Book Consultation
Pricing
Cases
Videos
About us
Webinars
Book Consultation
Pricing
Cases
Videos
About us
Webinars
Case Study

Danish Datatilsynet Rules Against Google Analytics Following EU-Wide Approach

by Berner Setterwall
September 21, 2022
The Danish Data Protection Authority (Datatilsynet) has ruled that the use of Google Analytics violates GDPR due to improper transfer of personal data to the United States, joining other EU authorities in establishing a consistent approach to US-based analytics services.

Background

On September 21, 2022, the Danish Data Protection Authority (Datatilsynet) issued a significant decision declaring that the use of Google Analytics violates the General Data Protection Regulation (GDPR). This ruling joined a growing consensus among European data protection authorities, following similar decisions by the Austrian, French, and Italian authorities earlier in the year.

The Danish decision was part of the coordinated response to complaints filed across the EU by the privacy advocacy organization noyb (None Of Your Business), founded by Max Schrems, following the Court of Justice of the European Union's "Schrems II" judgment in July 2020 that invalidated the EU-US Privacy Shield framework.

The Decision and Key Findings

The Datatilsynet's investigation centered on a company's implementation of Google Analytics and found several critical issues:

  1. Improper Data Transfers: The authority determined that the use of Google Analytics enables the transfer of personal information outside of the European Union without appropriate safeguards.

  2. Personal Data Classification: Cookie identifiers, IP addresses, and browser information collected by Google Analytics were classified as personal data under the GDPR, capable of identifying individual users, especially when combined with other data points.

  3. Inadequate Technical Measures: The pseudonymization and encryption measures implemented by Google were deemed insufficient to protect against potential access by US intelligence agencies under laws such as FISA 702.

  4. Standard Contractual Clauses (SCCs) Insufficient: Like other EU authorities, the Datatilsynet concluded that SCCs alone do not provide adequate protection for data transfers to the US without additional technical safeguards.

Technical Concerns Highlighted

The Danish authority's analysis identified specific technical issues with Google Analytics implementation:

  1. Data Combination Risks: The authority noted that Google can potentially combine analytics data with data from other Google services, particularly when users are logged into Google accounts.

  2. Pseudonymization Limitations: The decision emphasized that Google's IP anonymization features do not constitute true anonymization but merely pseudonymization, which still falls under GDPR protection requirements.

  3. Encryption Control Issues: The encryption measures implemented by Google were found inadequate because Google maintains control of the encryption keys, meaning US authorities could potentially compel access to both the data and the means to decrypt it.

Recommended Measures

The Datatilsynet provided specific guidance for organizations seeking to continue using analytics tools while complying with GDPR:

  1. Supplementary Technical Measures: The authority recommended implementing robust technical measures to ensure adequate data protection, including:

    • Complete removal of IP addresses before data reaches analytics servers
    • Implementation of proper pseudonymization techniques
    • Removal of external referrer information that could identify users
    • Elimination of URL parameters containing personal data
    • Prevention of cross-site tracking and identifiers

  2. Proxy Server Implementation: The authority suggested that using a proxy server with specific data protection criteria could potentially address some concerns by filtering personally identifiable information before it reaches Google's servers.

  3. EU-Based Analytics: The most secure solution would be using analytics tools that process and store all data exclusively within the EU jurisdiction.

Server-Side Tracking Solutions for Danish Compliance

In response to the Datatilsynet's decision, server-side tracking implementations offer organizations a viable path to maintain analytics capabilities while addressing the specific concerns raised:

  1. EU-Exclusive Data Processing:

    • Implementing server-side tracking infrastructure entirely within the EU
    • Creating data processing workflows that ensure all data remains under EU jurisdiction
    • Establishing technical controls that prevent any data from leaving EU servers

  2. Comprehensive Data Anonymization:

    • Implementing true anonymization (not just pseudonymization) at the server level
    • Creating robust one-way hashing protocols for any potentially identifying information
    • Applying data minimization principles to collect only necessary information
    • Implementing aggregate-only analytics for sensitive metrics

  3. Server-Side Filtering Engine:

    • Developing granular filtering rules that strip personally identifiable information before processing
    • Creating data transformation pipelines that convert raw data into privacy-preserving formats
    • Implementing server-side consent verification before any data collection or processing

  4. Technical Access Controls:

    • Establishing strict access limitations to raw data
    • Implementing encryption with proper key management separated from data storage
    • Creating technical and organizational measures that prevent unauthorized access

Implementation Guidelines

To implement server-side tracking in compliance with the Datatilsynet's guidance, organizations should consider these specific approaches:

  1. Edge Anonymization Architecture:

    • Deploy server-side tracking containers as close to the data source as possible
    • Implement immediate anonymization of IP addresses before any storage or processing
    • Create technical separation between identification systems and analytics systems

  2. Multi-Stage Data Transformation:

    • Develop a process that transforms raw data through multiple privacy-enhancing stages
    • Implement progressive data minimization at each step of processing
    • Apply statistical techniques that preserve analytical value while protecting individual privacy

  3. Compliance Documentation Framework:

    • Create comprehensive records of processing activities
    • Implement continuous monitoring to verify data remains within approved jurisdictions
    • Establish regular audit procedures to validate the effectiveness of technical measures

Conclusion

The Danish Datatilsynet's decision represents another significant milestone in the evolving European approach to international data transfers following the Schrems II judgment. By joining the Austrian, French, and Italian authorities in ruling against Google Analytics, Denmark has reinforced the emerging pan-European consensus that US-based analytics services require substantial safeguards to be GDPR-compliant.

For organizations operating in Denmark and across the EU, the implications are clear: implementing server-side tracking with EU-hosted infrastructure and comprehensive anonymization techniques is increasingly becoming a necessity rather than an option. The Datatilsynet's specific recommendations regarding supplementary measures provide a useful framework for organizations seeking to implement compliant analytics solutions.

By adopting server-side tracking with proper EU data residency controls and advanced anonymization techniques, organizations can maintain effective analytics capabilities while aligning with the emerging European regulatory framework for data protection. This approach not only addresses immediate compliance concerns but also positions organizations for sustainable, privacy-respecting analytics practices as regulatory expectations continue to evolve across the EU.