In light of this significant development, we have updated our coverage to reflect the latest information. To stay up-to-date on the new EU-US Data Privacy Framework agreement and its implications, we invite you to read our latest article on the topic.
🔍 Discover the latest: EU to USA Personal Data Transfers Now Approved
The usage of Google Analytics in Europe has been in jeopardy due to recent European court cases.
→ Several European data protection authorities have found that Google Analytics’ processing of European user data could result in illegally transferring data outside Europe.
The actions around Google Analytics are the result of the Privacy Shield being struck down after the privacy standards of the U.S. were found not to match those of the European framework. A major concern is that the government could access European data kept by US companies, even if stored in Europe. Full details here →
🗣 The day the industry has been waiting for is here – a new privacy framework is on the horizon. Since the privacy shield was struck down, there was no formal framework in place. In an effort to solve the ongoing issue of legal data transfers between the U.S. and the E.U., President Biden has signed an Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities to meet the obligations of the EU-U.S. Data Privacy Framework.
An executive order is a directive from the president of the United States that is signed and made public and controls how the federal government operates. This executive order might just be the solution the industry has been waiting for. Here’s why:
By emphasizing a number of crucial framework elements, the Executive Order aims to address concerns while strengthening a strict set of civil rights and privacy protections for American signals intelligence activities. For more information, read our overview here.
The European Commission will be able to issue an “adequacy decision” that could allow data transfers between the E.U. and the U.S. once again. It may take up to six months to make a decision, but it’s safe to say we are approaching the finish line. It may still be months before transferring data to US companies no longer entails the risk of illegal data transfer outside Europe.
Currently, European Data Protection Authorities (DPAs) have been issuing orders to stop using Google Analytics – though without issuing fines.
While Google has previously attempted to address some of the main points of concern with Google Analytics 4, these measures seem to still be considered insufficient by the authorities.
Due in part to this conversation around the use of Google Analytics, Google released Google Analytics 4 in an attempt to address some of the concerns.
Here’s how to switch to and set up Google Analytics 4 →
So far, no economic sanctions have been issued by European DPAs for the use of Google Analytics.
If you’ve already switched to GA4, this may still be a smart move, as GA4 significantly reduces data processing. Since the new privacy deal may be ready in several months, many businesses might decide to risk it, as no fines have been issued.
From the Danish DPA:
For Google Analytics 4, it is apparent from Google’s documentation that I.P. addresses are used to determine the approximate location of the visitor, after which the address is discarded before the data is logged to a server. As with Universal Analytics, the same issue is also relevant for Google Analytics 4, as – depending on the data subject’s location – there can be a direct connection to, among others, American servers before the address is discarded.
If you would like to follow this evolving case law and watch the latest decisions unfold, you can read our by-country breakdown here.
Understandably, you may be left feeling a bit unsure of what to do. Organizations like NOYB and other groups are trying to defend privacy rights, with one main concern being the possibility of government access to European data held by U.S. companies, even when stored in Europe.
Google Analytics has been the target of recent DPA orders, but currently, any service provided by a US party, even if hosting is in the EU, can be compromised. Therefore, each controller must evaluate whether to stop using all or some of their US services between today and the time when a new deal is in place.
Like most things privacy-related, we can expect such an agreement will be challenged, so the journey may continue to be rocky for some time. In the meantime, you can do a few things today to put your mind at ease.
💡 One option is to obfuscate personal data via a proxy server so that the data does not get to the U.S. company. We have selected a few solutions that do it.
👉 At iubenda, you can rest assured that when you use our services on your site/app, the data of EU users is either not shared with US companies or, when it is, encrypted before being sent.
Given that this scenario is still present, some people are now thinking about Google Analytics alternatives that focus on privacy or are based in Europe.
Read this: 7 alternatives to Google Analytics
Data protection authorities have found that the U.S. legal system does not guarantee the same standards of protection as the EU. The situation stems from a set of U.S. laws that allow government organizations to request access to consumers’ personal data from US-based services, regardless of where the data centers or servers are located.
In light of this, NOYB filed 101 complaints with European DPAs, seeking a finding that transferring European users’ data to the U.S. was unlawful. The decisions, which have noted the illegitimacy of the transfers, focus on the analysis of additional technical, contractual and organizational measures.
The use of an encryption key by the company in question was deemed insufficient as the key was owned by Google LLC. From this, it follows that as long as the encryption key remains accessible to the importer (in this case, Google Analytics), the measures taken cannot be considered appropriate.
Furthermore, contractual and organizational measures are not evaluated, because they are always considered insufficient when technical measures are missing.
So far, the authorities have only said that additional technical security measures are needed if you continue using Google Analytics.
Based on the decisions issued so far, we can assume that the possible legal consequences are as follows:
Please note that to date, no economic sanctions are being issued for the use of Google Analytics.