In a still-pending complaint, the Norwegian data protection authority (Datatilsynet) reached the preliminary conclusion that “the use of Google Analytics was in violation of the GDPR's transfer rules.” The authority made the findings public yesterday on its website (Norwegian only) and expects to adopt a final decision “at the earliest in late April.”
Of course, the authority might reach a different conclusion in the end. But we have good reasons to believe that this will not be the case and that Norway may soon join Austria, France, Italy, Finland, and Denmark and practically ban Google Analytics. Here’s why.
(Update: a high-profile data transfer case involving Meta was decided by the Irish privacy authority two months later. As a result, Meta was fined €1.2 billion and is currently risking an EU-wide Facebook blackout. The reasons behind the decision are the same ones that led to the bans against Google Analytics. We discussed this important case in detail.)
- Google Analytics and data transfers
- What did the other authorities say exactly?
- What can we expect from the decision?
- The bigger picture
- Final Thoughts
Google Analytics and data transfers
We don’t have a decision yet, but we can take a look at the broader picture and take an educated guess about the most likely outcome and the reasons behind it.
Google Analytics’ legal issues with the GDPR are nothing new: as we noted, other data protection authorities (DPAs) already took a hard stance. Most of their decisions result from a coordinated set of complaints by privacy NGO noyb, in a strategic effort to nudge DPAs towards stricter enforcement of the GDPR’s data transfer rules and of the Schrems II ruling of the EU Court of Justice.
Noyb’s complaints all read the same. The use of Google Analytics requires the transfer of personal data (cookies and IP addresses) to Google LLC, based in California. But this transfer exposes data to the risk of State surveillance in the US. For this reason, personal data needs to be protected through adequate safeguards against surveillance, as the Court of Justice established in the Schrems II case. Noyb claims that the data transfers lack these required safeguards (known as supplementary measures in the jargon). This makes the use of Google Analytics incompatible with the GDPR and the Schrems II ruling. So far, the Austrian, French, and Italian authorities have agreed with noyb, and the Danish and Finnish ones embraced the same position in different circumstances.
(There is more to Schrems II and data transfers. We wrote about these topics in more depth on another blog.)
What did the other authorities say exactly?
To be clear, all complaints and decisions are technically about specific websites. This is why we say that Google Analytics is practically banned in some countries. In theory, a different website could use Google Analytics lawfully by implementing different and better safeguards.
But theory is the keyword here. In practice, there are very few safeguards from State surveillance. Ensuring the safety of the data transfer is difficult for many services and practically impossible for Google Analytics, because it’s built around cookies and needs to process cookie identifiers in the clear in order to work (we wrote more about this).
So every decision practically amounts to a State-wide ban, which is why Google’s legal issues draw much attention in the privacy community.
What can we expect from the decision?
We don’t have a crystal ball, but we can take an educated guess based on the bigger picture.
Authorities have approached noyb’s complaints in the same way so far. This is because they coordinated their approach at a European level, as the Datatilsynet itself notes in its press release. This is why the Norwegian authority will probably rule against the use of Google Analytics in the end.
It should be noted that the Datatilsynet is treating the complaint as a cross-border case. In practice, this means that other European authorities can play a role by raising objections. But we don’t expect this to happen. Last year the French authority also submitted its decision against Google Analytics to other authorities, and no objections were raised at that time.
It is also worth mentioning that Norway is not an EU country. In fact, Norway is subject to the GDPR because it is a part of the European Economic Area. If the Datatilsynet's decision were confirmed, Norway would become the first non-EU country to rule against Google Analytics on the issue of data transfers.
The bigger picture
There are many privacy-friendly alternatives to Google Analytics, and Simple Analytics is one of them. We believe that a ban on Google Analytics is not the end of the world.
But the issue with data transfers is bigger than Google Analytics. Many US-based services require transfers of personal data and may come under fire next. Ditching Google Analytics is relatively easy (hello Simple Analytics), but doing without services like Oracle and AWS is a different story.
This is why the US and the European Commission negotiated a new data transfer framework to facilitate data transfers, and have taken steps to implement it. In December 2022, the Commission drafted an adequacy decision for the US, essentially a decision that greatly facilitates data transfers with a specific country. The decision is pending Member States' approval and will certainly be challenged in court.
It is worth noting that the EU Court of Justice already invalidated two adequacy decisions for the US in the Schrems I and II cases. It is hard to say how a “Schrems III” case will play out. For the moment, the future of data transfers remains uncertain.
Final Thoughts
Same story. Different country. Nothing new to see here as we’ve seen different EU countries reach the same conclusion as the Norwegian authorities just did. However, every country taking a stance against Google Analytics strengthens the case for better data protection. Google has picked up the ever-growing call for more privacy by switching to GA4. However, GA4 does not fix this issue.
At Simple Analytics, we also picked up the call for more privacy, and we do fix this issue. We are a small and independent team that strongly believes the internet should be a place that respects privacy. Surely, it’s possible to get the insights you need while being 100% GDPR compliant without needing a cookie banner. Not convinced? Feel free to try it for yourself.