The Danish Data Protection Authority announces the common position of all EU supervisory authorities:
Only with the help of a so-called reverse proxy procedure Google Analytics can be used legally in the EU!
And that even
- after the adjustments Google has made following the decision in Austria.
- if standard contractual clauses have been agreed and the function of retrospective IP anonymisation, restrictions on data sharing and deactivation of Google Signals is used.
No matter whether Universal Analytics or Google Analytics 4 is in use.
The decision is also relevant for Germany. The statement reads:
(Translation and unterlining by the author)
It is very helpful that the Danish Data Protection Authority has also published answers to the most frequently asked questions, clearing up many misunderstandings:
- Is it possible to configure the Google Analytics tool in such a way that persondal data is not transferred to the United States?
- Is it possible to configure the Google Analytics tool in such a way that no persondal data is collected?
- I believe that I have configured Google Analytics in such a way that no personal data is collected. Do I violate a ban if I continue to use Google Analytics?
- Is this not at least pseudonymised data, which, according to you, is a possible effective supplementary measure?
- Can effective supplementary technical measures be implemented on their own?
- Can controllers take into account the likelihood of the specific data being accessed by law enforcement authorities on the basis of a risk-based approach?
- Is it possible to use Google Analytics based on the consent of visitors?
- What about Google’s statement that the company has never received requets from U.S. authorities for access to the data collected through Analytics?
- Is there an adjustment period?
- Is a new agreement between the EU and the US on the transfer of personal data not right around the corner?
The conclusion is that only following the instructions of the French data protection authority for setting up a reverse proxy can enable the legal use of Google Analytics: https://www.cnil.fr/en/google-analytics-and-data-transfers-how-make-your-analytics-tool-compliant-gdpr.
However, this procedure is very time-consuming and entails many restrictions (see our blog article “Is the use of Google Analytics with server-side tracking permitted in the EU?“).
It is much safer and easier to switch to an EU provider with independently confirmed GDPR and TTDSG compliance, as is the case with etracker Analytics.