The free and powerful functionality of Google Analytics has seen it become ubiquitous across the web, with an estimated 50% of all websites employing GA.
However, GA’s legal journey in Europe has been a rollercoaster ride characterized by constant back-and-forth legal decisions set against an ever-evolving backdrop of data privacy awareness and discourse.
We need a wider context to fully understand Google Analytics’ murky legal status, so let’s go back in time to quickly touch on the history of data privacy legislation in Europe.
A brief history of Google Analytics’s European legal woes
1995: Data Protection Directive
The European Union introduces this directive outlining that personal data may not be sent outside of the EU unless there is an "essentially equivalent" level of legal protection in the destination country.
1998: Safe Harbour Privacy Principles
The European Union develops a range of principles to prevent EU organizations from disclosing users’ personal information.
2000: Safe Harbour US decision
A European Commission ruling on Safe Harbour determines that the United States offers “essentially equivalent” data protection. This enables the transfer of EU user data to US servers.
2002: The ePrivacy Directive
The ePrivacy Directive is introduced, laying the foundation for data protection throughout the EU by regulating electronic communications such as email marketing and cookie usage. It is a directive and not a law, intending to establish a general precedent from which EU member countries can create their own laws.
The ePrivacy Directive requires that websites obtain user consent before storing cookies in that user's browser, except for necessary cookies that are required to make a website fundamentally work properly.
2005: Google Analytics is born
Google acquires an existing product, Urchin Analytics, rebranding it as Google Analytics. Google Analytics utilizes cookies to track users and thus falls under the ePrivacy Directive.
Under Safe Harbour, Google Analytics can lawfully transfer EU user data to US servers.
2013: Schrems I complaint
In a case known as “Schrems I”, Austrian law student Max Schrems files a complaint against Facebook Ireland.
Schrems argued that EU user data transferred to the US was not adequately protected from US government surveillance programs like PRISM, which had recently come to light in revelations by NSA whistleblower Edward Snowden earlier that year.
The core rationale was that Facebook, as an American company, could be legally forced to turn over data of EU users to the US government - with complete disregard of any European privacy laws.
2015: Schrems I ruling on Safe Harbour
The Schrems I case reaches the European Court of Justice, ruling in favor of Schrems. This invalidated the original Safe Harbour agreement facilitating data transfers between the EU and US.
Safe Harbour was found to be invalid for three key reasons:
- Its privacy protections were subject to interference by US surveillance programs
- There were no legal remedies for EU individuals who wanted to access, edit, or delete their own data
- EU supervisory authorities were unable to meaningfully exercise their powers in the US
Although the specific decision was against Facebook, it set a precedent for all other American companies. The legality of Google Analytics, which transfers EU user data to Google's US servers, was now in question.
2016: Privacy Shield created
The fallout of Schrems I led to the European Commission developing a new data transfer agreement: the EU-US Privacy Shield framework.
The Privacy Shield created stronger obligations on American companies to protect the personal data of EU users against US authorities.
Max Schrems again challenges Privacy Shield in a case known as “Schrems II”.
2018: GDPR introduced
The General Data Protection Regulation is introduced, significantly impacting how services such as Google Analytics can collect, store, and process personal data of EU users.
One of the most visible changes was the requirement for a lawful basis for processing. Under GDPR, Google Analytics data collection counts as processing personal data, because it collects, for example, IP addresses that could potentially identify an individual.
Website owners must have a lawful basis for processing this personal data, which often requires obtaining user consent and quickly led to the proliferation of cookie consent banners everywhere.
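As an added illustration (not code from the original article), the following consent gate is what the ePrivacy cookie rule and the GDPR lawful-basis point above imply in practice: the analytics tag is loaded only after the visitor has opted in to the analytics category, while strictly necessary cookies never wait for consent. The storage key, category names and record format are assumptions for illustration, and the script loader is injected so the decision logic can be exercised without a DOM.

```javascript
// Added example, not from the article. Storage key, category names and the
// consent record format are assumptions for illustration.
const CONSENT_KEY = "cookie_consent_v1";
const CATEGORIES = ["necessary", "analytics"];

// Strictly necessary cookies are exempt from consent; everything else needs
// an explicit, current (version 1) opt-in for its category.
function mayRun(category, consent) {
  if (category === "necessary") return true;
  if (!consent || consent.version !== 1) return false;
  return consent.granted.includes(category);
}

// Parse a stored consent record. Anything missing, malformed or from an
// unknown record version counts as "no consent" (fail closed).
function parseConsent(raw) {
  if (typeof raw !== "string") return null;
  try {
    const obj = JSON.parse(raw);
    if (obj && obj.version === 1 && Array.isArray(obj.granted) &&
        obj.granted.every((c) => CATEGORIES.includes(c))) {
      return { version: 1, granted: obj.granted, at: obj.at };
    }
  } catch (_) { /* malformed JSON is treated as no consent */ }
  return null;
}

// Persist the visitor's choice. `storage` is any object with getItem/setItem
// (window.localStorage in a browser, the in-memory stub below elsewhere).
function recordConsent(storage, granted) {
  const rec = { version: 1, at: Date.now(),
                granted: granted.filter((c) => CATEGORIES.includes(c)) };
  storage.setItem(CONSENT_KEY, JSON.stringify(rec));
  return rec;
}

// Run the injected `loader` (e.g. one that appends the GA <script> tag) only
// when analytics consent is on record. Returns whether the tag was loaded.
function loadAnalyticsIfConsented(storage, loader) {
  const consent = parseConsent(storage.getItem(CONSENT_KEY));
  if (!mayRun("analytics", consent)) return false;
  loader();
  return true;
}
// Minimal in-memory storage so the example also runs outside a browser.
function memoryStorage() {
  const m = new Map();
  return { getItem: (k) => (m.has(k) ? m.get(k) : null),
           setItem: (k, v) => { m.set(k, String(v)); } };
}
```

In a browser, `loader` would be the function that creates the GA script element, so no analytics cookie can be written before the recorded opt-in exists.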
GDPR also restricts transfer of user data to countries with weaker privacy protections. Again, it has been argued that this data is unsafe on Google’s US servers where the US government has access to EU user data.
2020: Schrems II ruling on Privacy Shield
Widely known as the “Schrems II” case, the European Court of Justice ruled that Privacy Shield was invalid for two key reasons:
- US surveillance programs such as PRISM are not limited to what is strictly necessary and proportional, meaning that EU user data on US servers does not have protection equivalent to that of EU law
- EU individuals do not have a meaningful legal remedy for redress with regard to their data being accessed by US surveillance
This once again brought the EU legality of Google Analytics into question.
2022: Data Protection Authority rulings on GDPR
Data Protection Authorities (DPAs) in countries like Austria, France, Italy, Denmark and Norway began ruling that Google Analytics, in its default settings, violated GDPR.
These DPAs felt user data was at risk because US authorities could access EU user data on US servers.
Also, anonymized data (like IP addresses) might still be identifiable in some circumstances; for example, IP addresses could be combined with other data points, such as device or geolocation data, to meaningfully identify an individual.
2023: EU-US Data Transfer agreement
The European Union and the United States announced another new data transfer agreement, the EU–US Data Privacy Framework (DPF), replacing the previous two failed frameworks, Safe Harbour and Privacy Shield.
This new DPF framework aims to address concerns raised in Schrems II by providing clearer guidelines for US government access to data, as well as establishing a new system for redress for EU individuals whose data is accessed by US authorities.
US companies can certify their participation in the DPF by committing to comply with its privacy obligations and principles. Tech giants such as Google, Microsoft, and Meta have become certified.
2024: What the hell is going on?
Disclaimer: we are not lawyers and this is not legal advice.
At this moment in time, it appears that Google Analytics is technically legal. The 2023 Data Privacy Framework is the current legal instrument for Google Analytics to transfer EU data to the US.
But as you can see, there has been over a decade of legal ping-pong that is likely to continue. US government promises are hollow and the current Data Privacy Framework will certainly be challenged again.
Unfortunately the legal landscape for Google Analytics in Europe remains unstable.
As a first step, our recommendation is to use an analytics solution that falls under EU jurisdiction, such as Piwik PRO. There are also other products such as Matomo Analytics, which is from New Zealand - a jurisdiction with data privacy legislation considered to be adequate by the European Union.
Again, this is not legal advice. Organizations using Google Analytics in Europe should speak to their legal teams and carefully assess their compliance with GDPR.
If you’d like to learn more about Google Analytics and tag management solutions, read more on our service page.