
Google Analytics illegal in Europe? What you need to know

Privacy authorities: Google Analytics violates data protection rules due to a lack of safeguards for data transfers

🎯 Latest update on the use of Google Analytics in Europe

The usage of Google Analytics in Europe has been in jeopardy due to recent European court cases.

→ Several European data protection authorities have found that Google Analytics’ processing of European user data could result in illegally transferring data outside Europe.

The actions around Google Analytics are the result of the Privacy Shield being struck down because it was found that the privacy standards of the U.S. did not match those of the European framework. A major concern is that the government could access European data kept by US companies, even if stored in Europe. Full details here →

🗣 The day the industry has been waiting for is here – a new privacy framework is on the horizon. Since the Privacy Shield was struck down, there has been no formal framework in place. In an effort to solve the ongoing issue of legal data transfers between the U.S. and the E.U., President Biden has signed an Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities to meet the obligations of the EU-U.S. Data Privacy Framework.

An executive order is a directive from the president of the United States that is signed and made public and controls how the federal government operates. This executive order might just be the solution the industry has been waiting for. Here’s why:

By emphasizing a number of crucial framework elements, the Executive Order aims to address concerns while strengthening a strict set of civil rights and privacy protections for American signals intelligence activities. For more information, read our overview here.

The European Commission will be able to issue an “adequacy decision” that could allow data transfers between the E.U. and the U.S. once again. It may take up to six months to make a decision, but it’s safe to say we are approaching the finish line. It may still be months before transferring data to US companies no longer entails the risk of illegal data transfer outside Europe.

Where does this leave us?

Currently, European Data Protection Authorities (DPAs) have been issuing orders to stop using Google Analytics – though without issuing fines. 

While Google has previously attempted to address some of the main points of concern with Google Analytics 4, these measures seem to still be considered insufficient by the authorities. 

Due in part to this conversation around the use of Google Analytics, Google released Google Analytics 4 in an attempt to address some of the concerns.

  • Google Analytics 4 uses IPs at first to decide where to store users’ other personal data (the server or data center depends on the user’s IP). It then eliminates IP addresses completely in an attempt to mitigate the problem of transferring European data to the United States.
  • Google Analytics 4 will also offer country-level controls and customization options to allow you to minimize the collection of user-specific data.

Here’s how to switch to and set up Google Analytics 4 →

So far, no economic sanctions have been issued by European DPAs for the use of Google Analytics.

If you’ve already switched to GA4, this may still be a smart move, as GA4 significantly reduces data processing. Since the new privacy deal may be ready in several months, many businesses might decide to risk it as no fines have been issued.

From the Danish DPA:

For Google Analytics 4, it is apparent from Google’s documentation that I.P. addresses are used to determine the approximate location of the visitor, after which the address is discarded before the data is logged to a server. As with Universal Analytics, the same issue is also relevant for Google Analytics 4, as – depending on the data subject’s location – there can be a direct connection to, among others, American servers before the address is discarded.

If you would like to follow this evolving case law and watch the latest decisions unfold, you can read our by-country breakdown here.

Understandably, you may be left feeling a bit unsure of what to do. Organizations like NOYB and other groups are trying to defend privacy rights – with one main concern being the possibility of government access to European data held by U.S. companies, even when stored in Europe.

📌 So, what should you do now?

Google Analytics has been the target of recent DPA orders, but currently, any service provided by a US party, even if hosting is in the EU, can be compromised. Therefore, each controller must evaluate whether to stop using all or some of their US services between today and the time when a new deal is in place.

Like most things privacy-related, we can expect such an agreement will be challenged, so the journey may continue to be rocky for some time. In the meantime, you can do a few things today to put your mind at ease. 

💡 One option is to obfuscate personal data via a proxy server so that the data does not get to the U.S. company. We have selected a few solutions that do it. 

  1. Jentis
  2. Stape Europe

👉 At iubenda, you can rest assured that when you use our services on your site/app, the data of EU users is either not shared with US companies or, when it is, it’s encrypted before being sent.

🚀 Looking for a GDPR-friendly alternative to Google Analytics?

Given that this scenario is still present, some people are now thinking about Google Analytics alternatives that focus on privacy or are based in Europe.

Read this: 7 alternatives to Google Analytics

FAQs

Data protection authorities have found that the U.S. legal system does not guarantee the same standards of protection as the EU. The situation stems from a set of U.S. laws that allow government organizations to request access to consumers’ personal data from US-based services, regardless of where the data centers or servers are located.

In light of this, NOYB filed 101 complaints with European DPAs, asking them to find that transferring European users’ data to the U.S. was unlawful. The decisions, which have noted the illegitimacy of the transfers, focus on the analysis of additional technical, contractual and organizational measures.

The use of an encryption key by the company in question was deemed insufficient as the key was owned by Google LLC. From this, it follows that as long as the encryption key remains accessible to the importer (in this case, Google Analytics), the measures taken cannot be considered appropriate.

Furthermore, contractual and organizational measures are not evaluated because the others are always considered insufficient if technical measures are missing.
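
As an added illustration (not iubenda's code, nor that of any product named on this page), the sketch below shows the two technical points made above: a proxy that rewrites each analytics hit before it leaves the EU, and a pseudonymisation key that stays with the controller instead of the importer. It assumes Universal Analytics Measurement Protocol field names (cid, uid, uip, ua, dl, dr); the key, the property ID and the sample hit are constructed. The proxy opens the upstream connection itself, so the vendor sees the proxy's address and not the visitor's.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

# Constructed demo key. Assumption: the real key is generated and stored only
# by the EU controller and is never made available to the analytics vendor.
CONTROLLER_KEY = b"constructed-demo-key-held-by-eu-controller"

DROP_FIELDS = {"uip", "ua", "uid"}   # IP override, user agent, user ID
PSEUDONYMISE_FIELDS = {"cid"}        # client ID taken from the analytics cookie
URL_FIELDS = {"dl", "dr"}            # page URL and referrer
FORWARD_HEADERS = {"content-type"}   # allowlist; every other header is dropped


def pseudonymise(value: str) -> str:
    """Keyed hash: stable per visitor, not reversible without CONTROLLER_KEY."""
    digest = hmac.new(CONTROLLER_KEY, value.encode("utf-8"), hashlib.sha256)
    return digest.hexdigest()[:32]


def strip_url(url: str) -> str:
    """Drop query string and fragment, which often carry e-mails or tokens."""
    return url.split("#", 1)[0].split("?", 1)[0]


def scrub_hit(raw_query: str) -> str:
    """Rewrite one URL-encoded hit before the proxy sends it upstream."""
    out = []
    for key, value in parse_qsl(raw_query, keep_blank_values=True):
        if key in DROP_FIELDS:
            continue
        if key in PSEUDONYMISE_FIELDS:
            value = pseudonymise(value)
        elif key in URL_FIELDS:
            value = strip_url(value)
        out.append((key, value))
    return urlencode(out)


def scrub_headers(headers: dict) -> dict:
    """Forward only allowlisted headers: no Cookie, User-Agent, X-Forwarded-For."""
    return {k: v for k, v in headers.items() if k.lower() in FORWARD_HEADERS}


# Constructed sample hit (tid is a placeholder property ID).
SAMPLE_HIT = ("v=1&tid=UA-000000-0&cid=555.1234&uip=203.0.113.7&t=pageview"
              "&dl=https%3A%2F%2Fshop.example%2Fcart%3Femail%3Da%40b.example")

if __name__ == "__main__":
    print(scrub_hit(SAMPLE_HIT))
```

Because the hash is keyed, the vendor receives a stable visitor identifier it cannot map back to the original client ID, while the controller can still recompute it.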

So far, the authorities have only said that additional technical security measures are needed if you continue using Google Analytics.

Based on the decisions issued so far, we can assume that the possible legal consequences are as follows:

  1. Receiving an order to identify additional technical measures within 60 (CNIL) or 90 days (Garante).
  2. Receiving an order to discontinue the service and replace it with another.

Please note that to date, no economic sanctions are being issued for the use of Google Analytics.
