Sep 29

Danish Data Protection Authority hits Google Analytics

DP News – Week 39. Danish Data Protection Authority hits Google Analytics.

The Danish Data Protection Authority (Datatilsynet) has taken a closer look at the Google Analytics tool, its settings and, finally, at conditions under which the tool can legally be used.

The decision is clearly a follow-up to the previous rulings held by other EU supervisory authorities (France, Austria and Italy) earlier this year. Given the same subject matter of the complaints, the usage of GA in all cases was deemed illegal. Datatilsynet believes the decisions reflect a pan-European approach among national supervisory authorities. As it explains, “We have reviewed the options in Google Analytics carefully and have come to the conclusion that you cannot use the tool in its current form without taking additional measures”.

As the Datatilsynet suggests, one of the possible measures that could help is basically pseudonymisation before the data export that meets the criteria set by the EDPB in its recommendations 01/2020. Datatilsynet also mentions that the guidance from France’s data protection authority (CNIL) should be taken into account.

As CNIL earlier outlined, it is not sufficient to just change the processing settings of the IP address, nor would that be enough to use “encryption” of the identifier generated by Google Analytics to replace it with an identifier generated by the site operator. The reason for this is, as CNIL explains, ‘direct contact, via an HTTPS connection, between the individual’s terminal and servers managed by Google’, which results in these servers obtaining ‘the IP address of the Internet user as well as a lot of information about his terminal’.

The above issue might be addressed through “the use of a proxy server to avoid any direct contact between the Internet user’s terminal and the servers of the analytics tool”. The usage of proxy servers must not lead to the data being transferred outside of the EEA.

In additions, for the proxy to be valid, the following should take place:

  • the absence of transfer of the IP address to the servers of the analytics tool.
  • the replacement of the user identifier by the proxy server;
  • the removal of external referrer information from the site;
  • the removal of any parameters contained in the collected URLs (e.g. UTMs, but also URL parameters allowing internal routing of the site);
  • reprocessing of information that can be used to generate a fingerprint, such as user-agents, to remove the rarest configurations that can lead to re-identification;
  • the absence of collection of cross-site or lasting identifiers (CRM ID, unique ID);
  • the deletion of any other data that could lead to re-identification.
See more related posts »

Related blog posts

Learn together with +8000 privacy pros

Grow and improve with our best tips and tricks. No spam, ever.

  • Hidden