In a statement from earlier this year, the Danish Data Protection Agency (DDPA) announced that Google Analytics (GA) cannot be used lawfully unless measures are taken in addition to the standard settings provided by Google.
The announcement echoes a line of similar statements recently made by other European supervisory authorities, who have uniformly found the use of GA to be unlawful under current circumstances without additional measures being taken.
The growing list of European agencies united in condemning the unregulated use of GA now also tentatively includes the Norwegian Data Protection Authority (Datatilsynet), which has recently reached the preliminary conclusion “that the use of GA was in violation of the GDPR’s transfer rules”.
But what do the DDPA’s and the Datatilsynet's statements really mean? And why are EU countries taking this stance against GA now?
What The DDPA’s Statement Means
It is important to note that the conclusion reached by Datatilsynet is only preliminary, and that the authority may yet reach a conclusion that falls short of effectively banning the use of Google Analytics in Norway. The statement released by the Danish authority, by contrast, means that, in its standard form and settings, the use of Google Analytics violates Danish law with regard to data privacy. This is because GA is not by default compliant with the EU General Data Protection Regulation (GDPR), as the tool may transfer personal data to the United States without offering an adequate level of data protection.
As this is the case, online organizations in Denmark who are unable to implement additional measures to safeguard visitor privacy must now use an alternative analytics tool that complies with GDPR, and it seems very likely that this will eventually be enforced in Norway also.
While the DDPA’s new statement applies only to organizations operating in Denmark, it is the direct result of the much wider drive to establish a standardized set of data protection laws at the European level. GDPR laws are intended to make it easier for citizens to understand how their data is being used, and to raise complaints, even if they are not in the country where the issue exists.
As Makar Juhl Holst, Senior Legal Advisor at the DDPA, put it:
“The GDPR is made to protect the privacy of European citizens. This means, among other things, that you should be able to visit a website without your data ending up in the wrong hands. We have carefully reviewed the possible settings of Google Analytics and have come to the conclusion that you cannot use the tool in its current form without implementing supplementary measures.”
The DDPA’s guidance is based on the information provided by the European supervisory authorities’ decisions in combination with the DPA’s own research, and while a clear deadline is yet to be set for when GDPR-compliant solutions must be in place, organizations in Denmark and beyond would be well advised to start getting a plan ready sooner rather than later.
Why EU Countries Are Taking This Stance Against Google Analytics
The reality is that the European supervisory authorities’ attention has long been directed at Google Analytics. This attention is warranted, as GA does not, by default, provide a sufficient level of data protection under the GDPR.
Following Schrems II, the landmark European data privacy verdict issued in July 2020, the GA tool has been under even greater scrutiny for its noncompliance with data transfer rules. This led the European Data Protection Board (EDPB) to create a dedicated task force to coordinate the response at a European level. Since then, the Italian, Austrian and French DPAs have all declared the use of GA to be effectively non-compliant.
The new statement is essentially the Danish DPA following suit and, unsurprisingly, agreeing with other European DPAs that GA is unlawful without additional measures being taken to ensure data transfer rules are adhered to. In the majority of cases the measures that will need to be taken to ensure compliance will be both highly costly and complex to implement. So, while it is true that the Danish DPA is technically neutral when it comes to specific products, in practical terms this can be seen as amounting to an effective ban on the tool in Denmark.
What all this basically boils down to is that organizations in Denmark will need to assess whether their use of GA takes place in compliance with data protection law. In cases where its use is found to be unlawful, immediate action will need to be taken to bring it into compliance or its use must be discontinued entirely.
How Monsido Can Help
With internet users worldwide increasingly concerned about their activity being tracked across the internet, the legal changes we are seeing across Europe with regard to data protection are ultimately both welcome and overdue. The unrestrained use of tools such as GA is not only becoming unlawful in many countries, but perhaps more importantly, contributes to an online culture that treats website visitors and their information unethically. At the end of the day, people across the globe do not want their online activities and information tracked without limitation, and so the demand for laws that guarantee user privacy is only increasing.
The good news is that the digital landscape can ultimately only be improved by organizations adapting and navigating their activities so as not to be reliant on privacy-invasive tooling such as GA.
The even better news is that Monsido’s Statistics Module provides everything you need to track website analytics and user behavior while also meeting GDPR and Danish legal requirements.
With powerful new features like event tracking and data range comparison, you won’t need to go anywhere else to get the insights you need about your website visitors and their behavior.
The information in this article is made available by Monsido ApS and/or its subsidiaries and affiliates and is for informational purposes only so as to provide its customers with a general understanding of current legal developments. It should not be construed as providing specific legal advice, and you acknowledge that no attorney/client relationship exists between you or any third party and Monsido ApS and/or its subsidiaries and affiliates. This article should not be used as a substitute for competent legal advice from a licensed lawyer in your jurisdiction.