Is Google Analytics illegal?

29th June 2022

Earlier this week, Italy became the fourth country to explicitly state that Google Analytics is illegal because it violates GDPR, thus essentially banning its legal use.

The reason Google Analytics is illegal, according to the Italian Data Protection Agency (the GPDP), is as follows:

“A website using Google Analytics (GA) without the safeguards set out in the EU GDPR violates data protection law because it transfers users’ data to the USA which is a country without an adequate level of data protection”  GPDP Full article

This comes hot on the heels of the French data protection body (CNIL), which last week published guidelines on its earlier ban of Google Analytics, announced in February this year.

The first European state to question the legality of Google Analytics was Austria, which in January issued a decision ruling that Google Analytics violated the EU GDPR. It reaffirmed this position in May, much to the delight of Max Schrems, the privacy campaigner from whom this originates.

The states that have declared that Google Analytics is illegal (so far):

  • Austria
  • Holland
  • France
  • Italy

More European states are expected to follow this position. Marketers should brace themselves (or, more sensibly, start planning for alternative solutions).

Why is this happening?

The reason we are in this position is mainly due to the failure of an arrangement called Privacy Shield, an agreement between the EU and the US that allowed data to flow freely between the two territories.

However, the nature of Privacy Shield was challenged by Max Schrems in a high-profile court case, and it was ultimately invalidated because there were not enough safeguards in place in the USA to protect the personal data of EU citizens (to the same extent that the GDPR does).

The safeguards fail in particular because Google is classed as an ‘electronic communication service provider’, and in the US this gives the US intelligence services the right to access this data should they so wish. This is what is violating the GDPR and making the use of Google Analytics illegal in four European states (so far).

The EU and the US are working on a new framework for data exchange to replace the Privacy Shield (originally entitled Privacy Shield 2.0). However, whilst ‘an agreement in principle’ has been announced, this is more of a holding position than anything else and has no legal basis, so at the moment, to transfer data to the US you must go through the hoops of performing an international transfer risk assessment.

See our earlier blogs on the Privacy Shield.

What happens next?

The use of US-based software services, such as Google Analytics, is in violation of the EU GDPR (see our blog on using Mailchimp). The UK GDPR closely mirrors the European version, so we await an announcement from the ICO, our data protection body in the UK.

Watch this space, as they say. In the meantime, our recommendations are to look at privacy-friendly alternatives to Google Analytics and also to ensure that none of your other software is storing or backing up your data in the US. A lot of common software does, so it is very important that you check.

If you are transferring data to the US, whilst we wait for the new Privacy Shield 2.0 you will need to put in place the much more cumbersome International Data Transfer Agreement (IDTA) or, if first receiving data from the EU, Standard Contractual Clauses (SCC) with the UK addendum. See our blog on SCCs here.

We use Google Analytics – should I panic?

Bottom line – don’t panic just yet! UK Data Controllers will have to wait for the ICO to offer guidance. The first time the Privacy Shield was made unlawful, the ICO said they wouldn’t take any action until a solution was found. Ultimately, though, consumers want privacy, so the sooner you build privacy best practices into your business process the better.

Need some help?  The best place to start is by booking your complimentary 30-minute Zoom consultation with one of our data protection specialists.

Book your complimentary consultation here.

