On September 21, 2022, Denmark’s data protection authority Datatilsynet (“Danish DPA”) announced its guidance that Google Analytics, Google’s audience measurement tool, is not compliant with the EU General Data Protection Regulation (“GDPR”), as the tool transfers personal data to the United States which, following Schrems II, does not offer an adequate level of data protection.
EU data protection authorities are cooperating through the European Data Protection Board on the treatment of Google Analytics. The Danish DPA’s decision follows similar decisions by EU data protection authorities in Austria, France, and Italy.
Under the Danish DPA’s guidance, organizations must assess whether their current use of Google Analytics complies with EU data protection law. If their use does not comply, then they must either remediate the noncompliance with supplementary measures or cease using the tool. The Danish DPA highlighted pseudonymization by “reverse proxy” as a possible technical supplementary measure, along with recent guidance by the French data protection authority, CNIL.
The Danish DPA has also posted an FAQ with more information on Google Analytics.