The Danish Data Protection Agency has determined that the operations of Google Analytics are unlawful in Denmark without “the implementation of supplementary measures in addition to the settings provided by Google.” At issue is the protections on consumer data collected in Europe for dispatch to the U.S.
As the agency notes in its press release, its Austrian, French and Italian counterparts have within the past year issued equivalent judgments of their own. The cases have been decided individually, but the decisions, the agency says, “represent a common European position.” However, “as the subject-matter of the submitted complaints has been exactly the same, the cases have been handled together by a working group under the auspices of the European Data Protection Board.”
In short, Google’s protections fall short of European law: specifically the General Data Protection Regulation (GDPR).
Denmark will require organizations on its territory to bring their use of Google Analytics into compliance with data-protection law or discontinue their use. For the former course of action the Danish agency is recommending pseudonymisation and notes that the French government, through its National Commission on Computing and Freedoms (CNIL), has laid out guidelines for the use of a reverse proxy.
