Can you use Google Analytics in Sweden?
The short version
There are a lot of uncertainties regarding the use of Google Analytics in Sweden. The Swedish Authority for Privacy Protection found that using Google Analytics and only anonymizing IP addresses was not a sufficient measure for protecting personal data sent to the US, and in July 2023, four companies had to stop using Google Analytics. However, that was based on the US intelligence services being able to access all personal data.
A week later, and because of an executive order by Biden back in 2022 that limits the data US intelligence services can access, the European Commission decided that with the introduction of the Data Privacy Framework, the US can ensure an adequate level of protection. This is by some seen as a green light for Google Analytics, but there are a few reasons to be cautious:
- noyb has announced that they will challenge the framework, like they did the Privacy Shield.
- The framework will be reviewed in a year to see that what the US has promised is also functioning in practice.
- This framework rests on an executive order from a president, which can be overturned by the next (or current) president. The next election is 2024.
Basically, there could be a Schrems III that annuls the framework, the review might find that the US didn’t fulfill its promises, or the executive order could be overturned. If any of those things were to happen, Google Analytics would effectively be banned again.
So, can you use Google Analytics in Sweden now? Probably. But with the threat of a hefty fine if things change, why risk it? There are already GDPR-safe alternatives on the market.
The longer answer
The honest answer is that we don’t know, and as of yet, nobody does. But there are some things that we know.
A quick summary of events is that in 2020, the EU Court of Justice ruled that the US could not protect personal data in accordance with GDPR (the case known as Schrems II). If you wanted to send personal data to the US, for example because you were using Google Analytics, extra measures were needed to ensure the protection of the personal data.
In July 2023, the Swedish Authority for Privacy Protection ruled that four Swedish companies had to stop using Google Analytics as they could not sufficiently protect personal information[1]. The reason for their ruling was that even though the IP addresses had been anonymized, there was still sufficient information about the users that it would be possible to identify individuals. A week later, the European Commission introduced the “EU-US Data Privacy Framework”, which suddenly allowed for data transfers to the US again and potentially contradicted the ruling against the four companies.
The big question now is if the framework is a green light for Google Analytics. Well, not necessarily. Let’s look at why.
The problem with transferring data to the US
To better understand what’s happening now, we need to start a few years back. In 2018, the General Data Protection Regulation (GDPR) came into effect. The purpose of the regulation is to protect personal data, and it regulates how such information is collected and where it is transferred and stored.
Remember Cambridge Analytica? Yeah, that’s why regulations such as GDPR are needed.
When personal data is transferred outside of the EU, the recipient country needs to ensure that it handles the data in accordance with GDPR. So far, the US has not been able to ensure that. In fact, Edward Snowden revealed in 2013 that the US routinely spies on other countries, friends and foes alike, which does not pair well with EU legislation. Although the US might be interested in protecting the personal data of its own citizens, it is most certainly not interested in protecting the personal data of others.
To allow for data transfer to the US, the European Commission passed the Privacy Shield in 2016. However, the EU Court of Justice ruled in 2020 that the Privacy Shield couldn’t sufficiently protect personal data (Schrems II), as the US intelligence services could access all personal data, and it was annulled. And with that, most transfers of personal data to the US would violate GDPR. However, not only data transfers to the US are affected. Data stored on EU servers by American companies are also affected as the headquarters in the US are able to access the data, and therefore, so are the US intelligence services.
The introduction of the Data Privacy Framework
As you can imagine, or maybe have experienced, not being able to transfer certain data to the US or store it on US-controlled servers can be problematic in a world of global trade. In October 2022, US President Biden signed an executive order that limits the US intelligence services’ access to personal data from the EU[2]. In July 2023, the European Commission decided that the US “ensures an adequate level of protection for personal data transferred from the EU to organizations in the US that are included in the ‘Data Privacy Framework List’”[3].
To be included in the Data Privacy Framework List, companies self-certify and state their purpose for collecting data. This information is available for all companies on the list, and Google writes that:
“We currently do not rely on the EU-U.S. and Swiss-U.S. Data Privacy Frameworks and the UK Extension to transfer EEA, Swiss and UK personal information to the U.S. but continue to apply the Data Privacy Frameworks’ Principles to personal data we received from the EEA, Switzerland and UK in reliance on the Data Privacy Frameworks.”[4]
Is this a riddle?
Anyway, the problem so far has been that the US intelligence services can access personal data of EU citizens, which is why the Privacy Shield was annulled. Schrems’ organization noyb (none of your business) has called the new framework “a copy of the failed ‘Privacy Shield’”[5]. noyb also announced that they will challenge the decision.
There are, however, some safety measures included in this framework. The executive order signed by Biden limits the data the US intelligence services can access to only that which is “necessary and proportionate” to protect national security. A Data Protection Review Court has also been created to investigate and resolve complaints, and if the court finds that data was handled in violation of the framework, it has the authority to order the deletion of that data[6].
The framework will also be reviewed periodically by the European Commission, to verify that “all relevant elements have been fully implemented in the US legal framework and are functioning effectively in practice”[7]. The first review will be after a year, and what that will reveal, we can only guess.
Which brings us back to the big question.
Can you use Google Analytics in Sweden?
Well, probably, but also, maybe not. The rulings by the Swedish Authority for Privacy Protection in July 2023 were based on the EU decision that the US could not sufficiently protect personal data. The key is not what the US intelligence services do, but what they can do. Basically, it’s not a question of if they are accessing personal data from the EU, but if they can.
The safeguard that limits the data the US intelligence services can access is based on the executive order “Enhancing Safeguards for United States Signals Intelligence Activities”. However, an executive order is not legislation, and it can easily be overturned by the next US president (or the current one, if he were so inclined). A new president might be elected next year, and we don’t know if that person will agree with Biden.
It’s difficult to tell exactly how this new framework will affect the use of Google Analytics in Sweden, especially since the Swedish Authority for Privacy Protection makes case-by-case assessments. What we do know is that before the Data Privacy Framework was agreed upon, the version of Google Analytics used by the four companies, and the way they specifically used it, violated GDPR.
Another point made by the Swedish Authority for Privacy Protection was that anonymizing IP addresses wasn’t a sufficient measure to protect personal data. With all the additional data available, it could be possible to single out individuals, and therefore identify them. To work around that restriction, you’d either have to do an awful lot of coding, or you’d have to anonymize your data until you lost all connections between your data points, which severely limits your analysis possibilities.
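To make the "singling out" point concrete, here is an added example (not code from the original post or from Google) that measures k-anonymity over a small set of constructed analytics hits: how many hits remain unique once the IP address is anonymized the way Google documented it (last IPv4 octet zeroed, IPv6 cut to /48), and how many remain once the other fields are generalized away too. The hit records, field names and the `anonymize_ip` helper are assumptions made for the example.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample hits (not real data): the kind of fields a web-analytics
# tag sends alongside the visitor's IP address.
HITS = [
    {"ip": "203.0.113.17",   "ua": "Firefox/115 Linux",  "screen": "2560x1440", "lang": "sv-SE"},
    {"ip": "203.0.113.42",   "ua": "Chrome/115 Windows", "screen": "1920x1080", "lang": "sv-SE"},
    {"ip": "203.0.113.99",   "ua": "Chrome/115 Windows", "screen": "1920x1080", "lang": "sv-SE"},
    {"ip": "198.51.100.5",   "ua": "Safari/16 iOS",      "screen": "390x844",   "lang": "en-US"},
    {"ip": "198.51.100.77",  "ua": "Chrome/115 Android", "screen": "412x915",   "lang": "sv-SE"},
    {"ip": "198.51.100.200", "ua": "Safari/16 macOS",    "screen": "1440x900",  "lang": "sv-SE"},
    {"ip": "203.0.113.8",    "ua": "Chrome/115 Windows", "screen": "1920x1080", "lang": "sv-SE"},
    {"ip": "198.51.100.9",   "ua": "Safari/16 iOS",      "screen": "390x844",   "lang": "en-US"},
]


def anonymize_ip(ip: str) -> str:
    """IP anonymization as Google documented it: keep a /24 for IPv4, a /48 for IPv6."""
    prefix = 24 if ip_address(ip).version == 4 else 48
    return str(ip_network(f"{ip}/{prefix}", strict=False).network_address)


def anonymized(hits):
    """Copy of the hits with the full IP replaced by its anonymized prefix."""
    return [{**h, "ip": anonymize_ip(h["ip"])} for h in hits]


def quasi_identifier(hit, fields):
    """The tuple of field values that, together, may single out a visitor."""
    return tuple(hit[f] for f in fields)


def min_group_size(hits, fields):
    """k in k-anonymity: the smallest number of hits sharing one quasi-identifier."""
    counts = Counter(quasi_identifier(h, fields) for h in hits)
    return min(counts.values())


def singled_out(hits, fields):
    """Number of hits whose quasi-identifier is unique, i.e. visitors singled out."""
    counts = Counter(quasi_identifier(h, fields) for h in hits)
    return sum(1 for h in hits if counts[quasi_identifier(h, fields)] == 1)


if __name__ == "__main__":
    anon = anonymized(HITS)
    print("full IP only:            ", singled_out(HITS, ("ip",)), "of", len(HITS), "singled out")
    print("anon IP + ua/screen/lang:", singled_out(anon, ("ip", "ua", "screen", "lang")), "singled out")
    print("anon IP + lang only:     ", singled_out(anon, ("ip", "lang")), "singled out, k =",
          min_group_size(anon, ("ip", "lang")))
```

Anonymizing the IP alone leaves three of the eight visitors unique because the browser, screen and language fields still identify them; only dropping those fields brings every group to at least two hits, at the cost of the per-device breakdown.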
At the moment, it’s probably safe to use Google Analytics. But, it all rests on the new framework which a) will be challenged by noyb, b) will be reviewed in a year, and c) is based on an executive order by a president who might be replaced in a year. These are three things that can make the framework fall, and if it does, you won’t be allowed to use Google Analytics again.
You have to decide whether it’s worth the risk of a hefty fine. You might be able to use Google Analytics for another year at least, or you might not. The easiest choice is to remove this uncertainty and use one of the GDPR-safe options for web analytics that are already on the market.
GDPR:
EU law regulating the processing of personal data of individuals (regardless of citizenship or residency) in the EU and European Economic Area (EEA). It prohibits the transfer of that data outside the EU and EEA without adequate safeguards.
SCHREMS II:
Legal ruling in the Schrems II case (Data Protection Commissioner v Facebook Ireland and Maximillian Schrems) that found US laws could not properly protect personal data under GDPR standards, meaning the EU-US Privacy Shield agreement was invalid. It also required that companies using SCCs must verify the privacy protection in the country receiving the data.
The Cambridge Analytica scandal:
It was revealed in 2018 that the British consulting firm Cambridge Analytica had harvested Facebook user data without consent, allegedly using it to influence voters in the 2016 US presidential election and other campaigns, including the UK’s 2016 EU referendum (Brexit). Public outrage and investigations led to the closure of the firm and its parent company, SCL Group.
Sources
[1] https://www.imy.se/en/news/four-companies-must-stop-using-google-analytics/ [Accessed 2023-08-18]
[2] https://ec.europa.eu/commission/presscorner/detail/en/ip_23_3721 [Accessed 2023-08-21]
[3] https://edpb.europa.eu/system/files/2023-07/edpb_informationnoteadequacydecisionus_en.pdf [Accessed 2023-08-18]
[4] https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt000000001L5AAI&status=Active [Accessed 2023-08-21]
[5] https://noyb.eu/en/european-commission-gives-eu-us-data-transfers-third-round-cjeu [Accessed 2023-08-18]
[6] https://ec.europa.eu/commission/presscorner/detail/en/ip_23_3721 [Accessed 2023-08-21]
[7] https://ec.europa.eu/commission/presscorner/detail/en/ip_23_3721 [Accessed 2023-08-21]