In January 2022, the Austrian Data Protection Authority issued a decision on the use of Google Analytics by an Austrian organisation. Since then, the Austrian Data Protection Authority has issued another decision on the use of the tool and several decisions have also been issued by the French Data Protection Authority. Most recently, in June 2022, the Italian Data Protection Authority issued a decision on the use of the tool. In all of these cases, the supervisory authorities found that the use of Google Analytics under the given circumstances was unlawful.
A pan-European analysis
Although the cases have been decided individually by the respective supervisory authorities that received the original complaint, the decisions represent a common European position among the supervisory authorities. It is essential – both for the organisations that process personal data and for the citizens whose personal data is processed – that European data protection law is interpreted uniformly across the EU/EEA. As the subject-matter of the submitted complaints has been exactly the same, the cases have been handled together by a working group under the auspices of the European Data Protection Board. In this working group, the legal issues and how they should be assessed have been discussed.
“The GDPR is made to protect the privacy of European citizens. This means, among other things, that you should be able to visit a website without your data ending up in the wrong hands. We have carefully reviewed the possible settings of Google Analytics and have come to the conclusion that you cannot use the tool in its current form without implementing supplementary measures,” said Makar Juhl Holst, Senior Legal Advisor at the Danish Data Protection Agency, and elaborated:
“Since the decisions by our European colleagues, we have looked into the tool and the specific settings available to you when you intend to use Google Analytics. This has been particularly relevant as Google, following the first Austrian decision, has begun to provide additional settings in relation to what data can be collected by the tool. However, our conclusion is that the tool cannot, without more, be used lawfully.”
Consequences for Danish organisations
The fact that the cases convey a pan-European position among the supervisory authorities also means that, in a specific case with similar circumstances, the Danish Data Protection Agency will reach the same result as our European colleagues.
Organisations in Denmark that use Google Analytics must therefore assess whether their possible continued use of the tool takes place in compliance with data protection law. If this is not the case, the organisation must either bring its use of the tool into compliance, or, if necessary, discontinue using the tool.
“A very important task for the Danish Data Protection Agency is to give guidance to citizens about their rights and to give guidance to Danish organisations on how they comply with data protection law. As is the case with data protection law, we at the Danish Data Protection Agency are neutral to technology, and therefore have no interest in either approving or banning certain products. We are not at all empowered to do so,” added Makar Juhl Holst and continued:
“Following the decisions of our European colleagues, however, we have experienced a great demand for guidance in relation to specifically Google Analytics, and we have therefore made an effort to look into this specific tool more closely.”
What should you do if you use Google Analytics today?
The Danish Data Protection Agency understands that many organisations already use Google Analytics and that, in the past, there has been an easily accessible way of transferring personal data to the US in the form of a so-called adequacy decision from the European Commission. However, in July 2020, the Court of Justice of the European Union declared this Commission decision invalid.
Therefore, the message from the Danish Data Protection Agency is that if you use Google Analytics, you must put in place a plan to bring your use of the tool into compliance by implementing supplementary measures.
One possible technical measure that may be relevant when using Google Analytics is pseudonymisation. The French Data Protection Authority has created detailed guidance for organisations wishing to establish effective pseudonymisation by means of a so-called reverse proxy. The guidance can be found here: https://www.cnil.fr/en/google-analytics-and-data-transfers-how-make-your-analytics-tool-compliant-gdpr
If it is not possible to implement effective supplementary measures, you must stop using the tool and, if necessary, find another tool that can provide web analytics and allows for compliance with data protection law, for example by not transferring personal data about visitors to “unsafe” third countries.
The basis for the Danish Data Protection Agency’s guidance
The Danish Data Protection Agency’s guidance is based on the information provided by the European supervisory authorities’ decisions and the Danish DPA’s own research. This also means that the Danish Data Protection Agency cannot rule out that there may be circumstances or technical settings which the Danish DPA has not taken into account. The Danish Data Protection Agency invites organisations and any persons who have special insight into the relevant tool to write to the Danish DPA (https://www.datatilsynet.dk/kontakt/skriv-til-os) if they believe that there are circumstances that the DPA’s guidance does not take into account.