Danish DPA: Q&A on the use of Google Analytics

30 September 2022

On 21 September 2022, the Danish Data Protection Authority (“DDPA” or “Danish DPA”) issued Q&A guidance on the use of Google Analytics in order to provide customers of Google’s services with an authoritative analysis and informational support on this matter. In particular, the DDPA concluded that, following its review of the Google Analytics tool, its settings and the terms under which it is provided, the tool cannot be used lawfully as it stands. The DDPA therefore provided the aforementioned Q&A guidance in order to clarify how to deal with the controversial issues that may arise when using Google Analytics, including whether the tool can be used in such a way that data protection provisions are not infringed.

The Danish DPA’s position is in line with the common position of several EU Data Protection Authorities (i.e. the Data Protection Authorities of Italy, Austria and France) on the use of Google Analytics (an earlier contribution on the decision issued by the Italian Data Protection Authority was published on our TMT Data Protection Observatory and is available here; the Italian Data Protection Authority’s press release, in English, is available here).

Data transfer to the US

Data transfers to the United States (“US”) have become much more complicated since July 2020, following the “Schrems II” judgment. It is worth remembering that, by that decision, the Court of Justice of the European Union invalidated Decision 2016/1250 adopted by the European Commission pursuant to Article 45 of Regulation (EU) 2016/679 (“GDPR”) on the adequacy of the protection provided by the “EU-US Privacy Shield”, recalling that the protection granted to personal data in the European Union must travel with the data, and that the level of protection in third countries, even if it does not need to be identical to the one guaranteed in the EU, must be essentially equivalent.

In the case of the US, it has been ascertained that the possibility for public authorities to access personal data transferred from the EU, under domestic law and for national security purposes, does not meet the minimum requirements of EU law and does not grant data subjects enforceable legal rights against the US authorities.

Therefore, as recalled in the EDPB’s FAQ adopted on 23 July 2020, in the absence of a decision pursuant to Article 45 of the GDPR or of appropriate safeguards pursuant to Article 46 of the GDPR, data exporters may transfer data to the US by adopting other mechanisms provided for in Articles 46 and 49 of the GDPR (for further details on the topic, earlier contributions were published on our TMT Data Protection Observatory and are available here and here).

Briefly, following the Schrems II judgment, European data exporters need to implement additional safeguards in order to transfer data to the US.

Against this background, on 25 March 2022 the EU Commission and the US government announced that an agreement in principle on a new Trans-Atlantic Data Privacy Framework had been reached. Despite this announcement, in recent months the Google Analytics tool (specifically the cookies provided in version 3, also known as “Universal Analytics”) came under the scrutiny of several EU Data Protection Authorities for not complying with the GDPR data transfer provisions, since some of the information collected via cookies by website operators using this service was unlawfully transferred to the US.

The Danish DPA’s considerations

The DDPA, after analysing the Google Analytics tool, stated that it could not be used without implementing supplementary measures.

However, this does not mean that the DDPA has banned the use of Google Analytics. It has only assessed whether the processing of personal data by means of the Google Analytics tool is carried out in compliance with data protection law.

In this regard, pursuant to the DDPA’s Q&A, organizations using Google Analytics must assess whether their current use takes place in compliance with EU data protection law since, as with all other processing of personal data, it remains the data controller’s responsibility to be able to demonstrate that its processing activities are carried out in compliance with the relevant law. Consequently, if their use does not comply with the relevant provisions, they must either cease using the tool or remediate the non-compliance by implementing supplementary measures in addition to the settings provided by Google.

Considering the above, the DDPA recalled that, as indicated in Recommendations 01/2020 of the European Data Protection Board, pseudonymization and encryption are possible technical measures that can be effective in addressing access to personal data by law enforcement authorities, thereby bringing an inadequate level of data protection up to the required European level.

Specifically, the Danish DPA highlighted that pseudonymization[1] by means of a “reverse proxy” may be an effective technical supplementary measure, as also stated by the French Data Protection Authority in its recent guidance, and that “in the case of Google Analytics, pseudonymization can be implemented by establishing a ‘reverse proxy server’ which acts as a hub for internet traffic from website visitors”, allowing organizations to “gain control over what data is collected and what data is subsequently sent to the servers used to provide the web analytics tool such as Google’s servers”. At the same time, the DDPA specifies that “organizations wishing to establish a reverse proxy should be aware that the proxy must be configured in such a way that the conditions for effective pseudonymization are met […] this means that public authorities in the importing third country must not be able to attribute the pseudonymized data to an identifiable person, either alone or in combination with additional information”.

Moreover, the Danish DPA also assessed other technical supplementary measures which, at the end of its analysis, were considered difficult or impossible to implement within the Google Analytics technical setup (e.g. configuring the Google Analytics tool in such a way that personal data is not transferred to the US, or configuring it in such a way that no personal data is collected at all).

On a final note, the DDPA highlighted that, although Google has started to make additional settings available to its customers that allow them to configure the tool to limit the collection of a number of additional data (e.g. data concerning the visitor’s browser, operating system, etc.), the remaining data collected by the tool (e.g. the visitor’s unique identifier, data about the visitor’s interaction with the website, the time of the visit and the location of the visitor) still constitutes personal data about the website visitors.

In a nutshell, organizations must consider that:

  • pseudonymization is a feasible measure if they establish a reverse proxy server and make sure that the pseudonymized data, alone or in combination with additional information, cannot be attributed to a natural person;
  • the anonymization of IP addresses is not considered an effective supplementary measure, since it remains unclear where the anonymization takes place (in the EU or in the US);
  • encryption is not a feasible measure, since it is carried out by Google in the US, whereas, in order to be effective, the encryption keys must be held exclusively by the data exporter or by a trusted third party within the EU or in a secure third country;
  • with Google Analytics 4, there can be a direct connection to, among others, US servers before IP addresses are discarded;
  • all data collected through Google Analytics is processed and stored in the US and it does not seem possible to configure the tool so as to avoid this (for further clarification, organizations have to reach out to Google as the provider of the tool);
  • even if the additional settings made available by Google are turned off, configuring the tool to collect as little data as possible, the remaining collected data still constitutes personal data about the website visitors;
  • the possibility for the third country’s authorities to access personal data under their laws does not meet the minimum requirements of EU law in any case, even if such access is unlikely;
  • the data subject’s express consent to the transfer is one of the exceptions to the general conditions for third country transfers and should be interpreted restrictively;
  • Google’s statement that the company has never received a request from US authorities for access to the data collected through Google Analytics is not enough to demonstrate that the third country’s laws (which are not in compliance with EU data protection provisions) are not applied;
  • if they have configured the tool in such a way that no personal data is collected, they have to be able to document and demonstrate how the issues identified by the various EU Data Protection Authorities are not relevant to their use of the tool;
  • if they continue to use the tool with the same setup as the one on which the EU Data Protection Authorities’ position is based, they assume a legal risk.
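As an added example (not part of the DDPA guidance or of this article), the following Python sketch shows the kind of filtering the reverse-proxy pseudonymization described above and in the first bullet performs on an analytics hit before forwarding it: the visitor id is replaced by a keyed hash whose key stays on the proxy in the EU, and the visitor’s IP, user agent, cookies and referrer are never copied into the outbound request. The parameter names, the allow-list, the tracking id and the key are constructed assumptions.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

# Constructed example key. Assumed to be generated by the site operator and
# held only on the proxy inside the EU; the analytics provider never sees it,
# so it cannot reverse the pseudonym on its own or with data it already holds.
PSEUDONYM_KEY = b"constructed-example-key-held-only-in-the-eu"

# Hypothetical allow-list of query parameters the proxy forwards: protocol
# version, hit type, property id, page path, page title and the visitor id.
FORWARDED_PARAMS = ("v", "t", "tid", "dp", "dt", "cid")
# Request headers that would identify the visitor and are therefore dropped.
DROPPED_HEADERS = ("x-forwarded-for", "user-agent", "cookie", "referer")


def pseudonymize_id(client_id: str) -> str:
    """Keyed hash of the visitor id: stable per visitor, unlinkable without the key."""
    digest = hmac.new(PSEUDONYM_KEY, client_id.encode(), hashlib.sha256)
    return digest.hexdigest()[:32]


def proxy_request(query: str, headers: dict, client_ip: str) -> dict:
    """Rebuild an incoming analytics hit as the proxy would send it onward.

    client_ip is accepted only to make the point explicit: it is never placed
    in the outbound request, so the analytics server only ever sees the
    proxy's own egress address. Non-allow-listed parameters (e.g. a
    'uip' or 'ua' override) are discarded along with identifying headers.
    """
    params = dict(parse_qsl(query, keep_blank_values=True))
    outbound = {k: params[k] for k in FORWARDED_PARAMS if k in params}
    if "cid" in outbound:
        outbound["cid"] = pseudonymize_id(outbound["cid"])
    kept_headers = {
        name: value for name, value in headers.items()
        if name.lower() not in DROPPED_HEADERS
    }
    return {
        "query": urlencode(outbound),
        "headers": kept_headers,
        "source_ip": "PROXY_EGRESS_IP",  # placeholder for the proxy's EU address
    }


# Constructed sample hit carrying exactly the fields the proxy must not pass on.
SAMPLE_IP = "203.0.113.7"
SAMPLE_QUERY = ("v=1&t=pageview&tid=UA-000000-1&cid=555.123&dp=%2Fpricing"
                "&dt=Pricing&uip=" + SAMPLE_IP + "&ua=Mozilla")
SAMPLE_HEADERS = {"Host": "collect.example", "User-Agent": "Mozilla/5.0",
                  "X-Forwarded-For": SAMPLE_IP, "Cookie": "_ga=GA1.2.555.123"}
```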

For further details, please find the press release here and the DDPA’s Q&A here.


[1] “Pseudonymization” is the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information. Moreover, according to the European Data Protection Board, a number of conditions must be met in order for pseudonymization to be considered an effective supplementary measure for the transfer of personal data to third countries, such as that the data controller can demonstrate, through a thorough analysis, that the pseudonymized data cannot be attributed to a natural person without the use of additional information.

2024 - Morri Rossetti