Danish Data Protection Authority declares the use of Google Analytics illegal

The Danish Data Protection Authority announces the common position of all EU supervisory authorities:

Google Analytics can be used legally in the EU only with the help of a so-called reverse proxy procedure!

And that applies even

  • after the adjustments Google has made following the decision in Austria.
  • if standard contractual clauses have been agreed and the functions of retrospective IP anonymisation, restrictions on data sharing and deactivation of Google Signals are used.

No matter whether Universal Analytics or Google Analytics 4 is in use.

See: https://www.datatilsynet.dk/presse-og-nyheder/nyhedsarkiv/2022/sep/brug-af-google-analytics-til-webstatistik

The decision is also relevant for Germany. The statement reads:

“Although each case has been decided individually by the respective supervisory authority that received the original complaint, the decisions reflect a common European approach among supervisory authorities. It is crucial for both the organisations processing personal data and the citizens whose personal data are at stake that the common European rules are interpreted in the same way across the EU/EEA. The subject matter of the complaints lodged has been exactly the same and the cases have therefore been dealt with together in a Working Party under the auspices of the European Data Protection Board. Here, the legal issues – and the response to them – have been discussed.”

(Translation and underlining by the author)

It is very helpful that the Danish Data Protection Authority has also published answers to the most frequently asked questions, clearing up many misunderstandings:

  • Is it possible to configure the Google Analytics tool in such a way that personal data is not transferred to the United States?
  • Is it possible to configure the Google Analytics tool in such a way that no personal data is collected?
  • I believe that I have configured Google Analytics in such a way that no personal data is collected. Do I violate a ban if I continue to use Google Analytics?
  • Is this not at least pseudonymised data, which, according to you, is a possible effective supplementary measure?
  • Can effective supplementary technical measures be implemented on their own?
  • Can controllers take into account the likelihood of the specific data being accessed by law enforcement authorities on the basis of a risk-based approach?
  • Is it possible to use Google Analytics based on the consent of visitors?
  • What about Google’s statement that the company has never received requests from U.S. authorities for access to the data collected through Analytics?
  • Is there an adjustment period?
  • Is a new agreement between the EU and the US on the transfer of personal data not right around the corner?

The conclusion is that only following the instructions of the French data protection authority for setting up a reverse proxy can enable the legal use of Google Analytics: https://www.cnil.fr/en/google-analytics-and-data-transfers-how-make-your-analytics-tool-compliant-gdpr.

However, this procedure is very time-consuming and entails many restrictions (see our blog article “Is the use of Google Analytics with server-side tracking permitted in the EU?”).

It is much safer and easier to switch to an EU provider with independently confirmed GDPR and TTDSG compliance, as is the case with etracker Analytics.
