Companies worldwide use Google Analytics to gather data on website visitors. However, recent European regulatory decisions have jeopardized the future of Google Analytics use in Europe.
Let’s take a deeper look into everything you need to know about the friction between Google Analytics and European regulatory bodies.
What’s the EU’s Issue With Google Analytics?
When a company uses Google Analytics, the data is stored and processed by Google’s servers in the United States. This transfer of data from Europe to the United States has been a point of contention for several European regulators.
In particular, there are concerns over how US intelligence services are able to access European citizens’ personal data without the protections that are required under several European data privacy laws.
EU-US Data Transfers
Several agreements, frameworks, and rules have been developed over the years to attempt to allow EU data to be safely shared with the United States. However, as data privacy regulations have grown over the years and attention has been given to data transfers, these agreements have undergone legal challenges.
EU-US Privacy Shield
The EU-US Privacy Shield was one of the most well-known data transfer frameworks created to address issues related to data transfers from Europe to the United States. It replaced the Safe Harbour Privacy Principles, which were overturned by the European Court of Justice (CJEU) in 2015.
Privacy Shield was created by the European Commission and the US government in order to permit the transfer of European data safely. However, in July 2020, the CJEU invalidated the EU-US Privacy Shield due to concerns about inadequate protections.
In particular, concerns were raised over US surveillance laws. These laws enable US intelligence services to request foreign personal data from certain US companies, including Google.
US surveillance laws do not provide non-US citizens with any way to know whether their data is being acquired, how it’s being used, or seek redress for any misuse. For this reason, Privacy Shield was invalidated, and each business transferring data from the EU to the US must consider the lawfulness of data transfer on a case-by-case basis.
European Data Protection Board Guidance
The ruling also made it clear that EU regulators must step in and suspend data flows if they believe people’s information is at risk.
So for some transfers to be legal (such as EU-US data flows), additional measures may be needed (supplementary measures) to raise the level of protection to the required standard of essential equivalence with EU law — something the European Data Protection Board (EDPB) has since issued detailed guidance on.
Here is a short overview of the most effective measures from the guidance. If you need to transfer EU personal data to the US:
- anonymize it before the transfer, or
- pseudonymize the personal data before the transfer, or
- encrypt data before the transfer.
The listed steps should provide an effective supplementary measure and enable EU-to-US data transfers.
If a business cannot do any of the steps, there are additional measures in the EDPB guide, like state-of-the-art security and contractual obligations.
Google Data Transfers
Google has implemented many supplementary measures following the EDPB guidelines, including IP address anonymization.
So, what is the EU opinion on Google’s measures?
Austria’s Ruling on Google Analytics
The Austrian Data Protection Authority ruled that the use of Google Analytics violates the GDPR.
They determined that the technical measures put in place by Google Analytics — including limiting access to data centers and encrypting data as it moves around the world — don’t do enough to stop it from potentially being scooped up by US intelligence agencies.
Google was able to access data in plain text. This unique ID generated by GA is considered to be personal data under the GDPR. Therefore, Google Analytics use involves personal data that isn’t protected from potential surveillance.
This transfer was found to be unlawful because there was no adequate level of protection for the personal data transferred
says Matthias Schmidl, the deputy head of the Austrian data regulator.
He also added that website operators cannot use Google Analytics and be compliant with GDPR.
Google responded to the Austrian ruling with the following:
We are convinced that the extensive supplementary measures we offer to our customers ensure the practical and effective data protection to any reasonable standard.
In the same document, Google urged the US and EU to come to a mutual decision that will once again enable data flow from the EU to the US.
France’s Ruling on Google Analytics
The French data protection authority (CNIL) reached a similar decision. CNIL decided that an unnamed French website’s use of Google Analytics is non-compliant with the GDPR as it breaches Article 44 (which covers personal data transfers from the EU to countries that do not have essentially equivalent privacy protections, like the US).
The CNIL official statement is that transfers to the United States “are currently not sufficiently regulated” because of the absence of an EU-US adequacy decision (a mechanism that would allow for data transfer). Because of this, there is a risk for French website visitors when visiting websites with GA.
The authority noted additional measures taken by Google to regulate Google Analytics data transfers “are not sufficient to exclude the accessibility of this data for US intelligence services.”
European Data Protection Supervisor
The European Data Protection Supervisor’s (EDPS) intervention relates to a COVID-19 test booking website that the European Parliament launched in September 2020.
The test booking website was found to be dropping cookies associated with Google Analytics and Stripe — but the parliament failed to demonstrate it had applied any special measures to ensure that any associated personal data transfers to the US would be adequately protected.
How EU Member Rulings Affect Google Analytics Users
If you use Google Analytics, you may need to evaluate how and where you are using it. The GDPR applies to any company or website that serves European users, even if the company or website is not located in Europe. If you are subject to the GDPR, these rulings could impact your ability to use GA on your website.”
What Can You Do About Your Google Analytics Use?
Please note that all mentioned decisions are only binding in that particular case. Also, some are in the appeal process and not yet final. There are also many more GA complaints filed around Europe that are awaiting a final decision.
Analyze and Decide
You can review European Data Protection Board (EDPB) guidance and supplementary measures from Google to decide if they offer an adequate level of data protection for you to continue using them on your website. However, this might be challenging as it requires time and some legal knowledge.
If you have access to the legal counsel, we suggest consulting with them to see how the GA issue applies to your use case.
Please review GA technical documentation to see if you can set up GA in the least privacy-intrusive way, following EDPB guidance. You can also refer to Termly’s documentation on Google consent mode.
Use a Google Analytics Alternative
You can consider not using GA until their technology is scrutinized by EU authorities or until US and EU reach a data transfer agreement. Here are some alternatives for you to explore:
Alternative | Description |
Matomo |
Google Analytics alternative that protects your data and your customers’ privacy. |
Plausible |
Simple and privacy-friendly alternative to Google Analytics. |
Umami |
A simple, fast, website analytics alternative to Google Analytics. |
Aurora |
100% Cookie-Free Open Website Analytics. Collect Anonymous Data. Make your Audience Happy Now! |
Nullitics |
Zero-effort open-source cheap analytics. |
Ackee |
Self-hosted website analytics. |
Shynet |
Modern, privacy-friendly, and detailed web analytics that works without cookies or JS. |
Pirsch |
Pirsch is a simple, privacy-friendly, open-source alternative to Google Analytics — lightweight, cookie-free, and easily integrated into any website or backend. |
*Disclaimer: The opinions about the alternative tools are not Termly’s but taken from https://github.com/pluja/awesome-privacy. Please do your own due diligence if you decide to switch from GA to one of the provided vendors. The purpose of this list is to provide you with potential alternatives worth exploring.
If You Want To Continue Using GA
You can continue using GA at your own risk and follow new developments from EU privacy authorities and Google.
The EU Commission and the US agreed in March 2022 to commit to a new data privacy framework. However, the deal has not been finalized and may be subject to legal challenges.
Google Analytics 4
As a part of their efforts to focus on privacy, Google introduced Google Analytics 4, which is available now. It will fully replace Universal Analytics in 2023.
Google Analytics 4 offers broader privacy controls and also incorporates some privacy-focused changes. For example, it will not store IP addresses, which is critical for some data privacy concerns. In addition, it includes more control over various data settings.
It’s unclear if Google Analytics 4 changes will impact any European regulatory authority decisions.
Next Steps
If you use Google Analytics and have customers, users, or website visitors in Europe, you should stay aware of the legal decisions impacting its use. To stay updated on privacy rules and regulations, follow Termly’s weekly privacy news updates.
reviewed by Masha Komnenic CIPP/E, CIPM, CIPT, FIP Director of Global Privacy