Federal Data Protection Act. The Swiss DPA (the Data Protection and Information Commissioner) enforced this data protection framework at a federal level.
What rules apply to Google Analytics in Switzerland?
Can I transfer personal data from Europe to Switzerland?
The European Commission adopted an adequacy decision for Switzerland, essentially declaring it a safe destination for data transfers. You can transfer personal data to Switzerland with no compliance burdens as if you were forwarding the data to an EU Member State.
Please note that the Commission periodically reviews adequacy decisions. If you plan on relying on an adequacy decision, make sure it’s still valid.
What is all the fuss around Google Analytics about?
The recent trend of decisions against Google Analytics is part of a larger legal puzzle about data transfers between the EEA and the US. The issue does not involve Switzerland directly, but it does involve Swiss websites using Google Analytics if they target the European market or audience. We wrote about this extensively already on our blog, so here’s a short version.
The core issue is State surveillance. Under the GDPR, European personal data can only be transferred outside the EEA when this can be done safely. This is difficult for US data transfers because the US legal framework allows extensive and invasive surveillance of the data of foreign citizens.
Two different data transfer frameworks (Safe Harbor and Privacy Shield) between the EU and the US made GDPR-compliant data transfers possible in the past, but both frameworks were invalidated by the EU Court of Justice in the Schrems I and II cases. A third framework is on the way but will certainly face legal challenges. With a Schrems III ruling already on the horizon, the future of EU-US data flows remains uncertain.
In the meantime, companies must resort to different legal tools (typically standard contractual clauses) to lawfully transfer data to the US under the GDPR. However, the issue with these tools is that they offer no protection against State surveillance. For this reason, the Schrems II ruling clarified that they need to be supplemented by additional privacy-safeguarding measures whenever data is sent to “unsafe” countries. This is difficult and entirely impossible for the transfers required by certain cloud-based services such as Google Analytics (we wrote about this here).
After the Schrems II ruling in 2020, most companies kept doing business as usual with US-based service providers. In the meantime, NGO noyb filed 101 complaints about data transfers against European websites using Google Analytics and Facebook Connect to nudge authorities toward stricter enforcement of the Schrems II ruling.
Data protection authorities coordinated their approach at a European level to handle the complaints coherently. As a result, the Austrian, French, Italian, and Hungarian DPAs ruled against the use of Google Analytics in very similar decisions, and the Danish DPA essentially did the same in a press release. While the decisions address an individual controller, they all set a precedent that practically amounts to a State-wide ban, as we explained here.
With coordination at a European level and the influential French and Italian authorities leading the way, other DPAs will likely follow the example and adopt a harder stance on Google Analytics.
Whether Google Analytics is illegal in Switzerland or not, it’s definitely not privacy-friendly to your website visitors. We believe you can gather website insights while respecting your visitor's privacy. This is why we started building Simple Analytics as a privacy-friendly Google Analytics alternative.
With Simple Analytics, you can still gather insights and discover opportunities from your website analytics without using cookies or collecting personal data. Want to see what that looks like? Check out our live dashboard here. If this resonates with you, feel free to give us a try.