After Austria, France, and Italy, Denmark has become the fourth country to declare the use of Google Analytics unlawful. This decision was stated in a press release from the DPA and is a result of a coordinated approach at the European level.
It’s not the first time the Danish DPA has ruled on the use of Google products. A few months ago, it issued a statement declaring the use of Google Workspace (formerly G-suite) for municipalities in violation of the GDPR.
In the present statement, the Danish DPA addresses the use of Google Analytics specifically and on a much broader scale.
Let’s dive in!
1. Statement by Danish DPA
The Danish DPA concluded that the use of Google Analytics is unlawful. The decision is based on an individual case but represents a common European position toward processing personal data.
Unlike the other DPAs, the Danish DPA did not act on a complaint but instead looked into GA’s data transfers at its own discretion.
It stated that the GDPR is made to protect the privacy of EU citizens. This means that you should be able to visit a website without your data being misused. In this light, they have carefully examined Google Analytics, in particular, after other Member States’ previous decisions.
After careful consideration, the Danish DPA reached the same conclusion as the other Member States. In its current form and settings, the use of Google Analytics violates the law.
They stated that you must stop using the tool if it’s impossible to implement additional measures that safeguard website visitors’ privacy. If that’s not possible, you should find another analytics tool that does comply with GDPR and does not transfer data to “unsafe” third countries like the U.S.
2. Background on the press release
Data transfers to the U.S. have become much more complicated since the Schrems II decision. It’s a long story, but in a nutshell, since Schrems II, additional safeguards need to be implemented to transfer data to the U.S. In many cases, this is practically impossible.
After Schrems II, Google Analytics came under fire from several DPAs for not complying with data transfer rules. Privacy NGO noyb filed 101 complaints about data transfers directed against Google Analytics and Facebook, and the EDPB created a task force to coordinate the response at a European level. This led to the Austrian, French and Italian DPAs stating that the use of Google Analytics is illegal.
The Danish DPA is now following suit. They looked into GA and stated that it could not be used without implementing some complex and costly supplementary measures (a reverse proxy server). In practical terms, Denmark is the fourth country to ban Google Analytics.
3. Implications for Danish organizations
The Danish DPA stated that GA is not compliant with the rules of data transfers, meaning that a data controller cannot legally use it unless they protect the data with supplementary measures.
The only example offered by the DPA is a reference to the position of the French authority: you can use GA if you use a server as a reverse proxy. We would be very surprised if anyone actually did this. Hosting GA on your own server is costly and complicated that it defeats the purpose of using a free analytics tool to begin with!
No other measures are suggested, for the very good reason that none exist. This press statement is, for all practical purposes, a ban.
4. Final Thoughts
The recent decisions and the fact that a task force has been created on a European level make it highly likely that this is not the last decision we have seen.
Organizations will need to rethink their business practices with respect to web analytics. This is a change for the better. Not only is the use of Google Analytics unlawful, but it’s also unethical towards website visitors.
Consumers demand privacy and don’t want to be tracked across the internet.
The internet will be a better place if organizations adapt and navigate their business without relying on privacy-invasive tooling like Google Analytics.