Datatilsynet, Norway’s data and privacy authority, advises organizations in Norway to consider alternatives to Google Analytics. The watchdog announces that two ongoing investigations may lead to convictions for using Google Analytics.
Datatilsynet published a response to a recent case in Austria, where a website was found guilty of violating the GDPR by using Google Analytics.
In the response, the Norwegian authority expresses support for the decision of its “colleagues in Austria”, the Austrian Data Protection Authority (DPA). The DPA was the first European authority to condemn a website for using Analytics.
Datatilsynet is currently investigating two possible cases of privacy violation due to the use of Analytics. Although no conclusions have been reached, Datatilsynet’s section chief indicates that Austria’s ruling will influence the outcome of both cases.
According to the watchdog, Google Analytics is on the radar of other European data regulators. “Hence, we recommend everyone to explore alternatives to Google Analytics”, Datatilsynet said.
Is Google Analytics illegal or not?
Personal data must be shared in accordance with European privacy laws. Since July 2020, organizations have been personally responsible for complying with the rules. This was decided by the European Court of Justice. The decision is known as Schrems II.
The problem with Google Analytics revolves around data transfers between the US and EU. Google sends certain information to data centers in the US. From the moment Google sends personal data, Google and users of Analytics are responsible for data privacy protection.
Since Schrems II, The DPA (Austria) has been the first authority to legally substantiate that Google transmits personal data. This enabled a conviction for the use of Google Analytics. Multiple European watchdogs, including the Dutch AP and Datatilsynet, may reuse the DPA’s case to convict organizations in their control area.
However, it’s too easy to say that Google Analytics is therefore illegal. The website that was convicted in Austria could have avoided the problem by taking its own measures. Google Analytics offers privacy settings. The problem is that some settings are disabled by default.
Google refuses to change the settings in question. US laws stipulate that intelligence agencies in the US must have access to data stored on US soil. This makes it impossible for Google to provide a standard product that complies with European privacy laws. It remains possible for users to manually enable the settings. It is therefore likely that some Analytics users meet all privacy standards.
To be on the safe side, follow the advice of the data authority in your region.