Danish Data Protection Agency – legal update
The Danish Data Protection Agency has become the latest in Europe to rule that Google Analytics is illegal (after Austria, France and Italy earlier in the year). Whilst this is similar to previous rulings, based on the idea that Google Analytics currently includes IP Address, which is classified as personally identifiable, and this is sent to servers in the US, thereby breaking GDPR, because the US does not have an adequacy agreement with the EU on GDPR.
So far, so similar. However, the Danish guidance includes a couple of important points.
Firstly, the Danish conclusion seems more strident than previous guidance decisions. It also specifically determines that it’s vital that “European data protection law is interpreted uniformly across the EU/EEA”, so there is the clear expectation that the same decisions, in line with CNIL, the French DPA, will be made by EU data protection agencies yet to formally rule.
Put simply, if you are operating Google Analytics in the EU, or have European-based customers accessing a digital asset with GA, even if you only operate in a country that hasn’t ruled yet, you should expect that you will have to follow similar measures in the near future.
Secondly, and perhaps more controversially, the Danish guidance requires organisations to put in supplementary measures to ensure they are compliant. This extends beyond just the removal of IP address and into pseudonymization.
The only measure “recommended” by the DDPA is to create a reverse proxy, as outlined earlier this year by CNIL, the French data protection agency, in their own decision. This is not a small undertaking, and a significant IT overhead for any business, but particularly smaller companies. The outlined approach involves stripping out additional, not just IP, information (including user agent, query string parameters and even page referrer information).
That’s because, as CNIL puts it, “The resulting requests allow these servers [GA servers, hosted in the US] to obtain the IP address of the Internet user as well as a lot of information about their terminal. This information may realistically allow the user to be re-identified and, consequently, to access his or her browsing on all sites using Google Analytics.” In other words, it’s possible for other, reasonably available, information about the user to be appended to create a picture of that individual, meaning it’s not actually anonymous.
The DDPA does acknowledge that Google has begun to “provide additional settings”, but says until there are more, the tool as it stands remains illegal. At the moment, this doesn’t specify whether it’s Universal Analytics or GA4; it’s not clear whether and when such settings getting in place would change these rulings. But the key point is it’s more than just stripping out IP address.
So, what does this mean? It’s certainly caused some considerable consternation among many of our pan-European clients – as noted above, this doesn’t just affect Danish businesses. There are two big issues.
The first major challenge is the only proposed solution – the reverse proxy mentioned above – is practically unworkable. Not only does it demand additional IT skills and resources that many will struggle to have, it also requires businesses to strip out the very information – particularly page referrer or UTM parameters, for instance – that you would want to use the tool for in the first place. In effect, the guidance puts a business wanting to use Google Analytics in something of a Catch-22 position; “you can use the tool, so long as you put in technical processes and infrastructure in place so you can’t use it in the way you wanted to”.
The second challenge is the extent to which this guidance applies to non-Google solutions. The DDPA is at pains to say it’s technology-agnostic, but then goes on to say it has been asked to give specific guidance on GA, so here it is. On the face of it, if your analytics provider says the data stays in the EU, then everything is good. But can they guarantee that? If the failsafe scenario kicks in, and a data centre goes down, what happens then? If another EU data centre takes over, great. If it goes to the US, then you could have exactly the same issue.
This should be a good opportunity for the other major vendors in the space (Adobe, Amplitude, Snowplow, AT Internet), but it will bring greater scrutiny on their EU and UK-based infrastructure and data centres.
If you are a data governance or compliance officer with operations in Europe, especially if you have Google Analytics somewhere within the business, it’s worth re-reading CNIL’s advice.
Your options are:
Either move to GA4 and in doing so, make sure you put in place relevant pseudonymisation processes consider alternative tools in either event, you should plan for how you can “stress test” your pseudonymisation processes, and see if you can “reverse engineer” an identity from other data you might collect
Further reading and related articles are here:
Press release: Use of Google Analytics for web analytics (datatilsynet.dk)
Google Analytics and data transfers: how to make your analytics tool compliant with the GDPR? | CNIL