This is blog post #15 in our series on the GDPR.
Four European Data Protection Authorities (DPAs) have thus far concluded that the transfer of personal data to the United States via Google Analytics is unlawful according to the General Data Protection Regulation (GDPR).
It is quite certain that other European DPAs, including the Norwegian Data Protection Authority, will follow suit because all members of the EU/EEA are committed to complying with the GDPR.
Website analytics vs privacy
Everyone who manages a website is (or should be) interested in the behavior of users across web pages. For this purpose there are analytics platforms that measure activities on a website, for example how many users visit, how long they stay, which pages they visit, and whether they arrive by following a link or not.
To help measure those parameters (and a lot of others) there exists a market of web analytics tools of which Google Analytics (GA), launched in 2005, is the dominant one. In addition, GA includes features that support integration with other Google products, for example Google Ads, Google AdSense and many more.
The use of GA implies collecting data that is personal by the GDPR's definition, for instance IP addresses, which can be used to identify a person, even if only indirectly. GA may apply pseudonymization using its own identifier, but the result is still personal data.
The fact that some of the data collected by GA is personal, and that it is transferred to the USA and processed there, has led the DPAs of Austria, Denmark, France, and Italy to conclude that the use of Google Analytics is not compliant with the GDPR.
None Of Your Business
This conclusion was reached after the Austrian non-profit organization NOYB (“my privacy is None Of Your Business”) submitted complaints to a number of European DPAs.
The complaints are based on the conclusion of the Court of Justice of the European Union (CJEU) that the transfer of personal data to the US, without special measures, violates the GDPR.
According to NOYB, the Executive Order recently signed by US President Joe Biden will not solve the problem with EU-US data transfers with regard to the potential for mass surveillance.
DPAs on the case
The Danish DPA writes that even though Google has indicated that it has implemented such measures, these measures are not sufficient “to prevent access to transferred personal data by US law enforcement authorities”.
The Norwegian DPA has thus far received one complaint regarding Google Analytics, and states on its website that the case is being processed.
They “will place great emphasis on what other countries have come up with”, they say in an email conversation.
Runbox will continue following these developments and keep you updated.
2 thoughts on “Privacy, GDPR, and Google Analytics”
I would be interested in learning how tracking data falls in with GDPR and Google Analytics. From what I can gather it’s not allowed but flies under the radar. noscript will trigger / track the user regardless of whether the website is using OneTrust etc. to allow cookie customization cookies.
Thanks for your comment and apologies for the belated reply. The intention of our blog post was to give an overview of the matter and is mainly based on articles from the reliable sources referred to in the post. We suggest that you direct questions of a more technical nature through an inquiry to NOYB (https://noyb.eu/), and regret that we cannot provide a technically explanatory answer here.