Book Consultation
Pricing
Cases
Videos
About us
Webinars
Book Consultation
Pricing
Cases
Videos
About us
Webinars
Case Study

Norwegian Datatilsynet Issues Reprimand Over Google Analytics Use

by Berner Setterwall
July 26, 2023
The Norwegian Data Protection Authority (Datatilsynet) has issued a reprimand to Telenor ASA for illegally transferring personal data to the United States through Google Analytics, emphasizing the ongoing challenges with transatlantic data transfers following the Schrems II judgment.

Background

On July 26, 2023, the Norwegian Data Protection Authority (Datatilsynet) issued a significant decision in case 20/03771-17, finding that Telenor ASA had violated GDPR regulations by transferring personal data to the United States through Google Analytics. This case was part of a broader investigation involving 101 complaints about Google Analytics coordinated across the European Economic Area (EEA) by the privacy advocacy organization noyb, led by Max Schrems.

The Case and Decision

The Datatilsynet's investigation focused on Telenor's implementation of Google Analytics and the resulting transfer of personal data to Google's servers in the US. Key aspects of the decision included:

  1. GDPR Violation: The authority determined that Telenor's use of Google Analytics constituted an illegal transfer of personal data to the United States under Article 44 of the GDPR.

  2. Personal Data Identification: The data processed through Google Analytics included various identifiers and browser information that the authority classified as personal data, including:

    • Unique identifiers (client IDs)
    • IP addresses (even when partially anonymized)
    • Browser metadata
    • Time and duration of visits

  3. Insufficient Safeguards: Despite implementing Standard Contractual Clauses (SCCs) and additional technical measures, Telenor failed to provide adequate protection for the transferred data against potential access by US authorities.

  4. Outcome: The Datatilsynet issued a formal reprimand to Telenor rather than a financial penalty, noting that Telenor had already discontinued its use of Google Analytics in January 2021.

Technical Issues Identified

The Norwegian authority's assessment highlighted several technical concerns with Google Analytics implementation:

  1. Inadequate Anonymization: The so-called "anonymization" features of Google Analytics were deemed insufficient, as they still allowed for potential identification of individuals when combined with other data points.

  2. Data Combination Risks: The authority expressed concerns about Google's ability to combine analytics data with other services and datasets, creating a comprehensive profile of user activities.

  3. Access Control Problems: Technical measures implemented by Google were considered inadequate because Google, as the data processor, maintained control over encryption keys and access mechanisms.

Server-Side Tracking Solutions for Norwegian Compliance

In response to the Datatilsynet's decision, organizations can implement server-side tracking with specific safeguards to address the concerns raised:

  1. EU-Based Data Processing Infrastructure:

    • Deploy server-side tracking containers on servers physically located within the EEA
    • Implement technical controls to ensure all data processing remains exclusively within European jurisdiction
    • Create verifiable barriers preventing any direct or indirect transfer to non-adequate third countries

  2. True Anonymization Protocol:

    • Implement cryptographic hashing of identifiers at the server level before any analytics processing
    • Remove or fully anonymize IP addresses and other identifier data at the point of collection
    • Apply data minimization principles to collect only necessary, non-identifying information
    • Implement aggregate-level analytics where possible to prevent individual user tracking

  3. Technical Access Restrictions:

    • Create multi-layered technical barriers to prevent unauthorized access to personal data
    • Implement encryption where encryption keys are managed by a separate entity within the EEA
    • Establish strict access controls with comprehensive logging and audit capabilities

  4. Consent and Transparency Framework:

    • Implement server-side consent verification before any data collection or processing
    • Create mechanisms for immediate cessation of data processing upon consent withdrawal
    • Provide transparent information about data flow and processing practices

Implementation Guidelines

Organizations seeking to maintain analytics capabilities while complying with Norwegian and broader EEA requirements should consider these specific approaches:

  1. Edge Processing Architecture:

    • Deploy server-side processing containers as close to the data source as possible
    • Implement immediate anonymization or pseudonymization at the collection point
    • Create technical separation between user identification and analytics systems

  2. Multi-Stage Data Transformation Pipeline:

    • Develop a process that transforms raw data through multiple privacy-enhancing steps
    • Implement progressive data minimization at each processing stage
    • Apply differential privacy techniques to protect individual user identity while preserving analytical value

  3. Comprehensive Documentation System:

    • Create and maintain detailed documentation of all technical and organizational measures
    • Implement continuous monitoring to verify compliance with data residency requirements
    • Conduct regular audits to validate the effectiveness of privacy protection measures

Conclusion

The Norwegian Datatilsynet's decision adds to the growing consensus among European data protection authorities that Google Analytics, without significant modifications and safeguards, does not comply with GDPR requirements for international data transfers. This case emphasizes that even when no financial penalty is imposed, organizations must take data transfer restrictions seriously.

For organizations operating in Norway and across the EEA, implementing server-side tracking with proper EU data residency controls and comprehensive anonymization techniques has become increasingly important. The Datatilsynet's decision reinforces that merely implementing standard contractual clauses is insufficient without substantial supplementary measures.

By adopting server-side tracking solutions with true anonymization capabilities and strict data residency controls, organizations can maintain effective analytics capabilities while aligning with European data protection requirements. This approach enables businesses to gather valuable insights while respecting the fundamental rights and freedoms of individuals as required by the GDPR and interpreted by data protection authorities across Europe.