Google Analytics GDPR FAQ

It is crucial for a website owner or administrator to understand how to do analytics in a way that complies with GDPR. In this FAQ page we will provide answers to common questions about Google Analytics and GDPR compliance, including how to use Google Analytics legally and what alternative solutions there may be.

FAQ
1.

How can I continue to use Google Analytics legally?

Analytics FAQ

You can continue to use Google Analytics, but you need to use a proxy solution that prevents direct communication between the end-user’s browser and Google. This has been pointed out by several data protection agencies, for example by The Danish Data Protection Agency (Datatilsynet) and The French Data Protection Agency (CNIL). The Danish Data Protection Agency also notes that if no satisfactory solutions can be found, the user should stop using Google Analytics and possibly find another software solution.

See: https://www.cnil.fr/en/google-analytics-and-data-transfers-how-make-your-analytics-tool-compliant-gdpr or https://www.datatilsynet.dk/presse-og-nyheder/nyhedsarkiv/2022/sep/brug-af-google-analytics-til-webstatistik (Danish text)

2.

Will I continue to get the data I need if I use a proxy solution with my Google Analytics account?

Most of the collected information will not be altered. You will, for example, continue to get information about the users’ navigation on your website and where people make a purchase or leave the site. You will, however, lose out on personal information such as the precise geographic area of a user, since Google bases the geographical location of the user on the user’s IP number, which must not be sent to Google.

3.

Why does Google Analytics violate the GDPR?

A user visiting a site with GA (Google Analytics) embedded will have PII (Personally Identifiable Information) sent to Google servers. Authorities in the US might ask Google to hand over any information it holds related to the user and even require Google to assist in decrypting such information (if relevant). This also applies to data stored on servers located outside of the US that belong to American/US companies. US authorities like the FBI or CIA have a legal right to do this because of FISA Section 702 legislation. The EU courts have judged that US authorities have more power than strictly necessary, and that EU citizens have too few legal rights when investigated by US authorities. This violates the GDPR.

See in Danish here p.21 or see in English here p.20

4.

Will all information sent by Google Analytics violate GDPR?

Only the sending of PII (Personally Identifiable Information) to Google (as a US company) is a violation of GDPR. If the information is sent in such a way that it can be argued that even clever people from Google/FBI/CIA with access to all their resources will not be likely to identify the user, then the sent information will not violate the GDPR.

See https://www.gdpreu.org/the-regulation/key-concepts/personal-data/

5.

Is it possible to configure Google Analytics to be compliant with GDPR?

No. Google Analytics cannot be used unless additional actions are taken to protect end-user privacy. The French Data Protection Authority (CNIL) has made an in-depth legal and technical analysis of GA with respect to the GDPR, see https://www.cnil.fr/en/qa-cnils-formal-notices-concerning-use-google-analytics. Their conclusion is that GA cannot be configured in such a way that it fulfils the GDPR. The Danish Data Protection Agency states that if you want to use GA legally and you believe you have configured GA in such a way that it has become GDPR compliant, then you must document this and be able to demonstrate how the various issues identified by the supervisory authority are irrelevant.

See https://www.datatilsynet.dk/english/google-analytics in English or https://www.datatilsynet.dk/hvad-siger-reglerne/vejledning/internet-medier-og-apps-/google-analytics in Danish

6.

Which countries consider Google Analytics to be non-compliant with GDPR?

The data protection agencies in Austria, France, Italy, and Denmark have ruled to halt the use of Google Analytics (GA) for data transfer to the United States without further safeguards. See https://www.contentgrip.com/eu-countries-ban-google-analytics. The European Data Protection Supervisor (EDPS) has indicated that GA is not GDPR compliant. Other European countries are likely to follow these decisions.

See https://www.loyensloeff.com/insights/news--events/news/data-protection-authorities-say-no-to-google-analytics-whats-next

7.

What about other tracking technologies, are they GDPR compliant?

Some tracking technologies are GDPR compliant. It is important that these technologies do not store and/or process the data in the US (or other non-secure third-party countries) or are owned by companies from non-secure third-party countries.

8.

Does this problem apply to other technologies besides tracking/statistics?

Yes, if they send personal data to the US or to a US company.

9.

Is there a grace period?

No, there is no grace period.

See https://techcrunch.com/2022/02/10/cnil-google-analytics-gdpr-breach or in Danish https://www.datatilsynet.dk/hvad-siger-reglerne/vejledning/internet-medier-og-apps-/google-analytics.

Sooner or later, it should be expected that fines are going to be given. See in Danish https://finans.dk/tech/ECE14425154/ekstremt-populaert-googlevaerktoej-er-ikke-laengere-tilladt-i-standardindstilling-millioner-af-danske-websider-ramt and see https://www.techzine.eu/news/privacy-compliance/76885/france-bans-google-analytics-fines-rise-to-20-million-euros/.

It is a good idea to at least begin planning how to become GDPR compliant and to transition without undue delay.

10.

I am with a small company. Does the data protection authority issue fines to small companies?

Yes. The data authorities also issue fines to small companies.

See in Danish https://www.datatilsynet.dk/hvad-siger-reglerne/myter-om-gdpr. See https://www.enforcementtracker.com. Note that any person believing that their privacy rights have been violated has a right to submit a complaint to the data protection authority.

11.

Can I continue to use Google Analytics, if I obtain explicit consent from all my users?

No. Article 49 of the GDPR would have made this possible if the use was non-systematic and the use was not long-term or permanent. The use of GA is systematic and mostly long-term or permanent.

See https://www.cnil.fr/en/qa-cnils-formal-notices-concerning-use-google-analytics

12.

Will the coming new Trans-Atlantic Data Privacy Framework between the US and the EU make the problem go away?

Yes, most likely. But the Trans-Atlantic Data Privacy Framework is not in effect and will not be for several months. The Trans-Atlantic Data Privacy Framework is likely to be challenged just as the earlier Privacy Shield agreement was challenged. It is very likely that the Trans-Atlantic Data Privacy Framework will also be judged to provide inadequate GDPR compliance, just as the earlier Privacy Shield agreement between the US and EU was judged to provide inadequate compliance.

See https://iapp.org/news/a/a-view-from-brussels-the-latest-on-the-dsa-dma-and-privacy-shield/ and https://www.mondaq.com/unitedstates/privacy-protection/1239198/mark-your-calendars-for-schrems-iii-key-takeaways-from-the-latest-developments-in-the-eu-us-data-deal

13.

Can a risk-based approach be used in the GA case, by considering the likelihood of data access requests by US authorities?

No.

See https://fpf.org/blog/what-happened-to-the-risk-based-approach-to-data-transfers and https://www.cnil.fr/en/qa-cnils-formal-notices-concerning-use-google-analytics

14.

Can Google be expected to come up with a fix that will make the problem go away?

Google has earlier made several improvements to GA to better comply with the GDPR. These improvements have not been enough to make GA GDPR compliant. An essential problem is that a request cannot be made directly to Google’s servers without revealing the end-user’s IP number, which is one of the core reasons for the data authorities to declare Google Analytics to be non-compliant, no matter how it is configured. Thus, it seems impossible to construct a solution unless it involves an independent third party (e.g., a proxy server) not operated by Google.

15.

If a Danish company has a website in Germany, do they need our proxy on the German website?

Yes, they do. The location of a company's head office determines where a case should be raised. Therefore, for a Danish company, the Danish Data Protection Authority would handle the case. The Danish Data Protection Authority must also assess any activities that the company may have in other countries, such as Germany.

Furthermore, decisions made in any EU country apply throughout the entire EU. Therefore, the use of Google Analytics is also illegal in Germany due to GDPR regulations.

See in Danish: https://www.datatilsynet.dk/hvad-siger-reglerne/vejledning/internationalt-/danmark-eu-og-resten-af-verden/internationale-virksomheder

Potential solutions

Privacy Proxy

Privacy Proxy is a cost-effective solution that ensures compliance with GDPR regulations when using Google Analytics and that preserves most of Google Analytics' capabilities. It utilizes a proxy server to intercept and control the data being sent to Google, allowing for anonymization and other protective measures to safeguard PII (Personally Identifiable Information).


Server-side tracking

Server-side tracking refers to the process of transferring user data from the user to the company's own server and from there to Google Analytics, rather than sending user data directly from the user's device. This way companies can ensure that they are not sending network information like the IP address to Google. Special care must be taken to ensure that the information actually sent to Google is not personally identifiable, which typically is a large and complex task.


Alternative analytics providers

There are several alternative analytics solutions to Google Analytics that will ensure compliance with GDPR regulations. The analytics provider should be in the EU and owned and operated by an EU company.

Still not sure?

Please contact us if you have questions related to Privacy Proxy or Google Analytics and how PII Guard can help you and your organization.