Is Google Analytics Illegal Under the GDPR? What You Need to Know
Published on: 2023-2-24
From France to Finland, regulators across the EU have decided that users of Google Analytics are breaking the law.
But does this mean that Google Analytics is illegal in the EU? What’s wrong with using Google Analytics under the GDPR? And is there a GDPR-compliant way to configure Google Analytics?
It’s complicated. This article explains everything you need to know about Google Analytics and the GDPR.
The Backstory: Surveillance, Snowden, and Schrems
Why is using Google Analytics a problem in the EU? Primarily because of how Google transfers personal data from the EU to the US.
The story begins in 2013, when Edward Snowden revealed how Google and other tech firms disclosed people’s data to US intelligence services. These revelations became a problem for US companies operating in Europe, where people have a fundamental right to privacy and data protection.
Under the GDPR (and its predecessor, the Data Protection Directive), organisations can’t transfer personal data out of the EU to a “third country” (including the US) without safeguards in place to prevent surveillance by foreign governments.
But here’s the problem: The international transfer safeguards provided under the GDPR don’t always work. This means countless illegal data transfers are taking place every day.
Schrems I and II
Over the decade following the Snowden revelations, the Court of Justice of the European Union (CJEU) has made transferring personal data from the EU to the US much more difficult.
CJEU cases prompted by Austrian privacy activist Max Schrems, known as “Schrems I” and “Schrems II”, have had major implications for Google and its users.
The cases invalidated two data transfer safeguard frameworks (“Safe Harbor” and “Privacy Shield”), each of which Google used to transfer data from the EU to the US.
Following Schrems II, Google continued its data transfers via a different safeguard called “standard contractual clauses” (SCCs). SCCs are contractual terms that oblige Google to protect the personal data it imports from the EU.
But SCCs are also problematic. As part of its Schrems II judgment, the CJEU found that SCCs don’t guarantee that data will be safe from US government surveillance.
This fundamental vulnerability is why EU companies using Google Analytics could be breaking the law—there are no effective safeguards in place to fully protect users’ privacy.
Decisions Against Google Analytics
A month after the Schrems II judgment, Max Schrems and his campaign group, noyb, made 101 complaints about websites using Google Analytics and the Facebook Pixel.
“The Court was explicit that you cannot use the SCCs when the recipient in the US falls under these mass surveillance laws,” Schrems said in a statement at the time. “It seems US companies are still trying to convince their EU customers of the opposite.”
Nearly 18 months later, data protection authorities (DPAs) across the EU started making decisions based on these complaints.
European Data Protection Supervisor
The first decision about Google Analytics came from the European Data Protection Supervisor (EDPS), which regulates data protection among EU institutions.
In January 2022, the EDPS ordered the European Parliament to stop using Google Analytics, as “no proper protections against US surveillance were in place”.
The regulator also noted that several more decisions on Google Analytics were expected in the coming months.
Later in January 2022, Austria’s “DSB” became the first national DPA to sanction a company using Google Analytics.
The Austrian DPA found that Google Analytics collects certain information that can qualify as “personal data” under the GDPR. These data points include unique IDs that Google assigns to each user, the user’s IP address, and browser information.
In addition to SCCs, Google argued it had put other safeguards in place to protect personal data from the US government.
But these “supplementary measures” did not satisfy the Austrian DPA. The regulator said it was unclear whether Google could “actually prevent or limit access” to personal data by US intelligence agencies and ordered the website to stop using Google Analytics.
In February 2022, France’s “CNIL” became the next DPA to issue a sanction for the use of Google Analytics. The CNIL issued two other Google Analytics decisions on the same day.
The French DPA also found that Google’s supplementary measures were “not sufficient to exclude the accessibility of this data for US intelligence services”.
“As long as Google LLC has the possibility to access the data of natural persons in clear text, such technical measures cannot be deemed effective…” the CNIL said in its first decision.
The CNIL ordered each website operator to comply with the GDPR—for example, by not using Google Analytics or “using a tool that does not involve a transfer outside the EU”.
In June 2022, the Italian DPA joined the list of regulators that had sanctioned the use of Google Analytics.
The Italian DPA drew similar conclusions to other regulators regarding Google Analytics and international transfers.
The regulator further highlighted that even with Google’s additional controls, such as IP address truncation, using Google Analytics was unlawful “given Google’s capabilities to enrich such data through additional information it holds”.
The Italian decision emphasises another problematic aspect of using Google tools.
Google has amassed a vast amount of personal data about billions of people. Providing the company with additional personal data—however seemingly low-risk—increases the likelihood that individuals can be identified.
In January 2023, the Finnish DPA became the latest regulator to issue a decision against the use of Google Analytics.
The regulator ordered several libraries to stop using Google Analytics on their websites and delete any personal data collected using the platform.
The Finnish decision is consistent with the others above: Using Google Analytics to transfer personal data to the US violates the GDPR.
Every DPA has been involved with Google Analytics decisions to some extent, as the complaints have been addressed through the European Data Protection Board (EDPB), where all EU data protection regulators have representatives.
The Danish DPA has published guidance to warn organisations against using Google Analytics, despite not having issued a decision against a specific organisation using the tool.
One Google Analytics complaint has been rejected, by the Spanish DPA. However, this appears to have been because the website had stopped using the tool before the DPA issued the decision.
Is Google Analytics Illegal in the EU?
Why doesn’t the EU simply ban Google Analytics outright?
Several DPAs have suggested that Google Analytics cannot be used in a legal way. However, data protection regulators do not have the power to issue Europe-wide bans on the use of specific products.
The Danish DPA, for example, has stated that Google Analytics “cannot… be used lawfully” unless the user puts additional measures in place—beyond those provided by Google.
Referring to the international data transfers that occur when using Google Analytics, the French DPA has stated that it “considers that these transfers are illegal”.
In a press release titled “Italian DPA bans Google Analytics”, the regulator said it wished to “draw the attention of all the Italian website operators, both public and private, to the unlawfulness of the data transfers to the US as resulting from the use of GA”.
The view across EU regulators is that—at least when using Google’s settings—it’s impossible to use Google Analytics legally under the GDPR.
Can Google Analytics Ever Be GDPR Compliant?
Assuming that it’s illegal to use Google Analytics with its default settings: Can users adjust the platform to make it GDPR compliant?
Since the Austrian DPA’s decision, Google Analytics has added new settings that provide users with more control over the data the tool collects. However, these do not appear to solve the platform’s GDPR problems.
Can You Configure Google Analytics to Be GDPR Compliant?
Using the settings available in the platform (and agreed upon by users when signing up), it appears that users cannot configure Google Analytics to be GDPR compliant.
The Danish DPA has provided some analysis of Google’s settings. The regulator concluded that even if Google Analytics “is configured to collect as little data as possible”, using the tool would still violate the GDPR.
Among those settings, users can configure Google Analytics to encrypt personal data.
However, according to the Danish DPA, “Google’s implementation of encryption does not constitute an effective supplementary technical measure, since the encryption is carried out by Google in the United States.”
Is Google Analytics 4 GDPR Compliant?
Google Analytics 4 includes additional settings that Google claims could solve the platform’s compliance issues.
However, the Danish DPA suggests that because Google Analytics 4 still transfers some personal data to the US, “certain fundamental similarities remain” with the previous product, and that it will not be possible to use the new platform lawfully using Google’s settings.
Google Analytics 4 promises to discard IP addresses after using them to approximate the location of the user.
But the Danish DPA says that these IP addresses might be logged by Google’s US servers, where they can be “cross-referenced with (other) data collected by Google Analytics.”
Can You Make Google Analytics Compliant?
Users must run Google Analytics according to the terms they have agreed with Google. However, in theory, it might be possible to supplement Google’s own privacy measures and use the platform in a GDPR-compliant way.
The French DPA sets out a possible technical solution: implementing a “reverse proxy” and meeting seven specific conditions to ensure that no personal data leaves the EU.
But implementing this additional protection might be risky under Google’s terms and could affect performance.
Even the French DPA notes that its own proposed solution “can be costly and complex and may not always meet the operational needs of professionals.”
“To avoid these difficulties, it is also possible for professionals to use a solution that does not transfer personal data outside of the European Union”, the French DPA notes.
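To make the reverse-proxy idea concrete, here is an added example (not code from this article, from the CNIL, or from any analytics vendor) of the scrubbing an EU-hosted proxy would apply to each analytics hit before forwarding it to a third-country endpoint. The field names, the list of identifying query parameters and the browser-family table are assumptions chosen for illustration; the measures shown (dropping the client IP entirely, replacing the vendor’s client id with a keyed pseudonym computed on the proxy, stripping identifiers from URLs and referrers, and generalising the User-Agent) are the kinds of controls such a proxy needs, not a verbatim rendering of the CNIL’s seven conditions. The secret key stays on the proxy, which is what prevents the recipient from re-linking the pseudonym to a person.

```python
"""
Proxy-side scrubbing of web-analytics hits before they leave the EU.
Illustrative example: field names, parameter lists and the browser-family
table are assumptions, not any regulator's list or any vendor's API.
"""
import hashlib
import hmac
import ipaddress
import re
from datetime import date
from typing import Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Secret held only on the EU-hosted proxy (constructed sample value).
PROXY_SECRET = b"constructed-example-secret-never-leaves-the-eu"

# Query parameters that commonly carry per-user identifiers (assumed list).
IDENTIFYING_PARAMS = {"cid", "uid", "gclid", "fbclid", "dclid", "_ga", "_gl",
                      "email", "token"}

# Order matters: a Chrome User-Agent also contains "Safari/".
_UA_FAMILIES = [("Firefox", r"Firefox/"), ("Chrome", r"Chrome/"), ("Safari", r"Safari/")]

# Constructed sample hit as the proxy would receive it from a visitor's browser.
SAMPLE_HIT = {
    "client_ip": "203.0.113.42",
    "user_agent": "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/115.0",
    "page": "https://example.eu/account?utm_source=newsletter"
            "&cid=1234567890.987654321&email=alice%40example.eu",
    "referrer": "https://search.example/results?q=alice+smith",
}


def pseudonymous_id(client_ip: str, user_agent: str, day: Optional[date] = None) -> str:
    """Replace the vendor's persistent client id with a keyed, daily-rotating
    pseudonym computed on the proxy. Without PROXY_SECRET the recipient cannot
    recover the IP address or link two days' traffic together."""
    day = day or date.today()
    msg = f"{client_ip}|{user_agent}|{day.isoformat()}".encode()
    return hmac.new(PROXY_SECRET, msg, hashlib.sha256).hexdigest()[:32]


def strip_identifying_params(url: str) -> str:
    """Drop query parameters that carry identifiers; campaign tags survive."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k.lower() not in IDENTIFYING_PARAMS]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(kept), ""))


def coarse_referrer(referrer: str) -> str:
    """Keep only scheme and host of the referrer; the previous page's path and
    query string (a search term, an account URL) can identify the visitor."""
    if not referrer:
        return ""
    parts = urlsplit(referrer)
    return f"{parts.scheme}://{parts.netloc}" if parts.netloc else ""


def generalise_user_agent(ua: str) -> str:
    """Reduce the raw User-Agent, a fingerprinting input, to a browser family."""
    for family, pattern in _UA_FAMILIES:
        if re.search(pattern, ua):
            return family
    return "Other"


def scrub_hit(hit: dict, day: Optional[date] = None) -> dict:
    """Build the payload the proxy forwards. The client IP is dropped rather
    than truncated, and no browser cookies are passed through at all."""
    ip = hit["client_ip"]
    ipaddress.ip_address(ip)  # validate; raises ValueError on malformed input
    return {
        "client_id": pseudonymous_id(ip, hit.get("user_agent", ""), day),
        "page": strip_identifying_params(hit["page"]),
        "referrer": coarse_referrer(hit.get("referrer", "")),
        "user_agent": generalise_user_agent(hit.get("user_agent", "")),
    }


def leaks_raw_identifiers(original: dict, forwarded: dict) -> bool:
    """Last-line check before sending: the visitor's IP and raw User-Agent
    must not appear anywhere in the outbound payload."""
    blob = repr(forwarded)
    return original["client_ip"] in blob or original.get("user_agent", "") in blob


if __name__ == "__main__":
    out = scrub_hit(SAMPLE_HIT, date(2023, 2, 24))
    print(out)
    print("leak check:", "FAIL" if leaks_raw_identifiers(SAMPLE_HIT, out) else "ok")
```

Two points of the design matter more than the individual regexes. First, the IP address is never sent in any form: truncation was exactly the measure the Italian DPA considered insufficient because the recipient can enrich what remains with data it already holds, so the proxy keeps the IP for its own keyed pseudonym and forwards nothing derived from it in clear. Second, the pseudonym rotates daily and depends on a key the recipient does not have, so even a full export of the forwarded hits cannot be joined back to a person by the party receiving them.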
Alternatives to Google Analytics
As noyb said in a press release about its Google Analytics complaints:
“While there are many alternatives that are hosted in Europe or can be self-hosted, many websites rely on Google…”
Try Wide Angle Analytics!
There are many legal, privacy-respecting alternatives to Google Analytics. Read our guide to the best Google Analytics alternatives in 2023 to learn more.