Google Analytics and Europe: Everything You Need to Know

Etienne Cussol CIPP/E, CIPM

April 25, 2022


Companies worldwide use Google Analytics to gather data on website visitors. However, recent European regulatory decisions have jeopardized the future of Google Analytics use in Europe.

Let’s take a deeper look into everything you need to know about the friction between Google Analytics and European regulatory bodies.

Table of Contents
  1. What’s the EU’s Issue With Google Analytics?
  2. EU-US Data Transfers
  3. Google Data Transfers
  4. How EU Member Rulings Affect Google Analytics Users
  5. What Can You Do About Your Google Analytics Use?
  6. Next Steps

What’s the EU’s Issue With Google Analytics?

When a company uses Google Analytics, the data is stored and processed by Google’s servers in the United States. This transfer of data from Europe to the United States has been a point of contention for several European regulators.

In particular, there are concerns over how US intelligence services are able to access European citizens’ personal data without the protections that are required under several European data privacy laws.

EU-US Data Transfers

Several agreements, frameworks, and rules have been developed over the years to attempt to allow EU data to be safely shared with the United States. However, as data privacy regulations have grown over the years and attention has been given to data transfers, these agreements have undergone legal challenges.

EU-US Privacy Shield

The EU-US Privacy Shield was one of the most well-known data transfer frameworks created to address issues related to data transfers from Europe to the United States. It replaced the Safe Harbour Privacy Principles, which were overturned by the European Court of Justice (CJEU) in 2015.

Privacy Shield was created by the European Commission and the US government in order to permit the transfer of European data safely. However, in July 2020, the CJEU invalidated the EU-US Privacy Shield due to concerns about inadequate protections.

In particular, concerns were raised over US surveillance laws. These laws enable US intelligence services to request foreign personal data from certain US companies, including Google.

US surveillance laws do not give non-US citizens any way to know whether their data is being acquired or how it’s being used, or to seek redress for any misuse. For this reason, Privacy Shield was invalidated, and each business transferring data from the EU to the US must consider the lawfulness of the data transfer on a case-by-case basis.

European Data Protection Board Guidance

The ruling also made it clear that EU regulators must step in and suspend data flows if they believe people’s information is at risk. 

So for some transfers to be legal (such as EU-US data flows), additional measures may be needed (supplementary measures) to raise the level of protection to the required standard of essential equivalence with EU law — something the European Data Protection Board (EDPB) has since issued detailed guidance on.

Here is a short overview of the most effective measures from the guidance. If you need to transfer EU personal data to the US:

  1. anonymize it before the transfer, or
  2. pseudonymize the personal data before the transfer, or
  3. encrypt data before the transfer.

The listed steps should provide an effective supplementary measure and enable EU-to-US data transfers. 

If a business cannot do any of the steps, there are additional measures in the EDPB guide, like state-of-the-art security and contractual obligations.

Google Data Transfers

Google has implemented many supplementary measures following the EDPB guidelines, including IP address anonymization.

So, what is the EU opinion on Google’s measures?

Austria’s Ruling on Google Analytics

The Austrian Data Protection Authority ruled that the use of Google Analytics violates the GDPR. 

They determined that the technical measures put in place by Google Analytics — including limiting access to data centers and encrypting data as it moves around the world — don’t do enough to stop it from potentially being scooped up by US intelligence agencies.

Google was able to access data in plain text. The unique ID generated by GA is considered to be personal data under the GDPR. Therefore, Google Analytics use involves personal data that isn’t protected from potential surveillance.

“This transfer was found to be unlawful because there was no adequate level of protection for the personal data transferred,” says Matthias Schmidl, the deputy head of the Austrian data regulator.

He also added that website operators cannot use Google Analytics and be compliant with GDPR.

Google responded to the Austrian ruling with the following: 

“We are convinced that the extensive supplementary measures we offer to our customers ensure the practical and effective data protection to any reasonable standard.”

In the same document, Google urged the US and EU to come to a mutual decision that will once again enable data flow from the EU to the US.

France’s Ruling on Google Analytics

The French data protection authority (CNIL) reached a similar decision. CNIL decided that an unnamed French website’s use of Google Analytics is non-compliant with the GDPR as it breaches Article 44 (which covers personal data transfers from the EU to countries that do not have essentially equivalent privacy protections, like the US).

The CNIL’s official statement is that transfers to the United States “are currently not sufficiently regulated” because of the absence of an EU-US adequacy decision (a mechanism that would allow for data transfer). Because of this, there is a risk for French website visitors when visiting websites with GA.

The authority noted that the additional measures taken by Google to regulate Google Analytics data transfers “are not sufficient to exclude the accessibility of this data for US intelligence services.”

European Data Protection Supervisor

The European Data Protection Supervisor’s (EDPS) intervention relates to a COVID-19 test booking website that the European Parliament launched in September 2020.

The test booking website was found to be dropping cookies associated with Google Analytics and Stripe — but the parliament failed to demonstrate it had applied any special measures to ensure that any associated personal data transfers to the US would be adequately protected.

How EU Member Rulings Affect Google Analytics Users

If you use Google Analytics, you may need to evaluate how and where you are using it. The GDPR applies to any company or website that serves European users, even if the company or website is not located in Europe. If you are subject to the GDPR, these rulings could impact your ability to use GA on your website.

What Can You Do About Your Google Analytics Use?

Please note that all mentioned decisions are only binding in that particular case. Also, some are in the appeal process and not yet final. There are also many more GA complaints filed around Europe that are awaiting a final decision.

Analyze and Decide

You can review European Data Protection Board (EDPB) guidance and supplementary measures from Google to decide if they offer an adequate level of data protection for you to continue using them on your website. However, this might be challenging as it requires time and some legal knowledge.

If you have access to legal counsel, we suggest consulting with them to see how the GA issue applies to your use case.

Please review GA technical documentation to see if you can set up GA in the least privacy-intrusive way, following EDPB guidance. You can also refer to Termly’s documentation on Google consent mode.

Use a Google Analytics Alternative

You can consider not using GA until their technology is scrutinized by EU authorities or until the US and EU reach a data transfer agreement. Here are some alternatives for you to explore:

Alternative | Description
Matomo | Google Analytics alternative that protects your data and your customers’ privacy.
Plausible | Simple and privacy-friendly alternative to Google Analytics.
Umami | A simple, fast, website analytics alternative to Google Analytics.
Aurora | 100% Cookie-Free Open Website Analytics. Collect Anonymous Data. Make your Audience Happy Now!
Nullitics | Zero-effort open-source cheap analytics.
Ackee | Self-hosted website analytics.
Shynet | Modern, privacy-friendly, and detailed web analytics that works without cookies or JS.
Pirsch | Pirsch is a simple, privacy-friendly, open-source alternative to Google Analytics — lightweight, cookie-free, and easily integrated into any website or backend.

*Disclaimer: The opinions about the alternative tools are not Termly’s but taken from https://github.com/pluja/awesome-privacy. Please do your own due diligence if you decide to switch from GA to one of the provided vendors. The purpose of this list is to provide you with potential alternatives worth exploring.

If You Want To Continue Using GA

You can continue using GA at your own risk and follow new developments from EU privacy authorities and Google.

The EU Commission and the US agreed in March 2022 to commit to a new data privacy framework. However, the deal has not been finalized and may be subject to legal challenges.

Google Analytics 4

As a part of their efforts to focus on privacy, Google introduced Google Analytics 4, which is available now. It will fully replace Universal Analytics in 2023.

Google Analytics 4 offers broader privacy controls and also incorporates some privacy-focused changes. For example, it will not store IP addresses, which is critical for some data privacy concerns. In addition, it includes more control over various data settings.

It’s unclear if Google Analytics 4 changes will impact any European regulatory authority decisions.

Next Steps

If you use Google Analytics and have customers, users, or website visitors in Europe, you should stay aware of the legal decisions impacting its use. To stay updated on privacy rules and regulations, follow Termly’s weekly privacy news updates.

Written by Etienne Cussol CIPP/E, CIPM

Etienne is an Information Privacy professional and compliance analyst for Termly. He has been with us since 2021, managing our own compliance with data protection laws and participating in our marketing research. His fields of expertise and interest include data protection (GDPR, ePrivacy Directive, CCPA), tracking technologies (third-party cookies, fingerprinting), and new forms of privacy management (GPC and the Google Privacy Sandbox). Etienne studied International Economic Affairs at the University of Toulouse, and graduated with a Masters in 2017.