Denmark latest to conclude Google Analytics is unlawful

Denmark is the fourth European country to state that Google Analytics breaks the GDPR

The Danish Data Protection Agency (DPA), Datatilsynet, has become the fourth national regulator to conclude that the manner in which companies are currently using Google Analytics breaches European Union regulations that demand stricter safeguards for personal data moved outside the bloc.

In a judgement published on Wednesday, the regulator said that the use of Google's popular tool is illegal because it enables companies to move users' data outside the EU without the necessary protections.

Dataltilsynet's decision follows those from Austria, France and Italy, with the regulator noting that the common opinion represents a pan-European attitude among the data regulators and is a crucial step toward a coordinated strategy.

In January 2022, the Austrian data protection authority Österreichische Datenschutzbehörde issued a decision on the use of Google Analytics. The watchdog said that Google had not put in place sufficiently strong measures to encrypt and anonymise the data collected via Analytics and sent to the US.

In February, French data protection watchdog CNIL ruled that the use of Google Analytics can 'sometimes' breach the EU's GDPR, as data transfers to the US are not adequately regulated.

More recently, in June 2022, the Italian Data Protection Authority, Garante, took a stance against data transfers to the US using Google Analytics.

The Italian watchdog said that the usage of the tool leads to the collection of a variety of user data, including device IP address, OS and browser details, screen resolution, language selection, as well as the date and time of the site visit. This information is transferred to the US without taking sufficient further steps to improve the degree of protection to the required EU legal requirement.

Makar Juhl Holst, Senior Legal Advisor at the Danish DPA, said that the GDPR is designed to preserve the privacy of European individuals, which implies that users should be able to access a website without worrying about their personal information ending up in the wrong hands.

"We have carefully reviewed the possible settings of Google Analytics and have come to the conclusion that you cannot use the tool in its current form without implementing supplementary measures," Holst added.

Organisations in Denmark that use Google Analytics have been advised by the authority to assess if their continued use of the service complies with data protection law.

If not, the organisation must either comply with the rules for the tool's usage or, if required, stop using it.

According to the regulator, pseudonymisation is one technical measure that may be relevant when using Google Analytics.

The regulator recommends organisations discontinue using Google Analytics if adequate supplemental safeguards cannot be put into place.

In that case, they're advised to look for an alternative tool for web analytics that complies with data protection rules, for example by not sending personal information about site users to other countries that are deemed to be "unsafe."

The Danish DPA is inviting organisations and other individuals with unique insight into Google Analytics to write to the regulator if they believe there are any circumstances that the DPA's guidance has failed to take into account on this issue.