Is Google Analytics GDPR-compliant? Main issues

Please click here to read the details.

What are the main problems?

Data transfer to the United States. GA collects data from users all over the world including users from the European Union and stores this data on the cloud services in the United States. That has become a problem not a long time ago, with the so-called Schrems II decision by the Court of Justice of the European Union. That decision has made invalid the U.S.- EU Privacy Shield. That mechanism was used to transfer data between the European Union and the U.S. safely and without additional requirements. Now, most of the companies transferring data from the EU to the U.S. are using standard contractual clauses in their data processing agreements to safeguard the transferred data. 


After the Schrems II decision, the NOYB (Austrian data protection non-government organisation) has found up to 101 complaints against companies who use Google Analytics: 

  • There is one decision from the Austrian DSB already which stated that using Google Analytics regarding the EU users violates several provisions of GDPR. Even implementation of SCC and technical and organizational measures was not enough to make such transfer to the U.S. lawful. 
  • The Dutch Data Protection Authority also claims that the use of Google Analytics is not compliant with GDPR, as the data collected by GA was sufficient to identify a European data subject. 
  • The Norwegian DPA has recommended exploring alternatives to Google Analytics.


Thus, the lawfulness of data transfer to the U.S. via Google Analytics remains quite a complicated issue, and one of the ways to solve it is to somehow prevent the interference of U.S. national authorities and intelligence services from getting access to the data transferred to the U.S. by restricting its powers to inspect and seize the personal data. 


Consent! Despite the problems with transfer to the U.S., there is also a consent issue with Google Analytics. Due to the fact that GA makes a profile of every user with a unique ID and hashes this information, such data anyway is treated as personal under GDPR. It will be almost impossible to perform such processing based on purpose other than the user’s consent. So, there is a risk to lose a lot of active users, while they do not want to consent to the tracking their personal data via Google Analytics. Moreover, it is important to manage visitors’ consent: obtain it in a lawful way, store it for the necessary period and delete it when it isn’t needed. 


All in all, there are definitely some concerns regarding the GDPR compliance of Google Analytics: transfers to the U.S., which is a third country under GDPR, the necessity to obtain consent: all of these problems make it harder and harder to use GA now. So, we need to wait for the thoughts of other European data protection authorities.  


What about now? Companies that use Google Analytics perhaps need to think about a different scenario. As it becomes dangerous to use GA now, it is reasonable to look for some alternative ways of tracking statistics, switch to European platforms which are compliant with GDPR. 


However, as there is no direct decision to ban GA, companies may make their use of GA a bit safer by following some recommendations: 

  • Accept Google’s Data Protection Agreement which is updated to reflect the new version of SCC.
  • Obtain user consent in accordance with GDPR rules.
  • Correct configuration of Google Analytics by using IP anonymization. 
  • Switch to server-side tracking: it means that data transferred to Google Analytics would not contain users’ IP addresses. 
  • Use other services to secure the data: for example, data catalyst to anonymize the data collected.

    Reminder: to make a donation please click here.

    Your question to IT lawyers