Danish DPA Follows Suit and Becomes the Latest EU Data Protection Authority to Conclude that the Use of Google Analytics is Unlawful Without Supplementary Measures

3 minute read | October.03.2022

In a recent announcement, Datatilsynet, the Danish Data Protection Authority (“Danish DPA”), declared that the Google Analytics tool does not comply with the GDPR’s requirements for international transfers. As such, it concluded that the tool cannot be used lawfully, unless further supplementary measures are implemented, on top of those already offered by Google.

The latest decision by the Danish DPA builds upon the growing sentiment among EU regulators as to the legality of Google Analytics and follows similar rulings by the Austrian, French and Italian data protection authorities. For further details on these decisions, please see our earlier articles here and here.      

What should you do if you use Google Analytics today?

The Danish DPA has proposed that organisations should either:

  • Assess what measures must be implemented by the organisation to bring the use of the Google Analytics tool into compliance with the GDPR (i.e., by implementing appropriate supplementary measures for international transfers), or
  • If this is not possible, stop using the tool and find an alternative web analytics tool which is compliant with the GDPR or does not transfer personal data out of the EEA.

While the Danish DPA’s guidance on Google Analytics is directed to Danish organisations, it notes that its decision represents a “common European position among the supervisory authorities”.

What can you do in practice?

  • Consider which version of Google Analytics your organisation is using

    Google has been working on updating the tool; Google Analytics Version 4 does not log or store individual IP addresses. It also allows users to disable certain data collection such as location and device data (see here for further information).

    One immediate mitigation measure is to ensure that you are using Google Analytics 4.

  • Configure your Google Analytics settings

    Google Analytics only infringes the GDPR requirements governing international data transfers to the extent that personal data is shared with Google’s servers in the United States. You should consider configuring your Google Analytics settings so that no personal data is collected. There are several settings in Google Analytics 4 which stops the collection of identifying information.

    However, even if you configure your settings so that personal data is not shared with Google, the Danish DPA is still of the opinion that the remaining information collected makes it possible to identify a person (such as the user’s unique identifier, interaction with the website and approximate location and time of visit). Implementation of such mitigation measures could reduce an organisation’s exposure, but it would not remove it entirely.
  • Consider implementing additional appropriate supplementary measures

    Proxy Server

    In its guidance on how to make Google Analytics compliant with the GDPR, the French DPA proposed the use of a proxy server. This would avoid any contact between the website user’s device and Google’s servers in the United States.

    The French DPA has, however, outlined stringent requirements in relation to the implementation of a proxy server as a solution. For example, certain identifiers must be removed, and the hosting conditions must be equivalent to that provided with the EEA. As a result, the implementation of a proxy server would likely be complex and costly. There is also no guarantee that it would be adequate under the scrutinising eye of a regulator.

    Encryption
    Organisations could consider encrypting the data sent to Google LLC. However, this would only be effective if the encryption keys were exclusively controlled by the data exporter. If Google LLC were able to access the data, the protection afforded by the encryption process is undermined.

  • Obtain User consent

    Article 49(1)(a) of the GDPR provides that users may provide explicit consent to the proposed international data transfer.

    However, for the reasons outlined in our earlier articles, here and here, the validity of the consent will likely fall under some scrutiny from EU regulators and be complicated to implement in practice.
  • Consider alternatives to Google Analytics

    The safest option may well be to consider alternative web analytics providers which do not transfer personal data outside of the EEA. This would eliminate the risk of infringing upon the GDPR requirements on international data transfers. The French DPA has published a list of compatible web analytics providers here.