October 27, 2022
The Danish Data Protection Agency announced on September 21 that Google Analytics as a standard implementation does not comply with GDPR and therefore cannot be legally used without supplementary measures. The Danish Data Protection Agency thus follows the assessment of several other European authorities, France, Italy and Austria, which earlier this year announced the same verdict over Google Analytics. This is a significant tightening of the guidelines for GDPR, which will impact Danish companies and may influence even more European countries to follow.
Here are five takeaways to help you understand and navigate the recent ruling in Denmark:
- The reason for the Danish Data Protection Agency’s announcement is that it has concluded that data such as IP addresses sent to the U.S. can be traced back to the user despite the use of Google Analytics' built-in privacy measures. This is therefore considered a breach to the Schrems II legislation according to GDPR.
- In 2020, Schrems II rejected the existing data exchange agreement between the EU and the U.S. A new transatlantic data transfer agreement is being worked on, but it is currently uncertain when it will be ready and whether it will be approved by the European union and GDPR.
- As a starting point, this means that Google Analytics is no longer permitted to be used in Denmark without supplementary measures, such as a reverse-proxy server solution, which anonymizes the collected data before it is sent on to Google's American servers.
- The additional measures to become GDPR compliant can prove to be costly for the individual company, and the right solution therefore requires a thorough individual assessment to find the best solution.
- It is important to decide how your company will act based on the new assessment, whether being a Danish or European Country, and to have a plan in place to become GDPR compliant.
If you need advice to clarify the optimal solution for your company to become GDPR compliant, or if you want to have a clear backup plan in place in case the authority in your country chooses to follow the conclusion from Denmark, Austria, France and Italy, we at Valtech are here to help.
We have already advised and supported multiple other clients within the European Union to become GDPR compliant and navigate the everchanging waters of GDPR. Grab us for a chat:
Thomas Ø. Christensen
Rie Kühn Bagge-Nielsen