Early in 2022, the Austrian and French privacy watchdogs declared that using Google Analytics is illegal for European companies due to privacy violations. Now the Norwegian and Danish Data Protection Authorities have explained how companies may keep using Google Analytics in a legally compliant way.
The Norwegian Data Protection Authority explains:
"Since the decisions of our European colleagues, we have taken a closer look at the tool and the specific settings you can use if you want to use Google Analytics. It has been particularly relevant since, in the wake of the first decision from Austria, Google has started to make additional settings available in relation to what information can be collected via the tool. However, the conclusion is still that the tool cannot be used legally."
Yes, and no. It is illegal for European companies to use Google Analytics "as is". By applying technical measures like pseudonymisation it is still possible to use Google Analytics in compliance with the GDPR.
One technical measure that must be considered when using Google Analytics is pseudonymisation. The GDPR requires that Google must not be able to find out whose data it is seeing. This covers people's IP addresses, but also any other information that allows conclusions to be drawn about the identity of a person.
To clean the data before sending it to Google, European companies must therefore send it via a reverse proxy.
The French CNIL has published detailed instructions on how to send your analytics data to Google via a proxy.
However, this is easier said than done. The solution described by the CNIL - Commission Nationale de l'Informatique et des Libertés - is a convoluted technical mess.
The idea is that instead of sending all Google Analytics' traffic to Google's servers directly, companies could pass it through a server that they control and that is located in the EU.
To become compliant with the GDPR privacy requirements, EU companies must also scrub the data from any personally identifiable information.
Notably, the recommendation by the CNIL also states that you need to scrub all UTM query parameters, a.k.a. campaign identifiers. This requirement renders the use of Google Analytics pointless. Why would a company use Google Analytics if it cannot use the data to find out which ad campaign is running well and which isn't?
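The scrubbing step such a proxy runs before forwarding a hit, as an added example (not taken from the CNIL guidance or from Google). It assumes Universal Analytics Measurement Protocol parameter names; which parameters and headers to drop beyond IP addresses and UTM identifiers, and the HMAC-based replacement of the client ID, are assumptions.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Universal Analytics Measurement Protocol names; the selection is an assumption.
CAMPAIGN_PARAMS = {"cn", "cs", "cm", "ck", "cc", "ci", "gclid", "dclid"}
IDENTITY_PARAMS = {"uip", "uid", "ua"}  # IP override, user ID, user-agent override
URL_PARAMS = {"dl", "dr"}               # page URL and referrer
# Request headers that must not travel on to Google (assumed list).
STRIPPED_HEADERS = {"x-forwarded-for", "x-real-ip", "forwarded",
                    "cookie", "referer", "user-agent"}


def strip_utm(url):
    """Remove utm_* campaign parameters from a URL, keeping everything else."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if not k.lower().startswith("utm_")]
    return urlunsplit(parts._replace(query=urlencode(kept)))


def pseudonymise(client_id, secret):
    """Replace the client ID with a keyed hash; linking needs the proxy's secret."""
    return hmac.new(secret, client_id.encode(), hashlib.sha256).hexdigest()[:32]


def scrub_hit(query, headers, secret):
    """Return (query, headers) with identifying fields removed before forwarding."""
    out = []
    for key, value in parse_qsl(query, keep_blank_values=True):
        if key in CAMPAIGN_PARAMS or key in IDENTITY_PARAMS:
            continue                      # drop outright
        if key in URL_PARAMS:
            value = strip_utm(value)
        elif key == "cid":
            value = pseudonymise(value, secret)
        out.append((key, value))
    # The proxy opens its own connection, so Google sees the proxy's IP as long
    # as no header carries the visitor's address along.
    kept = {k: v for k, v in headers.items() if k.lower() not in STRIPPED_HEADERS}
    return urlencode(out), kept


# Constructed sample hit and headers (not captured traffic).
SAMPLE_QUERY = ("v=1&tid=UA-XXXXX-Y&cid=555.123&t=pageview&cs=newsletter&uip=203.0.113.9"
                "&dl=https%3A%2F%2Fexample.org%2Fpage%3Fid%3D7%26utm_source%3Dnews")
SAMPLE_HEADERS = {"X-Forwarded-For": "203.0.113.9", "Cookie": "_ga=GA1.2.555.123",
                  "Content-Type": "text/plain"}

if __name__ == "__main__":
    print(scrub_hit(SAMPLE_QUERY, SAMPLE_HEADERS, b"rotate-this-secret"))
```

After scrubbing, the hit still counts a page view for `/page?id=7`, but the campaign source is gone, which is exactly the loss of attribution the paragraph above describes.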
Fortunately, there are loads of Google Analytics alternatives based here in Europe, for instance Matomo, Piwik, Plausible or Econda.
After the Austrian ruling that was issued in February 2022, France's privacy watchdog, the CNIL, also declared that Google Analytics breaches the GDPR and must therefore be banned. The CNIL published a statement:
"The CNIL, in cooperation with its European counterparts, analysed the conditions under which the data collected through this service [Google Analytics] is transferred to the United States. The CNIL considers that these transfers are illegal and orders a French website manager to comply with the GDPR and, if necessary, to stop using this service under the current conditions."
When the Privacy Shield legislation was invalidated in 2020, this had far-reaching consequences for US online services operating in Europe: They were no longer allowed to transfer data of European citizens to the US as this would make data of European citizens vulnerable to American mass surveillance - a clear violation of the European GDPR.
However, the Silicon Valley tech industry largely ignored the ruling. This has now led to the ruling that Google Analytics is banned in Europe. NOYB says:
"While this (=invalidation of Privacy Shield) sent shock waves through the tech industry, US providers and EU data exporters have largely ignored the case. Just like Microsoft, Facebook or Amazon, Google has relied on so-called "Standard Contract Clauses" to continue data transfers and calm its European business partners."
Now, the Austrian Data Protection Authority strikes the same chord as the European court did when it declared Privacy Shield invalid: It has decided that the use of Google Analytics is illegal as it violates the General Data Protection Regulation (GDPR). Google is "subject to surveillance by US intelligence services and can be ordered to disclose data of European citizens to them". Therefore, the data of European citizens may not be transferred across the Atlantic.
On August 14, 2020, a Google user accessed an Austrian website about health issues. This website used Google Analytics, and data about the user was transmitted to Google in the USA. Based on this data, Google was able to deduce who he or she was.
On August 18, 2020, the Google user complained to the Austrian data protection authority with the help of the data protection organization NOYB.
Now, the Austrian court has declared this data transfer by Google Analytics illegal in Europe.
The issue at hand is that, due to the American CLOUD Act, US authorities are able to demand personal data from Google, Facebook and other US providers, even when they are operating outside of the US, for instance in Europe.
Thus, Google cannot provide an adequate level of protection under Article 44 GDPR - a clear violation of European data protection guarantees. The standard contractual clauses invoked by the website operator do not help, as recognized in 2020 by the European Court of Justice (ECJ) in its decision on the "Privacy Shield" (Schrems II).
The decisive factor for the legal assessment of the use of Google Analytics is not whether a U.S. intelligence agency actually obtained the data or whether Google actually identified the user. The mere fact that this was theoretically possible was already a violation of the GDPR.
Google users can, however, change a setting in their Google accounts to stop Google from evaluating their use of third-party websites in detail. But the very existence of this feature is proof that Google is able to merge usage data with the individual.
This ruling is one of the biggest successes of the data protection organization NOYB to date. Consequently, the NOYB and Max Schrems are very happy about the decision by the Austrian court:
"This is a very detailed and sound decision. The bottom line is: Companies can't use US cloud services in Europe anymore. It has now been 1.5 years since the Court of Justice confirmed this a second time, so it is more than time that the law is also enforced."
This ruling is the first among 101 lawsuits by Schrems' non-profit NOYB in most member states of the European Union.
Similar decisions on the ban of Google Analytics are now expected to drop in Germany, the Netherlands and other EU member states.
Tutanota - as a secure email service that focuses on users' privacy - has never used Google Analytics.
But now, many companies in Europe must ask themselves whether they should remove Google Analytics from their websites or risk a penalty for violating the GDPR.
In the long run, there will be two options: Either the United States changes its surveillance laws to strengthen its tech businesses, or US providers will have to host data of European users in Europe.
The Dutch Authority for Personal Data (AP) - where two decisions on the use of Google Analytics are still pending - has now updated its own guidance on the "privacy-friendly setup of Google Analytics".
With the update, the AP has issued a warning:
"Please note: The use of Google Analytics may soon no longer be allowed."
While the Danish and Norwegian Data Protection Authorities now explain how Google Analytics can be used in a legally compliant way in Europe, the solution presented is not feasible due to its incredible complexity.
While Silicon Valley tech companies will find a way to still offer their services in Europe - one way or another - the approach that they took after the invalidation of Privacy Shield must raise several red flags to European businesses:
As a European company it is no longer possible to trust sensitive user data to companies such as Google that deliberately ignore European privacy legislation and risk hefty fines for their European business customers.
The fines against the Austrian health website in the discussed case have not been decided yet, but in the worst case, the fine is 20 million euros or 4% of annual sales.
As privacy is becoming increasingly important to consumers around the world, it is a logical step for any European business to choose services that focus on protecting their users' privacy.
European alternatives for Google Analytics are Matomo, Piwik, Plausible or Econda - to name a few.
If you are looking to replace other Google services as well, check out our guide to take back your privacy online with lots of Google alternatives.
A great Gmail alternative, for instance, is Tutanota, the secure German email provider that is in full compliance with the GDPR. 😉