Swedish Data Protection Authority May Be Next to Take Action Against Google Analytics

Google Analytics is arguably the most popular and widely-used tool for webmasters to observe and understand how users interact with their sites and pages, but it has been under fire in the European Union since early 2022 due to incompatibility with General Data Protection Regulation (GDPR) requirements. About half a dozen EU countries have banned it since then, and Sweden’s data protection authority is indicating that it might be the next one in line.

The issue traces back to the “Schrems II” ruling of 2020, which invalidated EU-US data transfers due to potential US government access to personal data shipped overseas. While the data that webmasters see when using Google Analytics is anonymized enough to keep individual users from being identified or tracked, EU data authorities are increasingly taking the position that the internal data that Google itself receives from the tool is in violation of GDPR terms.

Swedish data protection authority says Google’s popular metrics tool is in violation of consent and data transfer requirements

The campaign against Google Analytics in the EU stems from a set of complaints filed by Max Schrems and his privacy group “noyb,” the same entity that invalidated EU-US data transfers with its court case against Facebook. The Austrian data protection authority was the first to find in Schrems’ favor, in January 2022.

Since then, a number of other data protection authorities have investigated the complaints and come to similar conclusions: Denmark, Finland, France, Italy, Norway and Sweden have all banned Google Analytics under the reasoning that US government policy, such as the CLOUD Act, allows for interception of the personal data of EU citizens that is sent overseas without recourse for the impacted data subjects.

The rulings hold individual website operators responsible for using Google Analytics, even though Google is the party transferring data overseas. The lynchpin of the argument is that the data Google collects through the program is funneled back to its servers, where it is potentially paired with data Google collects from a variety of other sources. So while the individual webmaster is not identifying visitors via Google Analytics or collecting personal information about them, their web browsing habits could be connected to other personal data back in the US at Google’s end, all information that could then be obtained by the US government.

Several of the data protection authorities have also taken the position that the new Google Analytics 4 and Universal Analytics systems, which took the place of all prior Google Analytics instances on July 1, do not make adequate changes to meet GDPR requirements. The Swedish data protection authority has not yet gone so far as a national ban, but did fine several companies as a result of the Schrems complaints.

CDON, Coop, Dagens Industri, and Tele2 were all issued fines ranging from $30,000 to $1.1 million, depending on the scope of the data collection. All but Dagens Industri were ordered to stop using Google Analytics. While the Swedish data protection authority stopped short of promoting a national ban, the agency did issue a warning that other companies in the country could be similarly investigated and fined.

Google Analytics on shaky ground in EU until new data transfer terms are reached

US and EU officials announced the EU-US Data Privacy Framework, the expected Privacy Shield replacement, in 2022. However, concerns about an almost inevitable court challenge by Schrems once it is in place have held up adoption. In May of this year, the European Parliament voted in favor of reworking the framework as it presently does not create the required level of GDPR equivalency to survive such a challenge. However, the framework still stands a very good chance of being adopted in the near future.

Adoption of a new agreement might bail out Google Analytics, at least temporarily. Google attempted to address these concerns with changes to the service over the past year for improved anonymization, including IP address truncation, but the Swedish data protection authority noted that these methods were inadequate to the task in the view of the GDPR.

Google Analytics is the most broadly popular web analytics tool, due in no small part to it being free. But the data protection authority decisions are increasingly pushing companies to look to paid solutions; those based in the US, such as HubSpot and Mixpanel, do not necessarily have the same Schrems II issues that Google does due to its internet-spanning hoard of targeted advertising data. Settings and privacy controls must still be arranged properly to ensure compliance with GDPR terms, however, and some companies are opting for EU services that store everything on servers within the bloc and that advertise aggressive data minimization to be as safe from regulatory attention as possible.