Google Analytics and EU rules

 September 26, 2022

In the last few months, we have witnessed multiple European Data Protection offices weigh on the legitimacy of Google Analytics.

Back in January, I’ve published a post that touched on the topic but was not really about Google Analytics. So, let’s start looking at what happened, why Google Analytics seems to be so interesting for the European Privacy authorities, and finish with some guessing on what could happen in the next few months.

What happened so far

On 5th January 2022, the European Data Protection Supervisor (EDPS) published the decision that the European Parliament website was not compliant with GDPR due to the usage of Google Analytics.

On 12th January 2022, the Austrian Data Protection Authority (DSB) decided that an Austrian company using Google Analytics violated the GDPR since moving such data to the US has no legal basis.

On 10th February 2022, the French Data Protection Authority (CNIL) publishes a sentence where they find that Google Analytics data transfer to the USA as being non-compliant with GDPR. On 2nd March 2022, the CNIL published two other decisions (MED 2022-015 and MED 2022-016), reaffirming the same.

On 23rd June 2022, the Italian Data Protection Authority (GPDP) decided that Caffeina Media Srl, a local publisher, usage of Google Analytics was non-compliant with GDPR.

On 21st September 2022, the Danish Data Protection Agency (Datatilsynet) published a review where they concluded that Google Analytics could not be used in a way that is compliant with the GDPR.

Google Analytics issues

Why are so many Data Protection Authorities saying that Google Analytics usage is not, and probably can not be, compliant with GDPR? The main reasons are:

Google Analytics users can share data with Google and often do so
Google Analytics data are (potentially) stored in the US
Google Analytics data are managed by Google, which is a company subject to the CLOUD Act

The first point is the less problematic of all since a correct configuration would allow avoid this issue.

The second problem has been confirmed by Google, and there is no way around since Google Analytics users can not configure it. Potentially Google could change its architecture and avoid this movement of data, effectively solving this problem. Although Google says that Google Analytics 4 solves the issue, the Austrian and Danish DPAs reject Google’s point of view.

The third problem is by far the biggest. All US companies are subjected to the CLOUD Act, which forces them to hand to US Authorities personal data they have access to if US Authorities ask for them. Google affirmed that in 15 years, they never received any request by US Authorities to share data deriving from Google Analytics. The issue, though, is that the CLOUD Act also forbids the company to share the information that the request (and the data transfer) occurred. So, Google can not communicate if they have received any such request, so even if they say that they have never received such a request, their statement is worthless from the DPAs point of view. Also, even if Google’s statement is true, it does not prevent the US Authorities from performing such a request in the future. This problem is enormous but very little discussed since it would impact nearly all services provided by any US company to EU citizens.

Future speculations

A possible solution to Google Analytics (and all other US-provided services) would be a new EU-US deal similar to Safe Harbor and Privacy Shield. The issue with this solution is that both those agreements were invalidated by the European Court of Justice (ECJ) due to the lack of local regulations (mostly in the US) that sustained the international agreement. Creating a new agreement without having changed or removed the CLOUD Act and other regulations such as the SCA, the LEADS Act, and the ICPA would result in the ECJ scrapping that agreement as it did for the previous two. The EU and the US announced that an agreement “in principle” was found in March 2022, but nothing followed it, so it is tough to say if something will ever be proposed on this, and if so, when it will happen.

So, speaking of the average Google Analytics user having no power to influence US Laws and international agreements between US and EU, I think that he should take action to mitigate his risk by substituting Google Analytics with other tools that do not have the same issues.

 Privacy, Web

 Cookies, GDPR, Google, Legal

Say something

Comments

Ann Oneemus on 2022-10-16 17:53:21 UTC said:

Your first issue with goggle.analytics is unclear. Are users knowingly sharing information with goggle? or is the information leaking out? Can you advise which tools you can substitute for google.analytics?

Your About page is informative but I wonder what your mission statement would be.

I landed on your site looking for ‘a websites with no cookies’ and wonder what that page collects from a visitor to that page.

now to see what you have to say about open source…

Fabio Alessandro Locati on 2022-10-17 06:31:53 UTC said:

The first issue with Google Analytics is that by default, the option is to share such information with Google, and many people do not de-flag it.
Also, part of the problem is that the person that should de-flag it is the Google Analytics user (the website owner) and not the data owner (the website user).

As for alternatives to Google Analytics, there are many alternatives, with or without cookies. I’ve decided to go for no tracking (if not the ones derivable from Access logs), but I know that there are alternatives such as Matomo and Plausible Analytics that can be self-hosted. Using those software does not guarantee that the solution can be considered GDPR-compliant since implementation errors might create a non-compliant solution.

My mission statement is to help people leverage technology to improve the world we live in and decrease technology-related risks for themselves and others.