The plight of Google Analytics in the EU continues as the Danish DPA issued a press release regarding the use of Google Analytics for web analytics on September 21, 2022. Following the earlier opinions issued by the Austrian, French, and Italian DPAs earlier in 2022, the Danes began receiving numerous questions and requests for guidance on the compliant usage of Google Analytics. Following their analysis, they have come to the conclusion “that you cannot use the tool in its current form without implementing supplementary measures.”
What makes this opinion different from the previous EU DPA guidance? And ultimately what does this mean for your business? Let’s dive in!
Is the Danish DPA’s guidance any different from previous findings from Austria, France, and Italy?
The Danish DPA’s investigation actually comes to the same conclusions as previous guidance released by other EU DPAs. This is true even though in this instance both Google Analytics 4 and the additional privacy settings released by Google in the summer of 2022 were also evaluated.
This is notable because, as stated in the press release, “although the individual cases have been decided individually by the respective supervisory authorities that received the original complaint, the decisions represent a common European position among the supervisory authorities.” Essentially this means that we are nearing universal EU DPA alignment on the usage of Google Analytics, in its current form, not being in compliance with GDPR.
They mention “implementing supplementary measures” as a way to potentially compliantly use the platform, what could these be?
Since the initial ruling from the Austrian DPA, there have been a number of potential solutions raised and Google has introduced some new privacy controls meant to address concerns. The Danish DPA has done a great job of explicitly addressing many of these in their Q&A section related to this evaluation. Let’s take a look at each of these approaches and where they stand.
1. Configuring Google Analytics in such a way that personal data is not transferred to the United States
In the investigation, the Danish DPA has concluded that, based upon Google’s responses to the EU supervisory authorities, that data collected through Google Analytics is processed and stored in the United States. They have not found sufficient evidence that Google has made any sufficient changes to their technical setup since the earlier DPA decisions have been made that would counter this belief.
In the view of the Danish DPA’s investigation, it is therefore not possible at this time to configure Google Analytics in such a way that personal data is not transferred to the United States.
2. Configuring Google Analytics so that no personal data is collected
Some have proposed that by modifying settings such as disabling data sharing with Google, using additional settings to limit device and location data collected by GA4, and not enabling Google Signals personal data can be deemed as not being collected.
The Danish DPA takes this head on by stating that even when these settings are turned off “the remaining data collected using the tool still constitutes personal data about the website visitors.” Central to this finding is that a unique identifier will continue to be collected (client id – which is central to all GA processing activity) along with the visitor’s interactions with the website, time of visit, and location of the visitor.
In the view of the Danish DPA’s investigation, so long as any unique identifier is present for a user (even in a first-party context) then Google Analytics can not be configured in such a way that no personal data is collected.
3. The interpretation that GA data is pseudonymized
Central to the question of pseudonymization is the requirement that “personal data can no longer be attributed to a specific data subject without the use of additional information” (GDPR Article 4, Section 1(5)). The analysis required to prove this condition must include additional information that would be available to an organization wishing to attribute the pseudonymized data to a particular person. Therefore, data such as the IP address must be included in the consideration of data which can be used to attribute pseudonymized data to a person.
Google has often cited protections such as the IP Anonymization setting available in Universal Analytics, IP not being logged or stored in GA4, and handling of IP addresses on local servers in the EU for users accessing a site in the EU for GA4 when countering any questions related to IP address being available for use in re-identification.
The Danish DPA addresses these claims by finding that an EU resident (therefore protected under GDPR) could be accessing a site from outside of the EU. In this scenario, according to Google’s own documentation, that user’s initial requests (including IP address) could be routed directly to servers in the United States. Thanks to server log data, which U.S. authorities could gain access to, they would then have the means to attribute Google Analytics data for a user to a specific person.
In the view of the Danish DPA’s investigation, Google Analytics data is therefore not effectively pseudonymized to meet the requirements of this condition.
4. Addition of supplementary technical measures
The Danish DPA cites a number of recommendations provided by the European Data Protection Board and evaluates two that have been proposed as solutions for Google Analytics.
The first evaluation is for encryption. With Google’s implementation of encryption, the encryption process is carried out by Google in the United States. Due to this, it is possible that Google would be compelled to provide the encryption keys to U.S. authorities upon requests, making the data readable.
It is therefore the view of the Danish DPA’s investigation that Google’s encryption is not an effective supplementary technical measure.
The second evaluation is for the possibility of pseudonymization. They find that pseudonymization can be implemented for Google Analytics through the use of a reverse proxy server so long as configuration conditions for effective pseudonymization are met. Specifically referenced is the French Data Protection Authority’s detailed guidance on a method to establish such an architecture published in July of 2022.
It is therefore the view of the Danish DPA’s investigation that pseudonymization is possible if this type of reverse proxy architecture is implemented. It is very important to note that the architecture outlined will have significant impacts on reporting and functionality in Google Analytics which will result in use cases for most organizations to not be satisfied.
5. Justifying international transfers (and the usage of Google Analytics) on the basis of consent
A final popular proposed solution to the question of Google Analytics and data transfers to the United States has been the use of consent as an effective means of satisfying compliance requirements.
GDPR does allow for transfers of personal data to third countries if the data subject has been informed of the possible risks of the transfer and expressly consents. The Danish DPA finds that these exceptions should be just that—exceptions—and not become the general rule. With the use of Google Analytics, the transfer of personal data to the third country in question (United States) is a general transfer of all data collected by the tool. It is therefore the general rule, and not an exception, that the data will be transferred to the United States.
It is the view of the Danish DPA’s investigation that the international transfer (and usage of Google Analytics) can not be justified on the basis of consent.
So is Google Analytics “banned”?
The Danish Data Protection Authority is explicit that they have not issued a ban on the use of Google Analytics. It is not in their authority to ban certain products but instead to simply assess whether the processing of personal data is in compliance with data protection law. It is ultimately the responsibility of the controller to ensure their activities are in compliance with the law.
They also mention that if an organization believes their setup and use of Google Analytics differs from the conditions evaluated in their investigation, it is up to the organization to document and demonstrate their position if an action is brought. However, if the setup is aligned with those that have been evaluated, the DPA will make the same assessment as outlined in their findings. A company assumes their own legal risk if they have a differing legal assessment with regard to their organization’s use of Google Analytics.
Ultimately the final decisions on compliance will be made by the courts in the event of an action being brought.
In the view of the Danish DPA’s investigation, Google Analytics usage is not “banned”. It is their view that the use of Google Analytics in the ways in which they were evaluated are non-compliant with GDPR.
What is the status of the new EU-US data transfer agreement?
The final looming consideration for many businesses with respect to their continued use of Google Analytics in the EU is the potential for a new EU-US data transfer agreement. In March of 2022, a new Trans-Atlantic Data Privacy Framework was announced. At this time a full legal agreement has yet to be agreed upon and adopted. Initially it was announced that the hope was for a new agreement to be in place by the end of 2022. That timeline appears highly unlikely and an updated timeline has not been communicated.
So where does that leave us?
For Danish websites this investigation and guidance leaves little doubt that the usage of Google Analytics (in any of its forms) presents a significant compliance risk unless a reverse proxy solution is implemented. For other EU websites, it is still unclear but the alignment of all DPAs with guidance to date seems to indicate a unified stance with the same determination is on the horizon.
Ultimately, it is up to each organization to assess their compliance risk, identify risk mitigation approaches available, and make the determination if said risk outweighs the benefits of continued use of the Google Analytics platform.
**Important – The information covered in this article is not intended to be legal advice or counsel. You should not act or refrain from acting on the basis of any content included in this article regarding legal compliance without obtaining appropriate legal guidance. The contents of this article contain general information related to various laws and regulations, but may not reflect your current situation. In addition, applicable laws and regulations regularly change. This is particularly true with respect to data privacy laws and regulations. Therefore, any laws and regulations described or otherwise referenced in this article may not be current when you read the article or even at the time of publication. We disclaim all liability for actions you take or fail to take based on anything in this article. Any action you take or any action you refrain from taking based on the information in this article is entirely at your own discretion and risk.**
