The Danish Data Protection Agency Declares Use of Google Analytics Unlawful

Based on its investigation of Google Analytics, the Data Protection Agency concludes that the use of the tool is not directly compliant with the GDPR. This also applies even when activating the anonymisation and encryption features available in Google Analytics. The conclusion made by the Data Protection Agency implies that the tool cannot be used in its present form without taking further measures.

Concerns about Google Analytics
Besides complying with the rules of the Danish Executive Order on Cookies, owners of Danish websites using cookies must also comply with the GDPR. Accordingly, website owners must e.g. make sure to be authorised to collect and process personal data, such as IP addresses and unique identifiers, via cookies, and to enter into data processing agreements if third party solutions are used for the processing of data collected via cookies. Furthermore, attention must be directed to the issue of whether, in connection with the use of services collecting personal data via cookies, such as Google Analytics, data is transferred out of the EEA as such transfers are subject to special rules.

When any website owner uses Google Analytics, Google transfers any data collected via cookies placed by Google Analytics to Google in the USA, which may then access the data in plain text format. Opting out of such transfers when you use Google Analytics is not possible.

Such transfers may cause problems as Google in the USA is subject to US law and policies, implying that protection levels of any data available to Google in the USA are not adequate according to European standards. Consequently, the Danish Data Protection Agency and several other European data protection agencies have assessed that, as a general rule, Google Analytics may not be used in conformity with the GDPR.

What now?
Danish organisations using Google Analytics must determine whether their use of the tool is within the framework of the GDPR and, in particular, the rules on transfers. If this is not the case, said organisations have a duty to make their use of the tool GDPR compliant or, alternatively, they must cease any use of the tool.

The Data Protection Agency suggests two ways of solving the Google Analytics issue:

  1. Replace Google Analytics
    One possible solution is to replace Google Analytics with another similar tool. The French data protection agency, CNIL, has prepared a list of recommended alternative tools. The use of such tools, however, is subject to the requirement that the organisation in question address the issue of whether the tools may be used in compliance with the GDPR. The fact is that neither the Danish Data Protection Agency nor CNIL has made a detailed assessment of the tools on the said list.
  2. Configure Google Analytics to prevent collection of personal data
    According to the Data Protection Agency, the configuration options available in Google Analytics do not prevent the collection of personal data to a sufficient extent for use of the tool to become legal. Another option is, however, to set up a reverse proxy server as a node for Internet traffic on the website, ensuring pseudonymisation of the personal data processed by Google Analytics. The proxy server must be configured in a special way for it to comply with the conditions of pseudonymisation. For that purpose, CNIL has drafted a guide for the proper setting up of a reverse proxy. The configuration also implies, however, that Google Analytics will no longer be practicable in marketing contexts because it will, for example, no longer be possible to retrieve data on the campaign or channel from which the website visitor came.
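
The pseudonymising step such a reverse proxy performs on each analytics hit can be sketched as follows. This is an added example, not code from the Data Protection Agency, CNIL or Bech-Bruun, and it does not restate the conditions in CNIL's guide. The parameter names (`cid`, `dl`, `dr`, `utm_*`), the header list and the demo key are assumptions chosen to match the data the article mentions: IP addresses, unique identifiers and campaign or channel information.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Hypothetical proxy-side secret; it is never shared with the analytics provider.
PROXY_KEY = b"constructed-demo-key-rotate-me"
# Headers that reveal the visitor's address, origin or existing identifiers.
DROP_HEADERS = {"x-forwarded-for", "x-real-ip", "forwarded", "referer", "cookie"}
# Assumed parameter names: cid = visitor identifier, dl = page URL, dr = referrer.
ID_PARAM, PAGE_PARAM, REFERRER_PARAM = "cid", "dl", "dr"


def pseudonymise_id(client_id: str) -> str:
    """Replace the visitor identifier with a keyed hash only the proxy can reproduce."""
    return hmac.new(PROXY_KEY, client_id.encode(), hashlib.sha256).hexdigest()[:32]


def strip_query(url: str) -> str:
    """Keep scheme, host and path; drop the query string and fragment (utm_* etc.)."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))


def pseudonymise_hit(query: str, headers: dict) -> tuple:
    """Return the (query, headers) pair the proxy may forward upstream.

    The proxy opens its own connection, so the upstream only sees the proxy's IP.
    """
    out = []
    for key, value in parse_qsl(query, keep_blank_values=True):
        if key == REFERRER_PARAM or key.startswith("utm_"):
            continue  # campaign and channel data is lost, as the article notes
        if key == ID_PARAM:
            value = pseudonymise_id(value)
        elif key == PAGE_PARAM:
            value = strip_query(value)
        out.append((key, value))
    kept = {k: v for k, v in headers.items() if k.lower() not in DROP_HEADERS}
    return urlencode(out), kept


# Constructed sample hit (192.0.2.0/24 is a documentation address range).
SAMPLE_QUERY = ("v=1&t=pageview&cid=1234567890.1650000000"
                "&dl=https%3A%2F%2Fexample.dk%2Fpriser%3Futm_source%3Dnewsletter"
                "&dr=https%3A%2F%2Fsearch.example%2F&utm_campaign=spring")
SAMPLE_HEADERS = {"X-Forwarded-For": "192.0.2.44", "Referer": "https://example.dk/",
                  "Cookie": "_ga=GA1.2.1234567890.1650000000", "Accept-Language": "da"}

if __name__ == "__main__":
    print(pseudonymise_hit(SAMPLE_QUERY, SAMPLE_HEADERS))
```

Whether a given configuration actually meets the pseudonymisation conditions has to be checked against CNIL's guide itself.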

Roll up your sleeves right away
The decision made by the Danish Data Protection Agency and the European decisions made in the past months as to the use of Google Analytics are not the result of new legislation; rather, they constitute an interpretation of existing rules. This means that organisations are not allowed any adaptation period to settle the issue of their use of Google Analytics. In other words, the rules may even now be enforced by the Data Protection Agency. It is therefore important for organisations using Google Analytics to give priority to finding a way to solve any compliance challenges of using Google Analytics. The decision also forms part of a collective attack on cookies, whereby e.g. the IAB Europe cookie standards were also previously set aside by several foreign data protection authorities. For more details, please read our previous news article (in Danish only).

Trans-Atlantic Data Privacy Framework
The EU and the USA are currently working on an agreement to ensure legal transfer of personal data to the USA in compliance with data protection regulations. Even though the parties have agreed on the general provisions of such an agreement, no specific time frame has yet been given as to when the agreement will be in place. When in place, the agreement will also be conditional upon several legal documents being drafted and, probably, being put out to consultation with the European Data Protection Board before the agreement may be used as a basis for personal data transfers to the USA. The Data Protection Agency does not make any allowances in respect of GDPR violations in the period leading up to the coming into force of the agreement with the USA that may rectify any specific non-compliance.

Bech-Bruun recommendations
Violations of the rules on third-country transfers, which according to the decision made by the Danish Data Protection Agency cover the use of Google Analytics, are subject to the highest fines provided for by the guidelines on fines of the Data Protection Agency and may thus result in fines of up to 4% of annual global revenue. In addition, the issue is generally given substantial attention by the supervisory authorities in Denmark and the other EU Member States, and several other cases on the use of Google Analytics are already pending before the supervisory authorities.

Moreover, anyone visiting a website will be informed that the website uses Google Analytics. Consequently, continuing to use Google Analytics is certainly not without risk.

Bech-Bruun recommends that you:

  1. Form a general view of how you use Google Analytics, which features are important to your enterprise and whether you should move existing and historical data away from Google Analytics
  2. Make a plan for making Google Analytics comply with regulatory requirements – which possible solution do you intend to work with, how and when will the solution be implemented and how is the internal allocation of responsibilities?
  3. Update your privacy policy and cookie policy as soon as you have implemented your policy solutions to reflect your actual use of cookies and processing of personal data via the website. Use a cookie system automatically scanning the website for cookies, and if you have decided to replace Google Analytics with a legal alternative, you should ask your cookie supplier to perform a new, extraordinary cookie scan of the website as soon as you have replaced Google Analytics with the new system. In that way, you will be certain that the cookies used on your website are immediately accurate.

At Bech-Bruun, we specialise in data protection legislation, including third-country transfer of personal data. Please feel free to contact one of our data protection specialists if you need advice on the transfer of personal data to third countries and the requirements made in that respect, including on the legalisation of Google Analytics.