Can You Use Google Analytics in the EU? A Guide for Australian Organisations

In January 2022, Austria became the first EU country to state that the continuous use of Google Analytics contravened the GDPR. France’s data protection agency swiftly followed suit, with Italy and Denmark also banning Google Analytics in 2022. It’s expected that most EU member states will eventually release a finding that Google Analytics data protections, in their current form, do not comply with the bloc’s data protection law.  

Max Schrems: “We expect similar decisions to now drop gradually in most EU member states. We have filed 101 complaints in almost all Member States and the authorities coordinated the response. A similar decision was also issued by the European Data Protection Supervisor last week.” 

What is Google Analytics? 

Google Analytics is a Google product that collects data about the users of websites and apps. It then collates and aggregates that data for the owner of the website, to give them information about their business.

It is used on approximately 56.5% of websites.  

Can You Use Google Analytics in the EU?  

It’s inaccurate to say that it is ‘banned’. The Universal version of the Google Analytics tool is non-compliant with, or in contravention of, the GDPR, but that’s not the same as being banned. It could be used if the non-compliant aspects were addressed (however, this is currently not possible).

It’s also important to note that each decision made by the European data authorities relates only to the use of Universal Google Analytics on a single website. However, since all Universal Google Analytics accounts use the same settings (and suffer the same privacy issues), the practical impact is that using Google Analytics is effectively unlawful in the EU.  

Finally, it’s important to understand the different Google Analytics products. Each privacy decision made in the EU relates to Universal Google Analytics (GA) – which is being retired by Google in July of this year.  

Universal GA will be replaced by Google Analytics 4 (GA4). No case law currently exists about this product. However, despite the platform becoming more privacy-centric, we think it is unlikely to meet the high bar set by the GDPR.  

Privacy Issues with the Google Analytics Tools 

The most significant issue with the use of the Google Analytics tools in the EU is that the data collected is processed in the US. Data transfers between the EU and US are currently complicated, as a result of the Schrems II decision. You can read more about that here.

Can You Deploy Google Analytics Safely in the EU? 

France’s privacy watchdog outlined that pseudonymisation alone was unlikely to offer protections that would make the use of Google Analytics lawful in the EU.  

It proposed a highly technical proxy option for website owners that may make the Google Analytics platform compliant with the GDPR. However, it does make the data collected almost useless.  

Instead, it is recommended that organisations either uninstall the tool and ‘wait and see’ what happens with the EU-US data transfer negotiations, or install an EU-based analytics tool (of which there are many).

Can Australian Organisations Safely Use Google Analytics? 

Australian organisations can collect and store data using the Google Analytics products without much risk of penalty from Australian authorities. However, if Australian organisations collect and store the data of European residents (by showing their website within the EU), then there is a legal risk, because the GDPR applies to all organisations, even those physically located outside the EU, that:

  • Offer goods or services to EU residents; or  
  • Monitor their behaviour. 

Further Resources 

If you need help negotiating the complexities of the GDPR, contact us for a no-obligation, free discussion on your requirements or ask us about our Privacy Compliance Review services. 


Privacy, security and training. Jodie is one of Australia’s leading privacy and security experts and the Founder of Privacy 108 Consulting.