3 minute read | October.03.2022
In a recent announcement, Datatilsynet, the Danish Data Protection Authority (“Danish DPA”), declared that the Google Analytics tool does not comply with the GDPR’s requirements for international transfers. As such, it concluded that the tool cannot be used lawfully, unless further supplementary measures are implemented, on top of those already offered by Google.
The latest decision by the Danish DPA builds upon the growing sentiment among EU regulators as to the legality of Google Analytics and follows similar rulings by the Austrian, French and Italian data protection authorities. For further details on these decisions, please see our earlier articles here and here.
What should you do if you use Google Analytics today?
The Danish DPA has proposed that organisations should either:
While the Danish DPA’s guidance on Google Analytics is directed to Danish organisations, it notes that its decision represents a “common European position among the supervisory authorities”.
What can you do in practice?
One immediate mitigation measure is to ensure that you are using Google Analytics 4.
In its guidance on how to make Google Analytics compliant with the GDPR, the French DPA proposed the use of a proxy server. This would avoid any contact between the website user’s device and Google’s servers in the United States.
The French DPA has, however, outlined stringent requirements in relation to the implementation of a proxy server as a solution. For example, certain identifiers must be removed, and the hosting conditions must be equivalent to that provided with the EEA. As a result, the implementation of a proxy server would likely be complex and costly. There is also no guarantee that it would be adequate under the scrutinising eye of a regulator.
Organisations could consider encrypting the data sent to Google LLC. However, this would only be effective if the encryption keys were exclusively controlled by the data exporter. If Google LLC were able to access the data, the protection afforded by the encryption process is undermined.