Norwegian DPA warns against EU-US data transfers – what it means for your website analytics

Written by Paweł Socha

Published March 19, 2025

If your company relies on Google Analytics or other US-based analytics tools, you may soon be putting your data compliance at risk.

In February 2025, Norway’s Data Protection Authority (Datatilsynet) issued new guidance on data transfers to the United States, highlighting growing concerns about the legal framework supporting these transfers – the EU-US Data Transfer Agreement. 

But why is this a matter of concern? The recent shake-up at the US Privacy and Civil Liberties Oversight Board (PCLOB) has left it unable to function properly. As a result, without a working oversight board, the US may struggle to guarantee adequate privacy protection measures – putting your data compliance at serious risk.

What are the consequences for marketers and website owners? If the EU decides to revoke the US adequacy decision, restrictions could be imposed immediately – without a transition period. That means if you’re still using Google Analytics or similar US-based services, your business could suddenly find itself violating the General Data Protection Regulation (GDPR) overnight.

The key takeaways from Norway’s new guidance

Here’s what the Norwegian DPA’s warning means for you if you’re handling EU/EEA user data:

Immediate risk for US services
The Privacy and Civil Liberties Oversight Board (PCLOB), which was meant to protect privacy rights in the US, is no longer operational. This raises red flags about the legal stability of transatlantic data transfers.

The current adequacy decision is still valid
Despite concerns over the PCLOB’s operational status, the EU-US Data Privacy Framework remains in effect – for now.

European Commission oversight
The European Commission is actively monitoring the situation and may revise or revoke the adequacy decision if significant privacy risks emerge.

Expert warnings
Privacy experts and legal advisors strongly recommend that you start planning an exit strategy now, rather than wait for new restrictions to take effect.

No grace period
If the EU withdraws the US adequacy decision, you may have no time to react, exposing you to financial fines and data disruption.

Why data transfers between the EU and US are so controversial

The transfer of personal data between the EU and US has been a long-standing point of contention due to fundamental differences in privacy laws. The EU enforces strict privacy rights under the General Data Protection Regulation (GDPR), ensuring that individuals have control over their personal data. The US, however, has more fragmented privacy laws, with intelligence agencies having broad powers to access data under regulations like the Foreign Intelligence Surveillance Act (FISA 702).

These concerns have led to major legal battles, including the Schrems I and Schrems II cases, which invalidated previous data transfer frameworks (Safe Harbor and Privacy Shield) because they failed to offer adequate protection for EU citizens’ data. The current EU-US Data Privacy Framework (DPF) is now under scrutiny, with Norway’s DPA warning that its validity could be short-lived. If it’s overturned, businesses relying on data transfers to the US could face immediate compliance risks.

The role of the European Commission in data transfers

The European Commission is responsible for assessing whether non-EU countries offer adequate data protection.  This process results in adequacy decisions like the one granted to the US under the DPF.

However, adequacy decisions are not permanent. They can be revoked or suspended if conditions change, and the Commission is obligated to continuously monitor the legal and political landscape in countries that receive EU data. The recent turmoil surrounding the Privacy and Civil Liberties Oversight Board (PCLOB) in the US has raised new doubts about whether the DPF can continue to meet the EU’s high data protection standards.

This means that relying solely on the DPF for legal data transfers may not be a sustainable long-term strategy for businesses. To avoid data disruption, you should explore alternative compliance measures such as Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), or switching to EU-based solutions.

What this means for marketers and website owners

If you’re running analytics on your website, now is the time to stay alert and prepare for any scenario. We’ve seen this before in 2020 – when Privacy Shield was invalidated, several European regulators quickly cracked down on Google Analytics and other US-based services. If history repeats itself and the EU-US DPF agreement is now revoked, we could see a domino effect of similar enforcement actions, following the latest concerns raised by the Norwegian DPA.

This means that if you continue using Google Analytics or similar US-based marketing solutions that rely on data transfers – such as ad networks, email platforms, and customer data platforms (CDPs) – you could soon be violating GDPR. Waiting for regulators to act could leave you scrambling at the last minute. Instead, you should take control now by switching to a privacy-compliant analytics solution such as Piwik PRO Analytics Suite.

European regulatory actions against Google Analytics

After the Schrems II ruling invalidated Privacy Shield in 2020, and before the European Commission adopted a new adequacy decision in 2023 – the EU-US Data Privacy Framework – European regulators wasted no time in taking action. Several data protection authorities (DPAs) ruled that using Google Analytics and other US-based services violated GDPR, citing concerns over inadequate safeguards against US surveillance.

These enforcement decisions created a ripple effect, forcing European businesses to rethink their analytics strategies. Here’s a look at how different countries responded:

  • Denmark: The Danish DPA (Datatilsynet) concluded that the use of Google Analytics violates the GDPR, as it involves transferring personal data to the US, which does not offer an adequate level of data protection.
  • Austria: The Austrian DPA ruled that data transfers to Google in the US via Google Analytics breach Chapter V of the GDPR, due to insufficient safeguards against US surveillance.
  • France: The French DPA (CNIL) determined that the use of Google Analytics is illegal under the GDPR, as it involves transferring personal data to the US without adequate protection.
  • Italy: The Italian Data Protection Authority (Garante) found that the use of Google Analytics violates the GDPR, as it results in the transfer of personal data to the US, which lacks adequate data protection measures.
  • Sweden: Sweden’s data protection authority (IMY) ruled that four companies had unlawfully transferred personal data to the US by using Google Analytics. The IMY stated that companies using Google Analytics fail to implement sufficient safeguards against US government surveillance, violating GDPR requirements.
  • Norway: The Norwegian DPA declared that the use of Google Analytics was illegal prior to the EU-US Data Privacy Framework adequacy decision, indicating potential for future restrictions.

How you can prepare for potential data transfer disruptions

Transatlantic data flows account for more than half of Europe’s data flows and about half of US data flows globally (US Chamber). This underscores the importance of ensuring compliant and secure data transfer mechanisms between the EU and the US. To mitigate these risks and ensure continued compliance, you should take proactive steps now. Some key actions include:

  1. Review contracts with US providers: Audit all agreements with analytics, marketing, and cloud service providers based in the US to understand data processing terms and compliance measures.
  2. Implement Standard Contractual Clauses (SCCs): If you continue working with US providers, ensure that SCCs are in place to provide additional legal safeguards for cross-border data transfers.
  3. Assess alternative digital marketing tools: Consider migrating to EU-based analytics and marketing solutions that operate within GDPR-compliant frameworks and offer full data residency options.
  4. Monitor regulatory developments: Stay updated on changes to data transfer regulations, including potential shifts in the EU-US Data Privacy Framework and rulings from other European DPAs.
  5. Enhance data protection policies: Strengthen internal policies on data minimization, user consent management, and encryption to align with best practices in privacy compliance.

While not all of these compliance steps fall directly within the marketing department’s responsibilities, marketers play a crucial role as advocates for privacy-first strategies, by ensuring compliance protects not just user data but also the company’s reputation and ROI. By proactively championing privacy compliance, you help secure sustainable and legally sound digital marketing and analytics strategies that maintain customer trust and business continuity.

Norwegian DPA’s broader concerns beyond Google Analytics

While much of the discussion around data transfers has focused on Google Analytics, Norway’s DPA highlights a much broader issue – US companies across multiple industries process EU personal data, raising legal and compliance risks.

Many businesses use US-based services beyond analytics, including:

  • Cloud providers like Amazon Web Services (AWS) and Microsoft Azure.
  • Marketing platforms like HubSpot and Mailchimp.
  • Customer Relationship Management (CRM) software like Salesforce.
  • Ad-tech solutions that track users across websites.
  • Consent management platforms (CMPs) such as OneTrust and TrustArc.

If the EU-US adequacy decision is revoked, all these services could be in legal jeopardy for businesses processing EU citizen data. Norway’s DPA encourages companies to audit their data flows now, ensuring they know where personal data is processed and whether it complies with GDPR.

For businesses seeking a sustainable approach, shifting towards EU-hosted, privacy-first solutions will help ensure compliance without relying on regulatory frameworks that could change at any moment.

Piwik PRO Analytics Suite: A safe and compliant Google Analytics alternative 

Piwik PRO Analytics Suite is the best GA4 alternative for marketers who want to gain valuable and actionable analytics insights while ensuring full GDPR compliance. Here’s why:

8 reasons to replace Google Analytics 4 with Piwik PRO Analytics Suite

  1. Fully GDPR-compliant: Built with privacy in mind, unlike US-based platforms that risk legal challenges.
  2. Data residency and sovereignty: Piwik PRO allows you to choose data storage locations, ensuring compliance with local data residency requirements.
  3. Easy privacy compliance: Collect data with full respect for privacy laws, including GDPR, HIPAA, CCPA, and TTDSG. The platform includes privacy settings directly in the UI.
  4. 100% data ownership: No third-party sharing, so you retain control over all user data.
  5. Advanced analytics with familiar concepts: Piwik PRO supports both event-based tracking and session-level aggregation, allowing marketers to analyze user behavior with advanced reports such as funnels and user flows.
  6. More reliable data collection: Capture up to 70% more data compared to Google Analytics, all while staying privacy-compliant. Piwik PRO offers session-level data collection in anonymous profiles that align with EU regulations.
  7. Painless migration & seamless setup: Implement Piwik PRO with a single tracking tag and start analyzing data in under an hour. The platform follows a familiar logic for those transitioning from Universal Analytics or GA4.
  8. Well-integrated product suite: Benefit from an advanced analytics ecosystem that includes a Customer Data Platform, a Tag Manager, a Consent Manager, and multiple integration options for better data activation and personalization.

Read detailed comparisons between Piwik PRO and Google Analytics (free and 360) for 100+ features: Piwik PRO vs Google Universal Analytics & GA 360 & GA 4 & GA 4 360

Don’t just take our word for it: hear from our customers on Piwik PRO’s benefits

Still unsure if Piwik PRO is the right choice to confidently replace Google Analytics? See what the experts have to say about the advantages of switching to Piwik PRO for a privacy-compliant, powerful analytics solution:

Success Story

There has been a lot of discussion surrounding the legality of Google Analytics in Europe due to data transfers from the EU to the US. We didn’t want to wait for developments, nor did we want to stay in the gray area of legality. So we started looking around for alternatives. A partner organization had recently switched to Piwik PRO and put us in touch.

Emke de Vries

Online Marketer at ICTRecht

Success Story

It became pretty clear at that time that we needed to step away from Google Analytics, because of GDPR and the invalidation of the Privacy Shield framework. We realized we had to replace it with a European, privacy-compliant platform and implement a consent manager to respect the rights of our visitors.

Kay Beutling

Digital Project Manager at DKMS

Getting started with Piwik PRO Analytics Suite: A step-by-step guide

Transitioning to Piwik PRO ensures compliance with data protection regulations while maintaining robust analytics capabilities. Here’s how to get started:

  1. Research your analytics needs: Identify the key insights and features your business relies on and ensure they align with compliance requirements.
  2. Compare Piwik PRO with your current solution: Explore Piwik PRO’s capabilities to determine how it meets your needs and where it can even offer deeper privacy-first insights.
  3. Request a demo: Schedule a personalized demo to see Piwik PRO in action and discuss integration with your existing marketing stack.
  4. Plan your migration: Work with Piwik PRO’s team to develop a seamless transition strategy, ensuring minimal data loss and downtime.
  5. Set up & customize: Configure dashboards, reports, and user permissions to align with your business objectives. We offer flexible support for onboarding and implementation.
  6. Train your team: Provide onboarding resources and training to maximize the value of their new analytics platform. A good place to start is Piwik PRO’s YouTube channel, which offers a dedicated playlist with Piwik PRO Analytics video tutorials.
  7. Optimize & monitor: Continuously refine your analytics setup based on insights while ensuring ongoing compliance with privacy regulations.

Find your Google Analytics replacement

Regulatory uncertainty is increasing, and Norway’s warning makes it clear: US-based analytics tools could soon be non-compliant across the EU. However, global data regulations are tightening beyond the EU. Countries like China (PIPL), India (DPDP Act), Brazil (LGPD), and Canada (CPPA) are all implementing stricter privacy frameworks. Businesses that rely on cross-border data transfers need a future-proof strategy that prioritizes privacy-first solutions, EU-based vendors, and data sovereignty.

Waiting until restrictions are enforced could mean scrambling to find a solution while facing potential fines and data loss. Piwik PRO Analytics Suite is the best alternative to Google Analytics, providing a powerful, privacy-focused analytics solution that keeps your business ahead of changing regulations without disrupting your analytics and marketing data.

Switch to compliant analytics with Piwik PRO Analytics Suite

Take control of your data and ensure compliance with GDPR and other global privacy laws.

FAQ 

Why are EU-US data transfers under scrutiny again?

The Norwegian DPA has raised concerns about the operational status of the US Privacy and Civil Liberties Oversight Board (PCLOB), which plays a key role in ensuring US data protection standards. If the EU-US Data Privacy Framework (DPF) is revoked, businesses relying on US-based services like Google Analytics could suddenly find themselves non-compliant with GDPR.

What happens if the EU revokes the Data Privacy Framework (DPF)?

If the EU revokes the adequacy decision for the EU-US Data Privacy Framework (DPF), companies relying on Google Analytics or other US-based tech tools could suddenly be in violation of GDPR, with no transition period. This could lead to financial fines and operational disruptions.

Is Google Analytics a GDPR-compliant choice for EU businesses?

While the EU-US Data Privacy Framework (DPF) is currently in place, concerns remain about its long-term stability. The Norwegian DPA and other European regulators warn that Google Analytics still poses compliance risks because it involves transferring personal data to the US, where surveillance laws (like FISA 702) allow government access to foreign data.

Multiple European Data Protection Authorities (DPAs) – including those in France, Austria, Denmark, Italy, Sweden, and Norway – have ruled in the past that Google Analytics violates GDPR due to US surveillance risks. If you’re still using Google Analytics, your company could be at risk of enforcement actions should the DPF be withdrawn by the European Commission.

Solution: To future-proof your analytics, switch to a privacy-compliant alternative like Piwik PRO Analytics Suite, which offers GDPR-compliant data hosting in the EU.

What is the best alternative to Google Analytics for GDPR compliance?

A privacy-compliant alternative to Google Analytics is Piwik PRO Analytics Suite. Unlike US-based tools, Piwik PRO offers:

  • Full GDPR compliance with EU-based hosting options.
  • 100% data ownership, meaning your data stays private.
  • Advanced analytics capabilities, including event tracking, funnels, and user flows.

Migrating from GA4 to Piwik PRO is simple, making the transition easy with:

  • One-click data import options.
  • Customizable dashboards to match your existing setup.
  • Comprehensive onboarding support to help teams transition smoothly.

What makes Piwik PRO Analytics Suite different from other Google Analytics alternatives?

Piwik PRO Analytics Suite is built with privacy at its core, offering:

  • Data residency options within the EU, US, or private cloud.
  • No third-party data sharing—you own 100% of your analytics data.
  • Integrated privacy tools, including built-in consent management.
  • Advanced analytics and tag management in one platform.

How can I confidently switch from Google Analytics without losing insights?

Piwik PRO Analytics Suite provides a familiar analytics experience while improving data collection reliability (up to 70% more data than GA4), privacy compliance, and advanced reporting features like funnels and user flows. It also offers easy migration tools for a seamless transition.

How do I start transitioning away from Google Analytics?

To replace Google Analytics, first audit your data flows, then evaluate privacy-compliant analytics platforms. Piwik PRO Analytics Suite makes it easy to migrate with a free plan, allowing businesses to test the platform before fully transitioning. You can also request a free demo customized to your needs.

What other US-based services might be affected by EU data transfer regulations?

Beyond Google Analytics, any US-based marketing, cloud, or analytics platform handling EU data – including, for example, HubSpot, Mailchimp, Salesforce, and AWS – could be impacted if the adequacy decision is revoked. You should assess all third-party tools that process user data now to be prepared with alternative tools.

How can I prepare for potential EU-US data transfer disruptions?

To stay ahead of regulatory changes, businesses should:

  • Audit current data flows to identify any dependencies on US-based services.
  • Explore privacy-compliant alternatives like Piwik PRO Analytics Suite.
  • Implement Standard Contractual Clauses (SCCs) for additional safeguards.
  • Monitor regulatory updates and plan for a smooth transition.

What’s the safest way to future-proof my analytics strategy?

To avoid regulatory uncertainty, switch to an EU-hosted analytics provider with strong privacy protections, like Piwik PRO Analytics Suite, that allows you to implement a reliable data privacy strategy. This ensures long-term compliance with GDPR and other evolving global privacy laws.