Associate professor warns: Google Analytics may soon become illegal in Denmark

It may soon be illegal to use Google Analytics in Denmark. But first, European data protection authorities need to reach an agreement on the issue. Illustration: bigtunaonline | Bigstock

Nervousness has spread among the business community after the Austrian Data Protection Authority published its decision in a case involving Google Analytics in early January.

The authority declared the use of the American tech giant’s service illegal, and due to the ambition to harmonise the enforcement of the GDPR across the EU’s national borders, many are now wondering what that could mean for data controllers and authorities in Denmark.

“The ultimate consequence is that one can no longer use Google Analytics. That is exactly what the Austrian Data Protection Authority is saying.”

This is the answer that comes from Ayo Næsborg-Andersen, associate professor of data protection law and human rights at the University of Southern Denmark. Although the Austrian Data Protection Authority’s assessment is based on a single company’s use of the service, it may apply in a more general way.

The authority has investigated the additional measures that Google has implemented in an attempt to secure personal data when it is sent to the parent company in the United States. It is really the data controllers—and not Google, the data processor—who have to make sure the transfer is secure, but since many do not have the resources to carry out the complex legal work, the tech giant has tried to help its customers.

The measures can, for example, be technical, such as encryption, and must supplement the security provided for the transfer under a standard contract. The contract cannot stand alone, the European Court of Justice ruled in the Schrems II Decision in the summer of 2020.

However, it is very difficult to find additional measures that can adequately protect the data in the insecure third country, the US. The country’s legislation gives authorities access to data to a degree that, according to the EU, is undemocratic and goes beyond the Union’s data protection guarantees.

Ayo Næsborg-Andersen, associate professor of data protection law and human rights at the University of Southern Denmark. Illustration: Brian Rasmussen/Fotografhuset

Austria also concluded that Google had not found a way to legally send cookie data, such as IP addresses and online user IDs, to the United States. However, it is the Danish and not the Austrian Data Protection Authority that must regulate data controllers in Denmark—so nothing has been decided yet, according to Ayo Næsborg-Andersen:

“Austria is sending a very clear message. But at the same time, it's just one data protection authority out of 27, and if the other 26 come to a different conclusion, then the Austrian authority has to correct its judgement and admit that it was wrong.”

Taking the temperature of the room

When Version2 asked the Danish Data Protection Agency what the Austrian decision could mean for companies in Denmark a few weeks ago, it refused to answer.

Instead, the agency sent out a press release stating that it will delve deeper into the case, follow other similar decisions in the EU, and provide guidance in the long run.

The Swedish Authority for Privacy Protection has also refused to comment on what the case may mean for data controllers in the neighbouring country.

Right now, they are waiting for all EU authorities to reach a common understanding:

“Austria has now come out with its proposal, and the others need to take the temperature of the room and see what the other data protection authorities say. Then we’ll get a message, and I think it will come in the spring. But it’s impossible to know for sure,” says the associate professor and continues:

“It’s always difficult to predict how long it will take. But at some point, we will know the position of the different data protection authorities. When we do, one should probably adjust unless they want to risk a fine.”

Is there a genuine risk that data controllers in the EU—including Danish data controllers—will have to stop using Google Analytics?

“I think so. I don’t know how big the risk is. But it’s a realistic possibility. If they can't sufficiently secure data, there are some fairly clear messages from the European Court of Justice—then one may not transfer it,” she emphasizes.

Widespread in Denmark

This could potentially affect many Danish companies and authorities that use Google Analytics because the tool is quite popular in Denmark.

“There are really, really many websites that use Google Analytics. It’s an effective and cheap tool, and there are many companies that are really satisfied with it,” says Ayo Næsborg-Andersen, and adds:

“Potentially, this decision could prevent companies from using it. It is therefore very important to find out the final ruling when the other data protection authorities have also looked at it. Potentially, that could mean one can’t use Google Analytics.”

Most Danish data controllers are probably also dependent on Google’s additional measures, because the alternative is that the measures must be put in place by the data controllers themselves, for example by the owner of a small webshop in Svendborg:

“I have a hard time imagining that there are many people who have taken additional measures themselves. People are still finding their feet in this,” Ayo Næsborg-Andersen says.

The influence of Danish data controllers on the way they use Google’s services is limited. It is the tech giant that does the calculations and produces the statistics, which tell the website owner about the behaviour of the visitors.

“In order to make those calculations, one needs personal data. Once they have been made, all personal data can be deleted, and then all the statistics remain,” she says and continues:

“The problem is the process of making the calculations, because Google is responsible for it. That’s what they’re really good at. As long as Google does this in a way that is not safe from the US authorities, there will probably be a problem.”

Is it not possible for Danish data controllers to find some additional measures or other tools to protect data?

“The problem is that Google needs to have access in order to do the calculations. On the one hand, Google requires access to the information, because otherwise they cannot make their calculations. On the other hand, Google is not allowed to access the information because the security is not good enough. These two conditions cannot be reconciled.”

More cases are emerging

So there is still some doubt, while companies and authorities in the EU are waiting for the data protection authorities to agree on how to regulate the use of Google Analytics.

“What I think happens right now is that all the different European data protection authorities meet at the European Data Protection Board once a month. There, they discuss issues such as this case, because it can undeniably have significance for many countries,” the associate professor says.

In the meantime, several similar decisions may emerge around Europe. The case from Austria started as part of the “101 model complaints” by the Austrian privacy organization “None of Your Business” (noyb), which have been shared with all supervisory authorities. Yesterday, France issued another decision, backing the Austrian conclusion and concluding that the use of the US service is illegal in the EU.

Austria and France have got the ball rolling, and we will know the fate of Google Analytics in Denmark in spring.