The Danish Data Protection Agency has announced that the standard settings of Google Analytics cannot be lawfully used. Here is what you as a company should know to draw up a plan - while we wait for the upcoming Trans-Atlantic Data Privacy Framework between the EU and the USA.
On 21 September 2022, the Danish Data Protection Agency published a press release with the conclusion "that the tool cannot, without more, be used lawfully. Lawful use requires the implementation of supplementary measures in addition to the settings provided by Google."
The Danish Data Protection Agency, thereby, agrees with the French Data Protection Authority, who came to the same conclusion back in February 2022. As a result, everyone using Google Analytics must now decide how to proceed.
According to the Danish Data Protection Agency, you can solve the issue in two ways:
Neither solution 1 nor 2 is feasible for Danish companies.
A new setup requires resources
Deciding on a new analytics tool demands considerable resources. Most webshop and website systems support Google Analytics. Few CMS systems support approved analytics tools such as Matamo and Piwik Pro. Therefore, implementing a new analytics tool entails a considerable investment as the tool must be implemented from scratch. This typically requires outside help and development resources.
All integrations must be reestablished
Often, Google Analytics data do not only live in Google Analytics. All dashboards and reports must be recreated, and data from another analytics tool will not be as accessible as the data from Google Analytics. For instance, a connector to Matamo does not exist in Google Data Studio, which is the most common dashboard solution today.
All employees must be retrained
Google Analytics has been an integrated part of digital businesses for many years. Data access risks being limited to those 1-2 people who have time to learn a new platform. Proper training should, therefore, also be taken into consideration.
The Danish Data Protection Agency refers to CNIL (The French Data Protection Authority) regarding a legal configuration of Google Analytics with a proxy server. They present a concrete guide on how you secure lawful use of Google Analytics.
The guide underlines seven necessary measures which must be implemented to legalise the configuration:
Especially three of these measures are problematic from a digital marketing perspective:
In practice, this means that Google Analytics can no longer be used to understand where a visitor came from i.e. to show which channel or campaign a session/visitor came from. As a result, the tool is no longer useful for marketing purposes.
Even if a GTM server-side solution is implemented to erase cookie IDs and replace them with new anonymous IDs, Google Analytics will still not be configured correctly and will, thereby, still not be lawful, according to the guide from the French Data Protection Authority. However, it will significantly improve the standard configuration of GA or GA4.
The problem with Google Analytics arose when the data transfer agreement between the USA and the EU, called Privacy Shield, was declared invalid on 16 July 2020 (Schrems ||).
On 25 March 2022, the European Commission announced that it has agreed in principle with the USA regarding the establishment of a new Trans-Atlantic Data Privacy Framework (TADPF), which will foster trans-Atlantic data flows between the EU and the USA following GDPR.
At the present time, the new framework is under negotiation by the authorities. The expectation is to reach an agreement by the end of 2022. With the correct wording, a new agreement would legalise Google Analytics 100% according to GDPR.
The Danish Data Protection Agency has not set a clear deadline for when a GDPR-compliant solution must be in place but states that all companies must have a plan ready.
s360 recommends the following actions:
s360 has developed a solution which saves all your historical data from Google Universal Analytics. At the same time, you also get the opportunity for a smooth transition to Google Analytics 4 or another pre-approved tool. The solution includes dashboards that allow you to keep a complete overview regardless of potentially new systems in the future.
Please, contact us if you wish to hear more about the solution and to get further insights into the situation.
The Danish Protection Agency has no interest in making life difficult for Danish companies, but, as an authority, they have been obligated to publish a statement due to the cases investigated by authorities across Europe. In principle, the Danish authorities could have published the statement back in February after the announcement from the French authorities but probably chose to await and follow the development.
The European Supervisory Authorities' attention has long been directed at Google Analytics. However, the same GDPR-related challenge exists across a wide range of American software products where data are either transferred to American servers or where American authorities - purely theoretically and despite data being stored in European servers - still can obtain access because the European company ultimately has an American owner.
All stakeholders, including users, companies and authorities, have a shared interest in establishing a new Privacy Framework. Thus, the adoption of the framework has high priority.
It is important to highlight that the authorities have not made a decision in principle on GA4 but only on Google Analytics UA. It is, therefore, uncertain whether the negotiations on the new Trans-Atlantic Framework will be concluded before or after a potential decision on GA4.
Article edit made on the 28th September 2022
On the 27th of September 2022, Politico wrote this article: www.politico.eu/article/us-expected-to-publish-privacy-shield-executive-order-next-week/, where sources close to the White House say they expect an executive order about Privacy Shield to be published in Week 40.
Article edit made on the 27th October 2022
On Friday, October 7th, the U.S. President Joe Biden signed an executive order to protect the privacy of personal data transferred between the EU and the US. The order will limit the ability of American national security agencies to access people’s personal information as part of a transatlantic data sharing agreement with the European Union. The order will create a new body within the U.S. Department of Justice that will oversee how American national security agencies are able to access and use information from both European and U.S. citizens. With that, it will establish the so-called Data Protection Review Court within the Department of Justice for European citizens to redress privacy concerns with US intelligence agencies.
The executive order is an important next step in the creation of a new transatlantic data sharing agreement that is needed for thousands of companies – including Google.
What happens next: The Privacy Shield Framework has to be reviewed and validated by the European Commission. This could take months, but these next steps towards a new Privacy Shield Framework are good news. Until then, in Denmark the Danish Data Protection Agency's guidelines published 21 September 2022 stand. The executive order seems very promising for companies trading products and services overseas: www.politico.com/news/biden-executive-order-eu-data-privacy-agreement
The Danish Data Protection Agency agrees with the above and has published a press release (in Danish): www.datatilsynet.dk/presse-og-nyheder/nyhedsarkiv/2022/okt/nyt-om-transatlantiske-overfoersler-af-personoplysninger
The above cannot replace legal counselling. s360 and its employees do not offer legal counselling in any form, including circumstances surrounding the setup and use of websites and media platforms. s360 does not accept any form of responsibility in regards to direct or indirect losses as a consequence of the use of this article, including loss following from inadequate or wrongful use of information, evaluations or other conditions. s360 recommends seeking legal counselling from a qualified lawyer if you are in doubt about any legal requirements and conditions, GDPR compliance and/or use of data.
Stay updated on official statements from Google and the future Trans-Atlantic Data Privacy Framework between the EU and the USA.
Join our monthly s360 mail to get industry news within digital marketing, technology and data. We put a lot of effort into our newsletter to provide valuable and actionable insights to you.