Is Google Analytics Now Legal in the EU? Not Necessarily…
The Danish data protection authority (DPA) has issued a press release in response to some misleading news reports about Google Analytics.
“Several media outlets have recently written that, according to the (Danish DPA), Google Analytics has become legal again,” reads a translation of the Danish DPA’s statement.
“However, the Data Protection Authority has not decided whether Google Analytics is legal,” the statement continues.
So is Google Analytics now legal in the EU? Was it ever illegal? What’s changed? Let’s clear up the confusion.
How did this Google Analytics confusion arise?
Some publications have been making oversimplified claims about the status of Google Analytics in the EU and the wider European Economic Area (EEA) over the past few years.
The issue began after the “Schrems II” case at the Court of Justice of the European Union (CJEU) in July 2020.
Following the CJEU’s Schrems II judgment, most transfers of personal data from the European Economic Area (EEA) to the US became illegal under the General Data Protection Regulation (GDPR).
A privacy group called “noyb” (None of Your Business) submitted 101 complaints accusing European companies of violating the GDPR by using the popular tracking tools Google Analytics and Meta Pixel.
Since then, regulators across EU countries—including Austria, France, Italy, Denmark, Finland, Norway, and Sweden—have determined that website operators broke the law by using Google Analytics.
What happened in the Google Analytics decisions?
These European regulators investigated whether Google Analytics broke the GDPR’s rules on “international data transfers”.
Simply put, an international data transfer occurs when an organisation in the EEA shares personal data with an organisation outside the EEA.
When a website or app operator uses Google Analytics, they collect various pieces of personal data from visitors. That data is sent to Google and can be analysed on Google’s US servers.
Is it illegal to transfer personal data outside of the EEA?
No, making an international data transfer is permitted under the GDPR under certain conditions, most importantly:
- If the recipient is in a country that has received an “adequacy decision” from the European Commission, or
- If the parties have put safeguards in place to protect the personal data.
As noted, most transfers of personal data to the US were made illegal after the July 2020 “Schrems II” case, which (1) invalidated the US adequacy decision and (2) found that most safeguards were ineffective for data transfers to the US.
This meant that every company fully investigated for using Google Analytics was found to be breaking the law.
The Swedish DPA says Tele2 violated Article 44 of the GDPR, which provides the general rule that international data transfers are only allowed under certain conditions:
For violating this part of the GDPR, Tele2 received a €1 million fine.
So was Google Analytics illegal in the EU?
At the time of these DPA decisions it was practically impossible to use Google Analytics legally in the EEA.
But regulators stopped short of banning Google Analytics, and they were generally careful when discussing their views on the tool.
For example, look at this September 2022 statement from the Danish DPA:
The DPA said that Danish companies “cannot use the tool in its current form without implementing supplementary measures”. However, the regulator also found that the default settings provided by Google did not enable the tool to be used lawfully.
The French DPA even suggested a convoluted method of modifying Google Analytics, by using a proxy server to avoid transferring personal data to the US (while admitting that the process could be “costly and complex”).
So is Google Analytics now legal in the EEA?
Again, it’s complicated.
In July 2023, the European Commission adopted a new “adequacy decision” in respect of the US.
EEA companies can now legally transfer personal data to companies that have signed up to the EU-US Data Privacy Framework (DPF) - including Google.
But the Danish DPA points out that it’s an oversimplification to say that Google Analytics is now “legal”.
But does the EU-US DPF fix the Google Analytics data transfer problem?
Yes, thanks to the DPF, using Google Analytics to transfer personal data from the EEA to Google is no longer illegal in itself—for now.
The DPF is the third attempt at a data transfer framework by the European Commission and the US government.
The previous two US adequacy decisions were invalidated by the CJEU (which is why Google Analytics had been violating the GDPR for nearly three years…)
Max Schrems, who brought the cases that killed the previous two US adequacy decisions, is planning to challenge the EU-US DPF in court, too.
So the legality of data transfers via Google Analytics might only last a couple of years.
And as the Danish DPA points out, you can use Google Analytics illegally in other ways, too. The GDPR covers all processing of personal data—not just data transfers.
But does Google Analytics collect personal data?
Yes, or rather, Google Analytics users collect personal data.
Google Analytics collects information such as IP addresses and information about a visitor’s browser, device, and website activity.
Such information is not always personal data. But information is personal data when used to identify an individual, as is the case with Google Analytics.
But doesn’t Google Analytics anonymise IP addresses?
Google Analytics users can delete part of a visitor’s IP address before Google receives it.
But enabling this setting doesn’t necessarily mean that you aren’t collecting personal data — an “anonymised” IP address can be personal data when combined with other information.
Here’s how the Swedish DPA explains this in the Tele2 decision:
If even part of the IP address is used, in combination with other data, to identify an individual, then it is personal data and is covered by the GDPR.
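To see why a truncated IP address can still single someone out, the following added example (not from the original article or from Google) measures how many visitors share each combination of truncated IP and browser attributes. It assumes truncation zeroes the last octet of IPv4 and the last 80 bits of IPv6; the hit records and field names are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Assumption: truncation keeps the first 24 bits of IPv4 and the first
# 48 bits of IPv6. The article only says "part" of the address is deleted.
def truncate_ip(addr: str) -> str:
    ip = ipaddress.ip_address(addr)
    prefix = 24 if ip.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)

# Constructed sample hits (documentation address ranges):
# (ip, user agent, screen resolution, language)
HITS = [
    ("203.0.113.17", "Firefox/115 Linux", "1920x1080", "da-DK"),
    ("203.0.113.44", "Chrome/114 Windows", "1920x1080", "da-DK"),
    ("203.0.113.91", "Chrome/114 Windows", "1366x768", "sv-SE"),
    ("203.0.113.200", "Chrome/114 Windows", "1920x1080", "da-DK"),
    ("2001:db8:1:2:aaaa:bbbb:cccc:dddd", "Safari/16 macOS", "2560x1440", "en-GB"),
]

def anonymity_sets(hits, fields):
    """Count how many hits share each combination of the chosen fields,
    with the IP address truncated first."""
    keys = []
    for ip, ua, screen, lang in hits:
        rec = {"ip": truncate_ip(ip), "ua": ua, "screen": screen, "lang": lang}
        keys.append(tuple(rec[f] for f in fields))
    return Counter(keys)

def singled_out(hits, fields):
    """Number of hits whose field combination is unique (anonymity set of 1)."""
    counts = anonymity_sets(hits, fields)
    return sum(1 for n in counts.values() if n == 1)

if __name__ == "__main__":
    # Truncated IP alone: four visitors blend into one /24 group.
    print(anonymity_sets(HITS, ["ip"]))
    # Truncated IP plus browser attributes: most visitors become unique again.
    print(singled_out(HITS, ["ip", "ua", "screen", "lang"]), "of", len(HITS))
```

Running the same count over your own analytics export shows how much protection truncation really gives once the other collected fields are taken into account.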
What are some of the other Google Analytics GDPR concerns?
The Danish DPA points out that there are many other legal issues you must consider before using Google Analytics.
The Danish DPA mentions, “among other things”:
- Legal basis
- Data processing agreement
- Shared responsibilities
- Data subject rights
Let’s consider how each of these GDPR concepts applies to Google Analytics.
Legal basis for Google Analytics
The GDPR requires “data controllers” (which includes any company using Google Analytics) to have a “legal basis” for processing personal data.
There are six legal bases under the GDPR, including:
- Consent: You have a person’s informed, unambiguous, freely given permission to process personal data.
- Contract: You need to process personal data to meet your contractual obligations.
- Legitimate interests: You can process personal data in your own company’s interests under certain conditions, as long as your interests are not overridden by people’s rights and freedoms.
Because of the GDPR’s interaction with another law, the ePrivacy Directive, it is well-established that Google Analytics requires consent. This means “real” consent: No “dark patterns” are allowed under the GDPR.
Google Analytics data processing agreement
Under the GDPR, you can appoint a “processor” to process personal data on your behalf. But you must have a “data processing agreement” to ensure the processor complies with your instructions and the GDPR in general.
If you use Google Analytics, Google is your processor—for some data, in some contexts.
Google has a standardised data processing agreement. But as the data controller, it’s your responsibility to ensure that the agreement complies with the GDPR.
Shared responsibilities with Google
The Danish DPA mentions “shared responsibilities” under the GDPR.
When Google acts as your processor, you’re liable for whatever Google does with the data you share via Google Analytics (provided that Google sticks to the data processing agreement). These responsibilities are not shared with Google—they’re yours.
But Google also acts as a separate controller—and, possibly, a “joint controller”—in other contexts.
To enable Google to use personal data collected via Google Analytics for its own purposes (Google Analytics is free for a reason, after all…) users can enter into the company’s “Measurement Controller-Controller Data Protection Terms”.
“This means Google can access and analyse the Analytics data customers share with us to better understand online behaviour and trends, and improve our products and services,” says Google.
But according to a German court decision from 2020, Google is also in a “joint controller” relationship with its users.
This decision (which has been suspended pending an appeal) could have major implications for Google Analytics users.
Joint controllers must establish which aspects of GDPR compliance are carried out by which controller. If it is established that Google Analytics users are “joint controllers” with Google, then the absence of such an agreement could be a significant problem for both parties.
Data Subject Rights
Because Google Analytics collects personal data, you must comply with the GDPR’s data subject rights in respect of this data.
If a person visits your website and you collect their personal data via Google Analytics, they are entitled to request that you provide a copy of the data or delete the data, among other things.
For most companies, receiving a data subject rights request for Google Analytics data is relatively unlikely. But you must be prepared for this possibility, and you must explain people’s rights in your privacy notice.
The bottom line: There are still GDPR concerns around Google Analytics
The recent progress on EU-US data transfers means it is no longer illegal to transfer personal data to the US.
But as the Danish DPA indicates, you must consider many other aspects of the GDPR before using Google Analytics, including:
- What types of personal data do you intend to collect via Google Analytics?
- Are you using Google Analytics to collect unnecessary personal data?
- Do you have a legal basis for using Google Analytics?
- Have you reviewed the mandatory agreements with Google?
- Are you prepared to facilitate people’s data subject rights over Google Analytics data?
- Do you have a backup plan in case the EU-US DPF is invalidated?