28. October 2022

How to keep using Google Analytics compliantly

Several European data protection authorities have found the use of Google Analytics unlawful. But website operators have options if they want to become compliant with data protection law.

2022 has brought us some groundbreaking findings in European data protection. In many cases, the question of personal data transfers to third countries, especially the U.S., has been the focus of attention. This includes transfers that typically occur within marketing and analytics tools.

Most users of U.S. tools are facing major changes, because data protection authorities are increasingly enforcing the General Data Protection Regulation (GDPR) and the rulings of the Court of Justice of the European Union (CJEU).

Many of the popular marketing and analytics tools no longer meet the requirements. Those who continue to use them risk fines in addition to legal fees and reputational damage. Fines can amount to up to 4% of a group's global annual turnover.

So why have U.S. tools like Google Analytics been declared unlawful?

The problem with U.S. tools

When and how personal data may be transferred to countries outside the EU is one of the central issues of the GDPR. To be clear, the GDPR does not prohibit the transfer of user data to third countries or the use of tools from third countries, such as Google Analytics.

However, the requirements for these transfers are considerable. For example, the website operator must check whether the third country offers an “adequate level of data protection”, which the EU Commission establishes by way of an adequacy decision.

In the case of the U.S., the answer is simple: no, the level of protection is not sufficient. 

The CJEU came to this conclusion in the so-called Schrems II ruling of July 2020. It declared the EU-U.S. Privacy Shield, the data transfer framework in force at the time, invalid.

The main reason for this ruling was a U.S. federal law, the Foreign Intelligence Surveillance Act (FISA). Its expansion after the attacks of 11 September 2001, in particular Section 702, enabled the U.S. government and intelligence agencies such as the NSA to conduct large-scale surveillance of internet communications.

Tech companies can still be compelled to hand over user data under orders of the secret Foreign Intelligence Surveillance Court (FISC). The 2013 Snowden revelations documented this in practice.

The data of EU citizens is therefore not adequately protected in the United States. In consequence, website operators are responsible under the GDPR for ensuring that personal data is not transferred to the U.S. without further measures.

Google Analytics declared unlawful

The ruling has had a broad effect on data privacy enforcement in Europe. The Austrian data protection authority declared the use of the U.S.-based tool Google Analytics unlawful at the beginning of the year – a groundbreaking decision. Since then, the authorities of Italy, France and Denmark have followed suit. 

Google tried to counter the Austrian decision by implementing new data protection functionalities in Google Analytics. But even these are not sufficient to establish legality, as the Danish data protection authority ruled in late September. 

Unfortunately for businesses on both sides of the Atlantic, physically placing servers within the EU or letting subsidiaries handle the data processing does not solve the problem. 

According to the data protection authorities, U.S. government agencies and intelligence services can also reach data held on servers and by subsidiaries of U.S. companies, regardless of where these are located. The U.S. CLOUD Act makes this explicit.

Users of Google Analytics (and other U.S. tools) would therefore have to stop using them if they wanted to be on the right side of the law, or take additional measures to protect the data of EU citizens.

Though the EU data protection authorities have specifically examined Google Analytics, their decisions have similar implications for all tools and services from U.S. providers that rely on the transfer of personal data. 

By the way, for the UK an adequacy decision by the EU Commission is currently in effect (adopted in June 2021).

Possible solutions

It is difficult to legally send personal data to third countries when no decision on data protection adequacy is in place. 

Under the GDPR, the affected user must explicitly consent to the individual transfer and must be informed about its possible risks beforehand. Such consent may serve as a legal basis only in exceptional cases and must “not become the rule,” as the European Data Protection Board has pointed out.

So in practice, relying on consent is extraordinarily difficult. And whether practical workarounds to this problem will hold up in court is also still completely unclear.

The remaining alternative is to rely on standard contractual clauses, which, according to the CJEU, can enable lawful data transfers, provided that additional measures are taken. One such measure is the pseudonymization of personal data on a proxy server before it is sent to the U.S. More on that later.

So what courses of action do website operators realistically have left?

Three scenarios

1. Wait and see

One possible strategy is to do nothing for the time being and wait to see if and to what extent the EU data protection authorities execute their decisions. 

Advantages: You don’t have to change anything in your MarTech stack and avoid switching to other tools and tracking solutions. 

Also, the U.S. and the EU are working on a successor to Privacy Shield that would allow for much easier data transfers between them.

Disadvantages: There are risks associated with this option. The new data transfer agreement between the EU and the U.S. has already been criticised for offering too little to satisfy the requirements of the CJEU. Indeed, privacy activists have already made it quite clear that the new framework will be challenged in court as soon as it takes effect. Legal limbo could continue for the time being.

It is also true that since the GDPR came into force in May 2018, it has taken some time for data protection authorities to start publishing concrete instructions on this topic. 

However, a consensus is emerging among member state authorities, particularly concerning Google Analytics and third-country transfers. It may well be that the first penalties are issued sooner than expected – and these can be severe, at up to 4% of a group's global annual turnover.

2. Switch to European tools

You could switch your MarTech stack to European tools. If the providers are based in the European Economic Area and are not subsidiaries of companies from third countries, you avoid the issues around international data transfers.

Advantages: This approach makes it easier for you to track in a privacy-compliant manner.

Disadvantages: Your infrastructure is tuned to your existing tracking and analytics setup. It can take considerable effort to make the switch.

The choice of European solutions is also still limited. Very few match established tools from the U.S. in terms of performance.

3. Switch to a proxy solution (server-side tracking)

The data protection authorities of France and Denmark have pointed to a proxy solution as a possible supplementary measure.

The concept is simple: instead of transferring data directly to the U.S. (or to U.S.-operated servers in the EU), website operators place a server of their own in between. There, the data is pseudonymized so that it can no longer be linked to an individual. Only then is the data forwarded to U.S. tools such as Google Analytics. Both the server and the tracking software must be operated by EU companies in the EU. The setup only helps if what leaves the proxy is genuinely non-identifying: the full IP address, persistent user identifiers, the complete user agent string and any URL parameters or custom fields that could carry personal data must be removed or replaced before forwarding, because the recipient must not be able to re-identify visitors by combining the data with its own.

Using this method, called server-side tracking, website operators can continue to use their usual tools.

Advantages: You can simply continue to use your existing marketing tech stack and become GDPR-compliant. You collect first-party data, which often has better quality and depth than third-party data.

Disadvantages: The basic principle of server-side tracking is quite simple, but the implementation can involve considerable technical effort and costs if you want to set it up yourself.
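As an added example (not JENTIS code, and not the specification of any data protection authority), the following Python shows what the pseudonymization step of such a proxy can look like, illustrating both the "pseudonymization via a proxy server" mentioned under possible solutions and the server-side tracking scenario above. It assumes that incoming hits arrive as a dictionary of query parameters in the style of Google's Measurement Protocol, that the outbound request to the vendor is only built rather than sent, and that the parameter names, the secret and the sample hit are constructed for illustration.

```python
"""Pseudonymizing step of an EU-hosted analytics proxy (added example).

Assumptions, none of which come from the article: incoming hits are a dict of
query parameters in the style of Google's Measurement Protocol; the outbound
request to the analytics vendor is only built, not sent; parameter names,
the secret and the sample hit are constructed for illustration.
"""
import hashlib
import hmac
from urllib.parse import urlencode, urlsplit, urlunsplit

# Hypothetical server-side secret. It lives only on the EU proxy and never
# reaches the vendor; rotating it bounds how long pseudonyms stay linkable
# (at the price of losing returning-visitor continuity across rotations).
PROXY_SECRET = b"constructed-example-secret-rotate-me"

# Allowlist of parameters that may leave the proxy at all. Everything else is
# dropped by default: user ids, the visitor's IP (the vendor then only sees the
# proxy's egress address), custom dimensions that might carry personal data.
FORWARDABLE = {"v", "tid", "t", "cid", "ua", "dl", "dr", "dt"}


def pseudonymize_id(value: str, secret: bytes = PROXY_SECRET) -> str:
    """Keyed hash of an identifier: the same input maps to the same pseudonym,
    so sessions still join up, but without the key the recipient can neither
    recompute nor reverse the mapping (a plain SHA-256 could be brute-forced
    for identifiers with known structure)."""
    return hmac.new(secret, value.encode("utf-8"), hashlib.sha256).hexdigest()[:32]


def strip_url(url: str) -> str:
    """Keep scheme, host and path only; query strings and fragments frequently
    carry e-mail addresses, order numbers or session tokens."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))


def coarsen_user_agent(ua: str) -> str:
    """Replace the full User-Agent (a strong fingerprinting signal) with a
    device class; the vendor loses browser-version detail, the visitor
    gains anonymity."""
    return "mobile" if "Mobile" in ua else "desktop"


def pseudonymize_hit(hit: dict, secret: bytes = PROXY_SECRET) -> dict:
    """Turn one incoming hit into the reduced hit the proxy may forward."""
    out = {key: value for key, value in hit.items() if key in FORWARDABLE}
    if "cid" in out:
        out["cid"] = pseudonymize_id(out["cid"], secret)
    if "ua" in out:
        out["ua"] = coarsen_user_agent(out["ua"])
    for key in ("dl", "dr"):
        if key in out:
            out[key] = strip_url(out[key])
    return out


def build_forward_body(hit: dict) -> str:
    """Body of the POST the proxy would send on to the vendor (the network
    call itself is deliberately omitted here)."""
    return urlencode(pseudonymize_hit(hit))


# Constructed sample hit, not a real capture (203.0.113.0/24 is a documentation range).
SAMPLE_HIT = {
    "v": "1",
    "tid": "UA-000000-0",
    "t": "pageview",
    "cid": "1234567890.1666000000",
    "uid": "alice@example.org",
    "uip": "203.0.113.42",
    "ua": "Mozilla/5.0 (Linux; Android 13) AppleWebKit/537.36 Mobile Safari/537.36",
    "dl": "https://shop.example/checkout?order=8812&email=alice%40example.org",
    "dr": "https://search.example/?q=blood+pressure+medication",
    "dt": "Checkout",
    "cd1": "customer-no-4471",
}

if __name__ == "__main__":
    for key, value in pseudonymize_hit(SAMPLE_HIT).items():
        print(f"{key}={value}")
    print(build_forward_body(SAMPLE_HIT))
```

The allowlist is the important design choice: a denylist would silently forward the next custom dimension someone adds to the tag configuration, while an allowlist fails closed. The keyed hash keeps the vendor's session and returning-visitor metrics working without the vendor ever seeing the cookie value itself, which is why a secret that never leaves the EU proxy is used instead of an unkeyed hash.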

Read more

The Trans-Atlantic Privacy Framework is taking shape. But will it stick?
U.S. President Biden has signed an executive order detailing regulations for the planned EU-U.S. Data Privacy Framework. The legal limbo is likely to continue for businesses on both sides of the Atlantic.

CNIL confirms Server-Side Tracking
We could hardly believe it when we at JENTIS read the two new articles from the French data protection authority CNIL. A whisper went through the office: "Are they writing about us?"

Denmark: Google Analytics declared unlawful
Google Analytics can no longer be used in a legally compliant manner without further measures. With its decision, Denmark's agency joins other data protection authorities in Europe.