Norway declares Google Analytics non-compliant with GDPR
In the years since the implementation of the General Data Protection Regulation (GDPR) in 2018, the data protection NGO NOYB has filed numerous complaints with EU data protection authorities against a number of European websites. NOYB believes the websites transfer personal data out of the European Economic Area in violation of the GDPR by using the US analytics tool Google Analytics.
One of the websites named in the complaints, telenor.com, is Norwegian and previously used Google Analytics. The Norwegian Data Protection Authority, Datatilsynet, investigated this case. The preliminary conclusion: the use of Google Analytics violated the transfer provisions of the GDPR.
European coordination
Due to the high number of complaints about the use of Google Analytics at the European level, the European Data Protection Board (EDPB) has established a working group to coordinate the handling of complaints. The reason for this is that data protection authorities are required to interpret the General Data Protection Regulation in the same way throughout the EEA.
Data protection authorities in Austria, France and Italy, as well as the Data Protection Authority for the EU institutions (EDPS), have already ruled that the use of Google Analytics violates data protection rules. In addition, the Danish data protection authority comes to the same conclusion in a guide on the subject, and the Liechtenstein data protection authority has also been critical of the tool.
What happens now with Google Analytics?
If the Norwegian data protection authority also decides that the use of Google Analytics by the website in question violates the GDPR, this could also have consequences for other Norwegian websites. Therefore, the Norwegian authority reiterates its recommendation to consider alternatives to Google Analytics. More detailed information on what to expect from Norwegian websites will be available at the end of April at the earliest.
Universal Google Analytics or GA4?
At the time of the complaint, the website in question was using Universal Google Analytics. The data protection authority has not commented on whether the same violations exist with Google Analytics 4 in this specific case. However, as far as can be seen, Google Analytics 4 will not necessarily fix the problems identified by the data protection authority. In this context, it may be useful to refer to the guidelines of the Danish data protection authority, which state exactly this.
Source: datatilsynet.dk | NOYB
Update: In July 2023, the EU Commission approved the new EU-US Data Privacy Framework (DPF), removing many of the restrictions of Schrems II and making it much easier for organisations to transfer EU personal data to the US. However, the new framework will be challenged legally by NGOs (possible “Schrems III”). Therefore some legal uncertainty will remain until the Court of Justice of the EU (CJEU) rules on the matter. JENTIS Data Capture Platform enables future-proof GDPR-compliant tracking, regardless of the data privacy framework and potential challenges.