An update on Google Analytics and GDPR

2023-08-17

This summer was indeed eventful. First, the Swedish Data Protection Authority ruled that four companies had to stop using Google Analytics because it violated GDPR. That made Sweden the fifth EU country to directly or indirectly ban Google Analytics. Then, a week later, the European Commission announced its decision that the US could now provide an adequate level of data protection and introduced the EU-US Data Privacy Framework. This presumably overruled the previous bans, as they were based on the US not being able to protect personal data.

But does that mean that you can use Google Analytics again? Probably, but it’s difficult to give a decisive answer. There are still reasons to be cautious when it comes to using Google Analytics, and in this article, we’ll explain why.

 

Google Analytics and Schrems II

To understand what’s happening now, it helps to know a bit about the background. The General Data Protection Regulation (GDPR) came into effect in 2018. The purpose of the regulation is to protect personal data, and it regulates how such information is collected and where it is transferred and stored.

Remember Cambridge Analytica? Yeah, that’s why regulations such as GDPR are needed.

When personal data is transferred to a non-EU country, or stored in the EU by a non-EU country, the non-EU country needs to ensure that it handles the data in accordance with GDPR. So far, the US has not been able to ensure that. In fact, Edward Snowden revealed in 2013 that the US routinely spies on other countries, friends and foes alike, which does not pair well with EU legislation.

To allow for data transfer to the US or to US-controlled servers in the EU, the European Commission passed the Privacy Shield in 2016. However, in 2020 the EU Court of Justice ruled, in the case known as Schrems II, that the Privacy Shield could not sufficiently protect personal data. The reasoning was that US intelligence services could access all personal data stored in the US or by a US company. The Privacy Shield was therefore annulled, and with that, all handling of EU personal data by a US company or organization would violate GDPR.

After the annulment of the Privacy Shield, several countries investigated whether the use of Google Analytics violated GDPR. This led the Data Protection Authorities in five countries to directly or indirectly ban the use of Google Analytics: Austria, France, Italy, Denmark and lastly Sweden.

Austria was the first country to ban the use of Google Analytics in early 2022, and was soon followed by France, Italy and Denmark the same year. These decisions were based on Schrems II and the inability of the US to sufficiently protect personal data. In July 2023, the Swedish Data Protection Authority decided that in four specific cases, the use of Google Analytics violated GDPR. Unlike the other four countries, the authority did not ban Google Analytics in general, but instead focused on specific use cases. However, its decision was also based on Schrems II, and therefore in effect banned Google Analytics.

 

The new framework

In July 2023, only a week after Google Analytics was effectively banned in Sweden too, the European Commission announced that with the introduction of the Data Privacy Framework, the US could ensure an adequate level of protection for personal data. Basically, the US could once again handle EU personal data without violating GDPR. It is not a general rule, however: only companies and organisations on the Data Privacy Framework List are approved. To get on the list, companies self-certify and state the purpose of their data collection. Google is on that list, and therefore, Google Analytics is no longer banned. At least not in theory.

The issue highlighted by Schrems II was that US intelligence services could access personal data from the EU and use that to identify individuals. However, in October 2022, President Biden signed an executive order which limits the access by the US intelligence services, and they are now only allowed to access personal data if it is “necessary and proportionate to protect national security”[1].

Furthermore, a Data Protection Review Court has been established to make sure that the US doesn’t violate the framework. The court also has the authority to order deletion of data that has not been collected or handled in accordance with the new safeguards.

The framework will also be reviewed periodically, with the first review planned to take place next year. The purpose of the review is to verify that “all relevant elements have been fully implemented in the US legal framework and are functioning effectively in practice” [2]. Basically, the US has not yet made all the changes necessary to be fully GDPR-compliant.

noyb has called the Data Privacy Framework “largely a copy of the failed ‘Privacy Shield’” and announced that they are going to challenge the European Commission’s decision[3]. It is also worth pointing out that an executive order by an American president is not legislation, and the executive order can therefore be overturned by the next president (or the current one, if he were to change his mind). There is only a year left until the next American election.

 

What is the future for Google Analytics in Europe?

Of course, that is hard to predict. What we know is that the Data Privacy Framework allows US companies and organizations to handle personal data for EU citizens again, which in turn allows for the use of Google Analytics. Probably. What we don’t know is whether the framework will last, and there are several reasons for that:

  1. noyb has announced that they are going to challenge the framework,
  2. the framework is to be reviewed in a year, and
  3. the framework depends on an executive order by the American president, not legislation, and the next election is in 2024.

Basically, there could be a Schrems III, the review could reveal that the US did not fulfil their promises, or the next American president could overturn the executive order. If any of this happens, Google Analytics is effectively banned again.

However, even with the new framework, individual countries could still ban the use of Google Analytics again. The executive order is not yet legislation, and it is therefore difficult to predict whether national Data Protection Authorities will consider Google Analytics to be fully GDPR-compliant now, or whether they will require further actions or restrictions.

If you are currently using, or considering using, Google Analytics, you have a few options. You can hope for the best and continue to use Google Analytics, but you would risk a hefty fine if things change. You can also do an awful lot of coding to protect the personal data, but that can be very expensive and time consuming. You can anonymize everything, not just IP addresses, but that will restrict your analysis possibilities. Or you can replace Google Analytics with one of the GDPR-compliant options already on the market. That way, you won’t have to worry about the future of the new Data Privacy Framework.

One of the GDPR safe options on the market is us, Extellio, and we even offer some of our services for free. You are also able to tour our platform with our demo account.

_______________________

 

[1] https://ec.europa.eu/commission/presscorner/detail/en/ip_23_3721 [Accessed 2023-08-22]

[2] https://ec.europa.eu/commission/presscorner/detail/en/ip_23_3721 [Accessed 2023-08-22]

[3] https://noyb.eu/en/european-commission-gives-eu-us-data-transfers-third-round-cjeu [Accessed 2023-08-22]


GDPR: 

EU law regulating the processing of personal data of individuals (regardless of citizenship or residency) in the EU and European Economic Area (EEA). It prohibits the transfer of that data outside the EU and EEA without adequate safeguards.

PRIVACY SHIELD: 

An international agreement that allowed for personal data to be legally transferred to the US. It enabled organizations transferring data to use self-certification for GDPR compliance and was invalidated by Schrems II. 

 

SCHREMS II:

Legal ruling in the Schrems II case (Data Protection Commissioner v Facebook Ireland and Maximillian Schrems) that found US laws could not properly protect personal data under GDPR standards, meaning the EU-US Privacy Shield agreement was invalid. It also required that companies using SCCs must verify the privacy protection in the country receiving the data.

 

TRANS-ATLANTIC DATA PRIVACY FRAMEWORK:

A new international agreement that addresses the issues of Schrems II and allows for personal data to be legally transferred to the US under GDPR. The EU and US announced a tentative agreement to it in principle, but it is yet to be finalized.