Google Analytics and data privacy is making headlines again, especially in Scandinavia. In January 2023, the Finland Data Protection Authority ruled that having Google Analytics send personal information about a site's end users to the United States was a breach of privacy laws.
After the decision, many media outlets have been excitedly writing about this decision — sometimes colorfully. But what is the data transfer mess really about and what should we do now? Mira Mäkiranta, Director of Competence and Insight at Nordic Morning, explores this hot topic, including the upcoming Google Analytics transition to GA4.
If you wanted to completely avoid the data transfer discussions, especially when it comes to analytics, you’d need a European tool with all data warehouses on European-owned servers. However, not even that would fully resolve the problem, because the effects of the decisions extend far beyond analytics.
The General Data Protection Regulation (GDPR) specifies that the personal data of EU citizens must not be sent to places where it is not well taken care of (i.e. where it can be used by local intelligence). The USA is currently defined as an unsafe country. However, two main questions remain, both of which are primarily decided by the local EU country authorities (Data Protection Agencies, or DPAs): “what is personal information?" and “what is meant by transfer of information?". That's why the rules vary in different countries.
For example, the decisions of the authorities of Austria, France and, most recently, Denmark and Finland have made headlines, stating that there are no personal variables in GA as such, but "personal information may be created" by combining a few different variables . This interpretation is relatively strict, and is why the decisions have been newspaper fodder in several countries.
In addition, in all policy decisions so far, the situation of the organization that received a notice has been that the appropriate consent for monitoring has not been requested, or the request for permission has not technically affected the monitoring.
And while the EU agrees on many issues relating to the GDPR and numerous preliminary decisions, a common vision is lacking when it comes to analytics. A decision relating to analytics has not yet been made from the local level on the scope of EU legislation, i.e. the decision of a local authority has not been challenged in higher courts at EU level. As a result, we don't know how things "really" are. However, the local authority, as the competent authority, may impose fines and notices according to its own interpretation.
Google has released a new version of its tool called Google Analytics 4 (GA4). It is allegedly more secure – for example, the user's IP address is not sent out of the EU for processing at all. In addition, the privacy settings are more versatile. A transition to GA4 will be Google's main solution in the future and the old version of Universal Analytics will stop working completely.
Google also reminds us that the analytics data is not very personal (read: interesting), and the National Security Agency (NSA) has never once made a request for information about it in the entire history of the tool's existence. This is understandable when you compare, for example, analytics data (which pages are downloaded and on what kind of device) with, say, mobile device usage data or the contents of emails, which the NSA also has access to.
In Sweden, no position has been taken on the transfer of data in connection with the use of GA.
In Finland, the authority took a stand on the matter a few weeks ago in the Helmet case. What is worth noting in this decision is that the location of the data servers is not relevant, but rather their ownership. In other words, according to the decision, GA raised suspicions due to the data warehouses being owned in the US, not that the warehouses are partially located in the USA.
The decision is logical, because the Cloud Act means that the NSA may have access to data regardless of its location, if the owner of the data warehouse is a US entity. However, this decision revealed the impossibility of the whole situation: under the guise of the same decision, a majority of the big cloud platforms and internet solutions, including for example Amazon Web Services (AWS) and Microsoft (Teams and Outlook), would be questionable in the EU.
After the decision of the Danish DPA, a new data transfer agreement between the EU and the USA was prepared which is expected to clarify the messy and practically impossible situation. The market therefore expects that the agreement will oblige organizations from the US perspective to behave better on the issue, which would also enable normal digital cooperation between the EU and the US in the future.
In light of the Google Analytics transition, it could be tempting to switch to an alternative tool. And while there are several good alternatives, changing is a big project and the effects of the decision extend not only to analytics, but often the entire digital marketing ecosystem. For this reason, and to avoid the risk of making yet another future change when things clarify, it might make sense to monitor the situation and wait for the details of the new data transfer agreement before making any decision.
Many analytics tools that compete with Google Analytics have emphasized that their tools are more GDPR compliant, as all data warehouses are located in the EU. Unfortunately the situation seems to be more complicated than that. If we take the latest local DPA decisions as an example, what matters is not the location of the data warehouse but the underlying ownership of those warehouses. Many vendors who say their data is located safely in the EU, are either US-owned businesses or they could be using US-owned cloud services.
As mentioned before, if we wanted to completely avoid the data transfer discussion in terms of analytics, a European tool would have to be taken into use, with all data warehouses on European-owned servers. However, the challenge is obviously much bigger than analytics. The whole EU is currently waiting for some kind of clarification on the matter, with the situation being close to impossible.
If the current Finnish DPA decision were to be implemented everywhere, it would effectively mean that the EU has its own internet – information cannot be sought from outside the EU, and there must be no non-European operators on the EU's internet. It’s not just Google: every US operator and US-owned big tech company is currently facing the same problem. Recently in Denmark, the AWS cloud platform has also been in the eye of the storm for the same data transfer reason.
For Google Analytics users, switching to GA4 instead of the old Universal Analytics is recommended – and ultimately the only way to continue using GA as the old version will soon be completely retired.
Regardless of the measurement tool used, Server Side Tracking is a safer option than traditional ways of measuring, as it allows the organization to influence exactly what data is sent to the servers. Therefore, if there is a clear decision in the future that certain information may not go to data centers owned by a US operator, it could be reacted to immediately by removing this information from the analytics.
In addition, it is worth paying attention to the fact that consent for all monitoring is properly requested in accordance with the recommendations of the local authority. For example in Finland, according to Traficom's instructions, this means that the consent banner must also have an "I refuse" option in addition to the "I agree" and "go to settings" options.
It’s a complex situation and the future is, for now at least, largely unclear. As always, our experts are available to help you make sense of it all, whether guiding your transition to GA4, exploring alternative analytics tools, or contextualizing what it means for your broader digital marketing ecosystem. We are a GDPR compliant click away.
By Mira Mäkiranta, Director of Competence and Insight at Nordic Morning