Datatilsynet, Denmark’s data protection authority, is the latest EU authority to halt the use of Google Analytics for data transfers to the U.S. without supplementary measures.
The Danish authorities wrote that Google’s audience measurement tool is not compliant with the EU General Data Protection Regulation (GDPR) because the tool transfers personal data to the United States, which does not offer an adequate level of data protection. The decision follows those from other European nations including Austria, France and Italy. In all three countries, the supervisory authorities found that the use of Google Analytics under the given circumstances was unlawful.
Under Datatilsynet’s guidance, Danish organizations must now assess whether their use of Google Analytics complies with the data protection laws. If their use does not comply, they must either stop using the tool or use supplementary measures.
“The GDPR is made to protect the privacy of European citizens. This means, among other things, you should be able to visit a website without your data ending up in the wrong hands. We have carefully reviewed the possible settings of Google Analytics and have come to the conclusion that you cannot use the tool in its current form without implementing supplementary measures,” said Makar Juhl Holst, Senior Legal Advisor at the Danish Data Protection Agency, in a press release.
He added that, since the decisions of other European nations, Denmark looked into Google Analytics’ specific settings and concluded that, without supplementary measures, it cannot be used lawfully.
Earlier this year, Denmark also revealed it was effectively banning Google’s services in schools, after officials in the municipality of Helsingør were last year ordered to carry out a risk assessment around the processing of personal data by Google, reported TechCrunch.
Datatilsynet said that data processing involving students using Google’s cloud-based Workspace software suite — which includes Gmail, Google Docs, Calendar and Google Drive — “does not meet the requirements” of the European Union’s GDPR data privacy regulations.
The authority found that Google’s terms and conditions seemingly allow for data to be transferred to other countries for the purpose of providing support, despite the fact that the data is ordinarily stored in one of Google’s EU data centers.