On March 1, 2023, the Norwegian data protection authority (DPA), Datatilsynet, released a preliminary opinion about the use of Google Analytics. Datatilsynet stated that using Google’s platform is illegal under the General Data Protection Regulation (GDPR).
The decision is a follow-up to the 2022 press release, in which the DPA suggested the tool might not meet the standards of the EU law and recommended that Norwegian companies find a compliant alternative. It makes Norway the sixth European country after Austria, Italy, France, Hungary, and Denmark that might effectively ban the use of Google Analytics in its default setup.
All the rulings highlight the same issue – since Google Analytics sends user data to the US, this data can’t be adequately protected from potential access by US intelligence agencies. Without a legal framework regulating the EU-US data flow, transfers of personal data from the European Economic Area (EEA) to the US violate the individuals’ privacy rights granted by GDPR.
Learn how the Norwegian DPA’s decision will affect companies using Google Analytics.
Datatilsynet’s opinion is a result of one of 101 complaints filed by NOYB against websites that use Google Analytics. The Norwegian DPA investigated the case of the state-owned telecommunications company’s website, telenor.com.
The data privacy activist organization lodged the complaints after the invalidation of Privacy Shield, a former agreement regulating transatlantic data transfers.
In the complaints, NOYB argued that without a legal framework governing the data flow between the EU and the US, Europeans’ data could potentially become subject to surveillance by the US authorities. Because of that, using tools such as Google Analytics that send user data to the US violates the requirements of GDPR.
Datatilsynet’s position on the case has been coordinated with the European Data Protection Board (EDPB), which set up a special task force to help European DPAs handle the 101 complaints.
– The EDPB does a good job of ensuring that the supervisory authorities apply the law in a harmonized way. When it comes to the use of Google Analytics, a clear European consensus has emerged – says Tobias Judin, head of the international department at the Norwegian data protection authority.
The other DPAs have a month to raise potential objections against the Datatilsynet ruling, while the affected company has three weeks to comment on the case. After this, the Norwegian authority will make an official statement.
The press release by the Norwegian DPA includes a strong recommendation for Norwegian companies to seek compliant alternatives to Google Analytics. It most likely applies to both versions of the product – Universal Analytics and Google Analytics 4. As we can read in the statement:
We have received several questions about whether, hypothetically speaking, we would move towards a different conclusion with Google Analytics 4. The Norwegian data protection authority has not taken a position on this in the specific case, but as far as we can see, Google Analytics 4 will not necessarily correct those problems we have identified so far. In this context, referring to the Danish Data Protection Authority’s guidance may be helpful, which states precisely this (datatilsynet.dk).
Datatilsynet will release the official guidelines for Norwegian websites in the coming months.
Meanwhile, the future of Google Analytics in the rest of Europe remains unknown. The decisions on the remaining complaints by NOYB are pending. But since they’ll be coordinated by the EDPB, there’s a good chance they will share the sentiment of the previous opinions of the EU DPAs.
The decisions by EU DPAs apply to Google Analytics in its default setup. According to the guide by the French CNIL, it’s possible to configure Google Analytics to satisfy the requirements of GDPR.
But there’s a catch. To do so, companies must employ data pseudonymization with a reverse proxy. It means they have to:
- Ensure Google Analytics only fires scripts after user consent is obtained.
- Deploy analytics server-side on EU-based and -operated servers.
- Get rid of all personal identifiers (such as user identifiers, IPs, cross-site identifiers, referrer, most link decorations, and custom dimensions that may hold personal data) before sending data to the US.
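The third step, as it could run on the EU-based proxy, is sketched below. This is an added example, not code from CNIL, Google or Piwik PRO. It assumes hits arrive as Universal Analytics Measurement Protocol query strings; the function names, the sample hit and the choice to issue a fresh random `cid` per hit are assumptions made for illustration.

```python
import re
import uuid
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Universal Analytics Measurement Protocol keys removed outright:
# uid = user ID, uip = IP override, dr = document referrer.
DROP_PARAMS = {"uid", "uip", "dr"}
CUSTOM_DIMENSION = re.compile(r"cd\d+")  # cd1, cd2, ... may hold personal data
# Request headers that would reveal the visitor if relayed upstream.
DROP_HEADERS = {"cookie", "referer", "x-forwarded-for", "forwarded"}

# Constructed sample hit, not captured traffic.
SAMPLE_HIT = (
    "v=1&tid=UA-XXXXX-Y&cid=555.123&uid=crm-42&uip=203.0.113.7&t=pageview"
    "&dl=https%3A%2F%2Fshop.example%2Fcart%3Fgclid%3Dabc%26utm_source%3Dnews"
    "&dr=https%3A%2F%2Fmail.example%2F&cd1=jane%40example.org"
)


def strip_decorations(url):
    """Drop query string and fragment, where link decorations live."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))


def scrub_hit(query):
    """Return the hit payload in the form allowed to leave the EU proxy."""
    kept = []
    for key, value in parse_qsl(query, keep_blank_values=True):
        if key in DROP_PARAMS or CUSTOM_DIMENSION.fullmatch(key):
            continue
        if key == "cid":
            # Fresh random ID per hit: nothing links it to the visitor,
            # which is also why sessions can no longer be stitched together.
            value = str(uuid.uuid4())
        elif key == "dl":
            value = strip_decorations(value)
        kept.append((key, value))
    return urlencode(kept)


def scrub_headers(headers):
    """Filter inbound headers before the proxy opens its own upstream request."""
    return {k: v for k, v in headers.items() if k.lower() not in DROP_HEADERS}


if __name__ == "__main__":
    print(scrub_hit(SAMPLE_HIT))
```

Because the proxy opens its own connection upstream, the destination sees the proxy's address rather than the visitor's, provided no forwarding header is relayed.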
As a result, companies will lose all valuable data on their campaigns, referrers, cross-domain user journeys, and more. They will be left with no option to connect sessions and recognize visitors’ intent, and won’t know if one event led to another. Their data will be virtually unusable in many marketing and business use cases. Finally, companies will have to take on the severe cost and effort of maintaining such a configuration.
For this reason, replacing Google Analytics might be an easier option for companies that want to comply with the law and still collect meaningful data.
There’s also a new data agreement between the EU and the US in the works, which might again legitimize the use of tools such as Google Analytics. But according to data protection bodies and privacy activists, the American and European authorities still need to work out a solution that could meet the standards set by GDPR.
On February 28, the EDPB released its opinion on the draft adequacy decision regarding the EU-U.S. Data Privacy Framework. While the Board welcomes some improvements to the new draft of the agreement, it also points out its important flaws:
– A high level of data protection is essential to safeguard the rights and freedoms of EU individuals. While we acknowledge that the improvements brought to the U.S. legal framework are significant, we recommend to address the concerns expressed and to provide clarifications requested to ensure the adequacy decision will endure. For the same reason, we think that after the first review of the adequacy decision, subsequent reviews should take place at least every three years, and we are committed to contributing to them – says the EDPB Chair, Andrea Jelinek.
The Austrian data activist organization, NOYB, has also criticized the current version of the act. According to its founder, Max Schrems, the text fails to offer privacy safeguards going beyond what was offered under the previous invalidated frameworks.
– As the draft decision is based on the known Executive Order, I can’t see how this would survive a challenge before the Court of Justice. It seems that the European Commission just issues similar decisions over and over again – in flagrant breach of our fundamental rights – argues Max Schrems.
NOYB has declared that if the final order doesn’t align with EU law and the relevant judgments by the Court of Justice of the European Union (CJEU), they will file other complaints.
It appears that the new agreement might soon share the fate of its predecessors.
The preliminary decision and recommendations by Datatilsynet are a clear sign that Norwegian and other EU companies doing business in Norway must now carefully rethink their analytics choices. If they want to collect valuable data and comply with the EU law, there are several analytics platforms they can consider using.