
Google Analytics is illegal - What can you do?

Malte Bolvig Hansen

Digital Marketing & CRO Specialist

Malte has 10+ years of experience with online marketing, and since joining MCB in 2012 he has dealt with everything that moves within the online world.

The Danish Data Protection Agency has declared Google Analytics illegal. You have probably already heard it, and perhaps it has made you break into a sweat. Because what do you do? We give you an overview of what you can do.

The questions are lined up: What, how, why. There is a lot of speculation, and it can be difficult to see how you should react to the news. That is why we have put together an overview that gives you a better understanding of what you can do.

It all starts with a data processing agreement. A data processing agreement is what must ensure that your business partners process data properly. This could be when you transfer data to HubSpot, Facebook, or LinkedIn. In such cases the purpose of the data processing agreement is to ensure that the data you transfer to a third party is processed in accordance with the law.

The Danish Data Protection Agency examined Google Analytics for flaws and came to the conclusion that Google Analytics is illegal to use. This is because you send personal data to the tool and therefore must have a data processing agreement, and you cannot have that because Google Analytics is American-owned.

Since Google Analytics is American-owned, the American Intelligence Service has access to all the data that is transferred to it. On that basis the EU perceives the USA as an unsafe third country to which personal data may not be transferred under the GDPR. That was the shorter version; below we give you a more in-depth review.

 

Why is Google Analytics Illegal?

That in itself can be a complicated question to answer. Many things are still unknown and at an early stage, which makes it almost impossible to predict the future.

In this blog post we give you an insight into the path that led to the recent verdict on Google Analytics, with a timeline that (hopefully) simplifies the otherwise extensive issue.


2013: Safe Harbour becomes invalid
In 2013 Max Schrems complained to the Irish Data Protection Authority because Facebook in Ireland transferred his personal data to Facebook in the USA. Facebook based the transfer on the then Safe Harbour agreement, which the European Commission had set up so that it was legal to transfer data between countries. But based on the case, the European Court of Justice ruled the Safe Harbour invalid (source).

2016: The European Commission introduces the Privacy Shield
Privacy Shield generally had the same purpose as the Safe Harbour but with improvements and adjustments. It was then legal to transfer data to companies that had joined the Privacy Shield (source).

May 2018: Introduction of GDPR and requirements for data processor agreement
In 2018 the EU introduces new legislation under the name General Data Protection Regulation (GDPR). According to the Danish Data Protection Agency the GDPR rules have the following purpose:

“The rules in the GDPR are designed to protect the privacy of European citizens. This means, among other things, that you must be able to visit a website without your information ending up in the wrong hands.” (source).

The new legislation means that from now on it is a requirement that all companies enter into a data processing agreement with their tech suppliers, documenting that personal data is processed in accordance with the rules. At the time, it was possible to enter into such an agreement with American companies because they had the Privacy Shield.

You can read much more about the GDPR rules at Dansk Erhverv here.

The new and comprehensive GDPR rules would prove to be the starting point for many changes, including the latest verdict on Google Analytics.

July 2020: Privacy Shield (USA) ruled invalid
In July 2020 the Court of Justice of the European Union concludes that in future personal data may not be transferred to the USA through the Privacy Shield. This is because Privacy Shield is unable to protect sensitive personal data from the US government. In practice, therefore, you cannot make a legal data processing agreement with an American company.

This means that the tools of all American companies that move personal data across national borders, e.g. from Denmark to the USA, have actually been illegal since 2020. In principle this also involves platforms such as Facebook, Google Ads, HubSpot, YouTube, Salesforce, Microsoft Power BI and many more (source). And that in itself is extensive and potentially very critical.

September 2022: The Danish Data Protection Agency judges Google Analytics illegal
The Danish Data Protection Agency examines Google Analytics and concludes that the tool is illegal because it sends personal data to an American company. Moving data requires a data processing agreement, which can no longer be made with a US company because the Privacy Shield is invalid. Upon closer inspection of Google Analytics it is therefore assessed that the tool does not meet the European GDPR regulations. This also means that Google Analytics has actually been illegal since July 2020, when the Privacy Shield was ruled invalid.

The tool sends information to servers in the United States, which according to a ruling in 2020 is not a safe country. The reason lies in the fact that the FBI can in principle re-identify a person through the data that can be found in Google Analytics. This can be done for example with:

  • IP address
  • Client-id (which Google sets through a cookie in the browser)
  • Referral source
  • URL parameters from the link from which you visit a page
  • Fingerprint in the form of device and browser
  • User ID from CRM system or login
  • Order number

All of these are examples of how data from Google Analytics can be used to re-identify a person.

To use the tool legally, one must ensure that it is impossible to re-identify a person through the data. This will require implementing a number of measures in addition to the settings provided by Google (source). And this will ultimately mean that the data you are probably most interested in through Google Analytics is no longer possible to access.

October 2022: USA makes a new proposal for the Privacy Shield
The US has issued a decree presenting a new and more secure version of its Privacy Shield in the hope that the EU will approve it. If the EU approves it, the new agreement will mean that the US is no longer classified as an unsafe third country and that data processing agreements with American companies can once again be made. Personal data may therefore in the future be stored on servers in the USA. But again: this requires the agreement to be approved by the EU.

October 2022 - March 2023: EU analyzes the new Privacy Shield
It is still difficult to say what will happen. It is expected that within the next six months the EU will analyze the new Privacy Shield in depth, and only then will we know what it means for the use of tools that store data in the US.

March 2023 - End of 2023: Schrems III trial
Even if the EU were to end up approving the new Privacy Shield, it is expected that we will have to go through a trial where the court will have to assess whether it is secure enough (source).

End of 2023: The hour of decision (maybe)
By the end of 2023 we may be wiser, or perhaps not. It is difficult to say what the decision will be, but everything indicates that we will have a decision at the end of 2023. Only time can tell whether Google Analytics will remain illegal or whether there will be a solution that makes it legal again.

 

So What Should You Do?

That is the big question you are probably left with now. And many are, because the confusion is total.

As the situation currently stands, you roughly have three options, and we leave it up to you which one you choose:

  1. Wait for the EU to approve the US's new Privacy Shield
    Option 1, however, involves you breaking the GDPR rules in the meantime, and you risk doing that for a long time because, as the timeline showed, it is a decision that can be a long time in the making.

  2. Make use of Google Analytics legally and accept that it will degrade your data
    As previously described, it is possible in practice to use Google Analytics legally, but this is at the expense of the data you are most interested in, which is of course not optimal. If you still want to continue using Google Analytics, you must set up what the Danish Data Protection Agency calls reverse proxying, also called server-side tracking. This means sending data from server to server and not from client to server.

  3. Replace your American tools with European alternatives
    With option 3 you uninstall Google Analytics and use alternatives instead. In this way you comply with the GDPR regulations right now. The alternatives include Matomo Analytics, which is basically the European version of Google Analytics.

 

What is Matomo Analytics?

Matomo was launched in 2007 and is a powerful personal data protection platform that provides 100 % data ownership. Today, the tool is used by over 1 million users in over 190 countries.

On the Matomo website you can read how Matomo compares to Google Analytics. A subscription to Matomo costs from DKK 145/month depending on your traffic. If you are already interested in Matomo, it is possible to test drive the tool here.

At MCB our specialists are also ready to help you get started with Matomo Analytics.

 
