[wpml_language_selector_widget]

Is Google Analytics illegal in Denmark? Get an overview here

The Danish Data Protection Agency has announced that the standard settings of Google Analytics cannot be lawfully used. Here is what you as a company should know to draw up a plan - while we wait for the upcoming Trans-Atlantic Data Privacy Framework between the EU and the USA.
September 22, 2022
Est. 1 minute

Is Google Analytics illegal in Denmark? Get an overview here

The Danish Data Protection Agency has announced that the standard settings of Google Analytics cannot be lawfully used. Here is what you as a company should know to draw up a plan - while we wait for the upcoming Trans-Atlantic Data Privacy Framework between the EU and the USA.

On 21 September 2022, the Danish Data Protection Agency published a press release with the conclusion "that the tool cannot, without more, be used lawfully. Lawful use requires the implementation of supplementary measures in addition to the settings provided by Google."

The Danish Data Protection Agency, thereby, agrees with the French Data Protection Authority, who came to the same conclusion back in February 2022. As a result, everyone using Google Analytics must now decide how to proceed.

Does the Danish Data Protection Agency have any solutions in place?

According to the Danish Data Protection Agency, you can solve the issue in two ways:

  1. Choosing an alternative web analytics tool from a list of approved suppliers
  2. Configuring Google Analytics in such a way that no personal data are transferred to Google's servers in the USA

Neither solution 1 nor 2 is feasible for Danish companies.

Why not just replace Google Analytics tomorrow?

A new setup requires resources
Deciding on a new analytics tool demands considerable resources. Most webshop and website systems support Google Analytics. Few CMS systems support approved analytics tools such as Matamo and Piwik Pro. Therefore, implementing a new analytics tool entails a considerable investment as the tool must be implemented from scratch. This typically requires outside help and development resources.

All integrations must be reestablished
Often, Google Analytics data do not only live in Google Analytics. All dashboards and reports must be recreated, and data from another analytics tool will not be as accessible as the data from Google Analytics. For instance, a connector to Matamo does not exist in Google Data Studio, which is the most common dashboard solution today.

All employees must be retrained
Google Analytics has been an integrated part of digital businesses for many years. Data access risks being limited to those 1-2 people who have time to learn a new platform. Proper training should, therefore, also be taken into consideration.

Why not just configure Google Analytics to meet legal requirements?

The Danish Data Protection Agency refers to CNIL (The French Data Protection Authority) regarding a legal configuration of Google Analytics with a proxy server. They present a concrete guide on how you secure lawful use of Google Analytics.

The guide underlines seven necessary measures which must be implemented to legalise the configuration:

  1. The absence of transfer of the IP address to the servers of the analytics tool
  2. The replacement of the user identifier by the proxy server
  3. The removal of external referrer information from
  4. The removal of any parameters contained in the collected URLs
  5. Reprocessing of information that can be used to generate a fingerprint
  6. The absence of collection of cross-site or lasting identifiers
  7. The deletion of any other data that could lead to re-identification

Especially three of these measures are problematic from a digital marketing perspective:

  • The removal of external referrer information from
  • The removal of any parameters contained in the collected URLs
  • Reprocessing of information that can be used to generate a fingerprint

In practice, this means that Google Analytics can no longer be used to understand where a visitor came from i.e. to show which channel or campaign a session/visitor came from. As a result, the tool is no longer useful for marketing purposes.

Even if a GTM server-side solution is implemented to erase cookie IDs and replace them with new anonymous IDs, Google Analytics will still not be configured correctly and will, thereby, still not be lawful, according to the guide from the French Data Protection Authority. However, it will significantly improve the standard configuration of GA or GA4.

Is there other solutions than the proxy setup to legalise Google Analytics again?

The problem with Google Analytics arose when the data transfer agreement between the USA and the EU, called Privacy Shield, was declared invalid on 16 July 2020 (Schrems ||).

On 25 March 2022, the European Commission announced that it has agreed in principle with the USA regarding the establishment of a new Trans-Atlantic Data Privacy Framework (TADPF), which will foster trans-Atlantic data flows between the EU and the USA following GDPR.

At the present time, the new framework is under negotiation by the authorities. The expectation is to reach an agreement by the end of 2022. With the correct wording, a new agreement would legalise Google Analytics 100% according to GDPR.

How does it affect you as a company?

The Danish Data Protection Agency has not set a clear deadline for when a GDPR-compliant solution must be in place but states that all companies must have a plan ready.

s360 recommends the following actions:

  • Save all important historical data from Google Analytics in a data warehouse (EU servers) to always have these historical data available
  • Use your new data setup to recreate your most important GA views in a visualisation tool such as Google Data Studio, Looker or Microsoft Power BI
  • Prepare a plan for the company's future tracking setup (potentially together with an external partner)

s360 has developed a solution which saves all your historical data from Google Universal Analytics. At the same time, you also get the opportunity for a smooth transition to Google Analytics 4 or another pre-approved tool. The solution includes dashboards that allow you to keep a complete overview regardless of potentially new systems in the future.

Please, contact us if you wish to hear more about the solution and to get further insights into the situation.

What does the future look like?

The Danish Protection Agency has no interest in making life difficult for Danish companies, but, as an authority, they have been obligated to publish a statement due to the cases investigated by authorities across Europe. In principle, the Danish authorities could have published the statement back in February after the announcement from the French authorities but probably chose to await and follow the development.

The European Supervisory Authorities' attention has long been directed at Google Analytics. However, the same GDPR-related challenge exists across a wide range of American software products where data are either transferred to American servers or where American authorities - purely theoretically and despite data being stored in European servers - still can obtain access because the European company ultimately has an American owner.

All stakeholders, including users, companies and authorities, have a shared interest in establishing a new Privacy Framework. Thus, the adoption of the framework has high priority.

It is important to highlight that the authorities have not made a decision in principle on GA4 but only on Google Analytics UA. It is, therefore, uncertain whether the negotiations on the new Trans-Atlantic Framework will be concluded before or after a potential decision on GA4.

Article edit made on the 28th September 2022

On the 27th of September 2022, Politico wrote this article: www.politico.eu/article/us-expected-to-publish-privacy-shield-executive-order-next-week/, where sources close to the White House say they expect an executive order about Privacy Shield to be published in Week 40.

Article edit made on the 27th October 2022

On Friday, October 7th, the U.S. President Joe Biden signed an executive order to protect the privacy of personal data transferred between the EU and the US. The order will limit the ability of American national security agencies to access people’s personal information as part of a transatlantic data sharing agreement with the European Union. The order will create a new body within the U.S. Department of Justice that will oversee how American national security agencies are able to access and use information from both European and U.S. citizens. With that, it will establish the so-called Data Protection Review Court within the Department of Justice for European citizens to redress privacy concerns with US intelligence agencies.

The executive order is an important next step in the creation of a new transatlantic data sharing agreement that is needed for thousands of companies – including Google.

What happens next: The Privacy Shield Framework has to be reviewed and validated by the European Commission. This could take months, but these next steps towards a new Privacy Shield Framework are good news. Until then, in Denmark the Danish Data Protection Agency's guidelines published 21 September 2022 stand. The executive order seems very promising for companies trading products and services overseas: www.politico.com/news/biden-executive-order-eu-data-privacy-agreement

The Danish Data Protection Agency agrees with the above and has published a press release (in Danish): www.datatilsynet.dk/presse-og-nyheder/nyhedsarkiv/2022/okt/nyt-om-transatlantiske-overfoersler-af-personoplysninger

Contact information

Mathias Hillerup Larsen, CTO, [email protected], +45 2327 5245
Frederik Hyldig, CPO, [email protected], +45 5073 7486
Rasmus Lenler-Petersen, Head of Legal, [email protected], +45 2071 2469

The above cannot replace legal counselling. s360 and its employees do not offer legal counselling in any form, including circumstances surrounding the setup and use of websites and media platforms. s360 does not accept any form of responsibility in regards to direct or indirect losses as a consequence of the use of this article, including loss following from inadequate or wrongful use of information, evaluations or other conditions. s360 recommends seeking legal counselling from a qualified lawyer if you are in doubt about any legal requirements and conditions, GDPR compliance and/or use of data.

Sign up for our newsletter and stay updated on the case

Stay updated on official statements from Google and the future Trans-Atlantic Data Privacy Framework between the EU and the USA.


Newsletter

Don’t miss out on digital news

Join our monthly s360 mail to get industry news within digital marketing, technology and data. We put a lot of effort into our newsletter to provide valuable and actionable insights to you.


Woman in armchair