With multiple European authorities ruling against the use of this service, the Norwegian DPA suggests that companies explore alternatives to Google Analytics.
In a recent blog, we covered why the use of Google Analytics (and Stripe) by the European Parliament was considered a violation of the Court of Justice’s (CJEU) “Schrems II” ruling on EU-US data transfers. Now that multiple European authorities have ruled against the use of Google Analytics and the illegal transfer of data to the US, the Norwegian DPA has suggested in this report that companies seek alternatives to Google Analytics, as the pattern of companies and organisations being sanctioned over their use of the service is very likely to continue.
Personal data transferred from the EU to the US is subject to very strict conditions, and may quite likely be illegal.
The Austrian Data Inspectorate (DSB) recently investigated a website’s use of Google Analytics. They concluded that the use of Google Analytics means that personal information is sent to the United States, and that therefore the use of Google Analytics may be illegal. In light of the Schrems II ruling from the European Court of Justice, the Austrian DPA came to the conclusion that this transfer was indeed illegal. Google Analytics makes it possible to de-identify the IP addresses of website users; however, it is important to note that this will not solve the problems identified by the Data Protection Authorities. The Austrian DPA has pointed out that Google Analytics also involves cookies, and they believe that if a user is already logged in to a Google account, it is possible to link the analysis data to their Google account.
The Norwegian DPA foresees further sanctions for the use of the service and urges organizations to explore alternatives to the use of Google Analytics.
The Norwegian Data Protection Authority is also currently dealing with two cases involving the use of Google Analytics. Although the Authority has not yet reached a conclusion in these cases, it will look to European practice when processing them. “We know that there will also be more decisions about Google Analytics from other European data regulators. Therefore, we now recommend everyone to explore alternatives to Google Analytics,” says section chief Tobias Judin.
Transferring data to the US is not inherently illegal; however, a number of measures need to be implemented in order to ensure that the transfer is legal. In many of these cases, these measures are not in place. For this reason, the Norwegian DPA is suggesting that organisations explore alternatives to Google Analytics.
It is also important to note that other website tools may send personal information to the United States. Some tools send much more data than Google Analytics does. Therefore, it is important that website owners have a full overview of what tools they use and what personal information they process through those tools. If it is found that personal data is being transferred to the US through these tools, website owners may need to stop using them immediately, as serious cases may result in sanctions.
Does your company have all of the mandated safeguards in place to ensure the safety of the personal data you collect or process? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.