It’s no news to anyone that the use of the U.S. service Google Analytics (“G.A.”) in the European Economic Area (“EEA”) has become controversial over time, primarily because of the safety concerns about personal data transfers, storage, and access. The use of G.A. in the EEA over the past several months has become a bit hit and miss, with member states’ Supervisory Authorities slowly coming out and publicly stating that it is a breach of GDPR to use it.
Four member states have now done exactly that: Austria, Denmark, France and Italy. I am sure more will follow. The answer is not the latest document President Biden has signed in relation to the transfer of data between the E.U. and the U.S.; that faces months of scrutiny before it even reaches the Courts for approval. Then it will have to go through the Schrems test.
It will be a long way off before we have a legal mechanism in place to transfer data to the U.S.
As a brief recap on what has happened so far…
On the 13th of January 2022, the Austrian data protection authority (“DSB”) ruled that the use of Google Analytics (cookies) violates the GDPR because the transfer of personal data to the U.S. does not meet the GDPR requirements. Specifically, it found a violation of Article 44 of the General Data Protection Regulation: personal data was exported to an importer in the U.S., Google LLC, through ongoing use of Google Analytics without ensuring an adequate level of protection, as required under Chapter V of the GDPR.
The French data protection authority CNIL’s guidance suggests only very few EU-based site owners use Google’s analytics tool legally — either by applying additional encryption where keys are held under the exclusive control of the data exporter itself; or by using a proxy server to avoid direct contact between the user’s terminal and Google’s servers.
In February 2022, the CNIL released the following statement regarding the use of Google Analytics:
[T]he CNIL concludes that transfers to the United States are currently not sufficiently regulated. Indeed, in the absence of an adequacy decision (which would establish that this country offers a sufficient level of data protection with regard to the GDPR) concerning transfers to the United States, the transfer of data can only take place if appropriate guarantees are provided for this flow in particular.
However, the CNIL found that this was not the case. Indeed, although Google has adopted additional measures to regulate data transfers in the context of the Google Analytics functionality, these are not sufficient to exclude the accessibility of this data for U.S. intelligence services.
There is, therefore, a risk for French website users who use this service and whose data is exported.
The CNIL notes that the data of Internet users is thus transferred to the United States in violation of Articles 44 et seq. of the GDPR. The CNIL, therefore, ordered the website manager to bring this processing into compliance with the GDPR, if necessary, by ceasing to use the Google Analytics functionality (under the current conditions) or by using a tool that does not involve a transfer outside the E.U. The website operator in question has one month to comply.
Another strike against the use of Google Analytics in Europe: The Italian data protection authority has found a local web publisher’s use of the popular analytics tool to be non-compliant with E.U. data protection rules owing to user data being transferred to the U.S.
The Garante found the web publisher’s use of Google Analytics resulted in the collection of many types of user data, including device I.P. address, browser information, O.S., screen resolution, language selection, plus the date and time of the site visit, which were transferred to the U.S. without adequate supplementary measures being applied to raise the level of protection to the necessary GDPR standard.
Protections applied by Google were not sufficient to address the risk, it added, echoing the conclusion of several other EU DPAs who have also found use of Google Analytics violates data protection rules over the data export issue.
Italy’s DPA has given the publisher in question 90 days to fix the compliance violation. But the decision has wider significance as it has also warned other local websites that are using Google Analytics to take note and check their own compliance, writing in a press release [translated from Italian with machine translation]:
[T]he Authority draws the attention of all Italian managers of websites, public and private, to the illegality of transfers made to the United States through G.A. [Google Analytics], also in consideration of the numerous reports and questions that are being received by the Office, and invites all data controllers to verify the compliance of the methods of use of cookies and other tracking tools used on its websites, with particular attention to Google Analytics and other similar services, with the legislation on the protection of personal data.
The use of Google Analytics in Germany has been deemed legal by the data protection Authorities, but with conditions. This seems to go against the decisions made by some of the other Supervisory Authorities and removes the consistent approach GDPR was meant to bring to the E.U. The guidelines for German website operators to follow are set out below.
A few simple rules should ensure that the requirements of the German data protection authorities are met:
- Website operators should mention in their privacy policy that Google Analytics is used on their websites.
- Website operators should implement the I.P. mask function, which tells Google Analytics not to save or process users’ full I.P. addresses.
- Website operators should explain in their privacy policies that the feature can be disabled via a Google Analytics browser add-on. End users can, if desired, prevent data being sent to Google very easily by installing this specific browser add-on.
Denmark has become the fourth country to. This decision was stated in a press release from the DPA itself (Datatilsynet) and is a result of a coordinated approach at the European level. It’s not the first time the Danish DPA has been on the use of Google products. A few months ago, it issued a statement declaring the use of Google Workspace (formerly G-suite) for municipalities in violation of GDPR.
In a statement, the Danish DPA addresses the use of Google Analytics specifically and on a much broader scale. The Danish DPA concluded that the use of Google Analytics is unlawful. The decision is based on an individual case but represents a common European position toward processing personal data.
Unlike the other DPAs, the Danish DPA did not act on a complaint but instead looked into G.A.’s data transfers at its own discretion. It stated that the GDPR is made to protect the privacy of E.U. citizens. This means that you should be able to visit a website without your data being misused. In this light, they have carefully examined Google Analytics, in particular, after other Member States’ previous decisions.
They stated that you must stop using the tool if it’s impossible to implement additional measures that safeguard website visitors’ privacy. If that’s not possible, you should find another analytics tool that does comply with GDPR and does not transfer data to “unsafe” third countries like the U.S.
Why do you need a GEO-Cookie Blocking Feature?
CookieScan™ has been working hard on a solution to this problem for its current and future customers. Google Analytics is such an important tool for many website developers and owners. It has been used for 15-plus years, and with the new GA4, it is not going to simply stop being used.
CookieScan wants to deliver on its promise that website owners can be confident their site is compliant wherever it is being viewed, whatever that country’s cookie law or Supervisory Authority requires about cookies.
What can CookieScan do for you?
With this in mind, CookieScan™ has developed a Geo-Cookie Blocking feature that blocks specific cookies for specific countries. This means that, as an account holder, once you turn on the Geo-Cookie Blocker, all Google Analytics cookies will be blocked for the website when viewed in Austria, Denmark, France and Italy. The rest of the member states will have G.A. cookies working on the site as normal, requiring the site user’s consent before being loaded.
This is a big step in the compliance features for CookieScan and the only Cookie Management System offering this feature.
Make sure your website is as compliant as it can be GLOBALLY by using CookieScan™ now. For only £5 a month for a Standard account or £15 a month for a Premium account, why wouldn’t you?
Don’t risk non-compliance with the Cookie Laws and requirements for the sake of £15 per month, max.
Try us for free with our 30-day trial.