In the fight between GDPR and Google Analytics, GDPR is winning
There’s probably no bigger name on the internet than Google. And there’s probably no bigger name in web analytics than Google Analytics. The tech giant’s service for tracking, reporting, and analyzing website traffic is perhaps the most used in the world. It’s also the subject of increasing legal scrutiny in the European Union, with a growing number of courts and government agencies declaring Google Analytics violates EU law.
Google is no stranger to conflict with EU data protection rules. The company or its subsidiaries have been fined almost a dozen times since the union began enforcing the General Data Protection Regulation (GDPR) in 2018. But this is different. The recent trend of rulings regarding Google Analytics puts companies that use it (or similar non-European services) at risk for potential hefty fines.
Almost since its launch in 2006, Google Analytics has dominated the market for web analytics. While there are a multitude of different services today, more than half of the 100,000 most popular websites use Google Analytics to get general stats about their traffic — how many visitors came to what pages, what was the average time they spent there, etc. And that includes stats about the visitors, like their geographic regions and web browsers.
How Google Analytics processes data
Google Analytics has had several updates and versions over the years, but it’s essentially operated in the same basic way:
- The website owner or manager installs the Google Analytics Tracking Code, which runs in a visitor’s web browser when they visit any page where the code is installed.
- The code assigns a unique identifier to the visitor and collects data about their visit.
- The code sends the data to Google’s servers in the United States, where it is processed and stored.
Google Analytics was deemed GDPR-compliant for years, when visitors’ personal data could be legally transferred to the US under the terms of the Privacy Shield agreement. In addition, those who used the service were offered contracts with the European Commission’s Standard Contractual Clauses (SCCs), which specifically provided safeguards and rights to data subjects whose personal data was being transferred outside the EU and EEA.
On July 16, 2020, the European Court of Justice (ECJ) set a new legal precedent regarding transfers of personal data to the US, which also likely affected several US-based cloud services. The Schrems II ruling essentially put many transfers of personal data from the EU and EEA to the US in violation of the GDPR. What’s more, it clarified that companies may have a legal responsibility where they use data-collection services that are in violation of the GDPR.
The cases against Google Analytics
While Schrems II applies to any data service that sends personal data to servers in the US, Google Analytics is one of the most prominent. A simple HTML inspection of a website by any visitor in the EU and EEA will reveal if it has the tracking code or not. And since Google Analytics transfers all visitor data to the US, the presence of the tracking code can be seen as evidence that the website’s owner violated the GDPR.
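The HTML inspection mentioned above can be automated for a compliance audit of your own pages. The following is an added example (not code from the original article or from Google) that parses a page's script tags and looks for the known Google Analytics loader URLs and property IDs; the sample page and its measurement ID are constructed placeholders.

```python
import re
from html.parser import HTMLParser

# Known script locations for Google Analytics / gtag loaders.
GA_SCRIPT_PATTERNS = [
    r"googletagmanager\.com/gtag/js",
    r"google-analytics\.com/(analytics|ga)\.js",
]
# Universal Analytics property IDs (UA-12345678-1) and GA4 measurement IDs (G-XXXXXXXXXX).
GA_ID_RE = re.compile(r"\b(UA-\d{4,10}-\d{1,4}|G-[A-Z0-9]{6,12})\b")


class _Scanner(HTMLParser):
    """Collects external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.script_srcs, self.inline_scripts, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            src = dict(attrs).get("src")
            if src:
                self.script_srcs.append(src)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:  # HTMLParser hands script bodies to handle_data
            self.inline_scripts.append(data)


def find_google_analytics(html):
    """Return matched GA loader URLs, property/measurement IDs and a present flag."""
    scanner = _Scanner()
    scanner.feed(html)
    loaders = [u for u in scanner.script_srcs if any(re.search(p, u) for p in GA_SCRIPT_PATTERNS)]
    ids = set()
    for blob in scanner.inline_scripts + scanner.script_srcs:
        ids.update(GA_ID_RE.findall(blob))
    return {"scripts": loaders, "ids": sorted(ids), "present": bool(loaders or ids)}


# Constructed sample page with a GA4 gtag snippet; the ID is a placeholder, not a real property.
SAMPLE_HTML = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-ABC123DEF4"></script>
<script>window.dataLayer = window.dataLayer || [];
function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'G-ABC123DEF4');
</script></head><body><p>Hello</p></body></html>"""

if __name__ == "__main__":
    print(find_google_analytics(SAMPLE_HTML))
```

Run it against the HTML of each page you serve; a `present` result means visitor data is being sent to Google and the transfer question in this article applies to you.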
A month after the Schrems II ruling, the non-profit privacy group None of Your Business (NOYB) — whose founder is Max Schrems, the original legal complainant in the Schrems II case — filed GDPR complaints against 101 European companies in all 30 EU and EEA member states. The basis for their complaints? The presence of Google Analytics or Facebook tracking codes on the companies' websites.
What followed was a slew of rulings by various national agencies confirming Google Analytics was illegal based on Schrems II:
- The Austrian Data Protection Authority (Datenschutzbehörde) was the first, in January 2022.
- The French Data Protection Authority (CNIL) followed suit in February 2022.
- The Italian Data Protection Authority (Garante) ruled in June 2022.
- Denmark’s Data Protection Authority (Datatilsynet) gave its ruling in September 2022.
- Sweden's Data Protection Authority (Integritetsskyddsmyndigheten) ruled in June 2023.
- The EU Commission launched the EU-US Privacy Framework, allowing for data transfer to the USA under certain conditions.
What to do if you use Google Analytics
Throughout the rulings, both by the ECJ and the data protection agencies, two core points have become clear:
1) companies that use Google Analytics may be legally liable if their use of the service violates the provisions of the GDPR, and
2) the platform's standard anonymization techniques are not enough to prevent what can be considered personal data (due to the use of unique identifiers) from being transferred to the US.
It's also clear that the issue will not resolve on its own, and if your company uses Google Analytics, you may need to take steps to protect yourself. This can be done by implementing supplementary measures, such as pseudonymization, to bring your use of Google Analytics into compliance. The French Data Protection Authority has published a detailed guide for how organizations can apply pseudonymization by means of a reverse proxy.
But there’s no guarantee that any such efforts will satisfy the data protection authority in your specific country, today or later on down the road. This was evident in Sweden's recent ruling, where the pseudonymization steps one company had taken through a proxy were ruled not to be enough protection.
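To make the reverse-proxy approach concrete, here is an added example (not code from the article, the CNIL guide or Google) of the rewriting such a proxy would apply to one analytics hit before forwarding it: it drops the IP override, replaces the client identifier with a keyed pseudonym, and strips identifying URL parameters and external referrers. The parameter names follow the Universal Analytics Measurement Protocol (`cid`, `dl`, `dr`, `uip`); the secret key, site host and sample hit are constructed placeholders, and as the Swedish ruling above shows, these measures alone are not a guarantee of compliance.

```python
import hmac
import hashlib
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Hypothetical proxy-side key; it should be rotated so pseudonyms cannot be linked long-term.
PROXY_SECRET = b"rotate-me-regularly"


def pseudonymize_client_id(cid, secret=PROXY_SECRET):
    """Keyed hash of the GA client id: stable per visitor per key, not reversible without the key."""
    return hmac.new(secret, cid.encode(), hashlib.sha256).hexdigest()[:32]


def strip_url_params(url):
    """Drop query string and fragment, which may carry user ids, tokens or search terms."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))


def sanitize_hit(params, site_host):
    """Rewrite one hit (Measurement Protocol key/value pairs) before it leaves the proxy."""
    out = dict(params)
    out.pop("uip", None)  # never forward the visitor's IP; Google sees only the proxy's address
    if "cid" in out:
        out["cid"] = pseudonymize_client_id(out["cid"])
    if "dl" in out:
        out["dl"] = strip_url_params(out["dl"])  # page URL without parameters
    referrer = out.get("dr")
    if referrer and urlsplit(referrer).netloc != site_host:
        out.pop("dr")  # external referrer can reveal where the visitor came from
    elif referrer:
        out["dr"] = strip_url_params(referrer)  # internal referrer kept, parameters removed
    return out


# Constructed sample hit as a browser would post it; the tracking id is a placeholder.
SAMPLE_HIT = dict(parse_qsl(
    "v=1&tid=UA-00000000-1&cid=555.1234&t=pageview&dl=https://shop.example/cart?user=42"
    "&dr=https://mail.example/inbox?msg=9&uip=203.0.113.7"))

if __name__ == "__main__":
    print(urlencode(sanitize_hit(SAMPLE_HIT, "shop.example")))
```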
The most effective and most future-proof option is to stop using Google Analytics and switch to another web analytics platform that is vigilant about complying with the GDPR and does not transfer visitors’ personal data to the US.
But whatever you do, it’s vital to stay informed. GDPR and Schrems II have the potential to affect every facet of operating a business in the digital age, and "not knowing" is not an acceptable excuse.
Extellio offers totally free and GDPR future-proof analytics (yes, it's true). We won't use your data for our own purposes. There's really no catch at all. Try us for free today!
GDPR:
EU law regulating the processing of personal data of individuals (regardless of citizenship or residency) in the EU and European Economic Area (EEA). It prohibits the transfer of that data outside the EU and EEA without adequate safeguards.
PRIVACY SHIELD:
An international agreement that allowed for personal data to be legally transferred to the US. It enabled organizations transferring data to use self-certification for GDPR compliance and was invalidated by Schrems II.
SCHREMS II:
Legal ruling in the Schrems II case (Data Protection Commissioner v Facebook Ireland and Maximillian Schrems) that found US laws could not properly protect personal data under GDPR standards, meaning the EU-US Privacy Shield agreement was invalid. It also required that companies using SCCs must verify the privacy protection in the country receiving the data.
TRANS-ATLANTIC DATA PRIVACY FRAMEWORK:
A new international agreement that addresses the issues of Schrems II and allows for personal data to be legally transferred to the US under GDPR. The EU and US announced a tentative agreement to it in principle, but it is yet to be finalized.