This browser is not actively supported anymore. For the best passle experience, we strongly recommend you upgrade your browser.
Insights Insights
| 1 minute read

Denmark Rules Against Use of Google Analytics

Following similar decisions in three other countries, the Danish data regulator in September ruled against the use of Google Analytics outside the EU unless the user implements additional protective measures. The cases that produced the rulings have been filed by a consumer advocacy group focused on transfers of EU data to Facebook and Google in the US, where it is feared that US authorities will have access to the data.

Why It Matters

Although the Danish ruling, like the others before it, focuses on "big tech," the Danish regulator says explicitly that Google's customers in Denmark must use supplemental measures in order to employ the service lawfully. Since many small and medium-sized US businesses use Google Analytics on their websites, and may be doing business in Denmark, this is a potentially very broad ruling.  

Specifically, the Danish authorities recommend pseudonymization -- in addition to toggling on new privacy controls that Google supplies -- but warn as follows:

you must put in place a plan to bring your use of [Google Analytics] into compliance by implementing supplementary measures.


If it is not possible to implement effective supplementary measures, you must stop using the tool and, if necessary, find another tool that can provide web analytics and allows for compliance with data protection law[.] (Emphasis added.)

The Danish decision and suggested measures are here.

[T]he Danish Data Protection Agency concluded that Google's popular analytics tool is unlawful because it enables companies to send personal data outside the EU without adequate protections. Therefore, organizations in Denmark can't continue to use the tool without certain "supplementary measures," including implementing the data de-identification measure known as pseudonymization, according to the regulator. The Danish authority's findings come on the heels of the data protection authorities in Austria, France and Italy issuing separate decisions during the past year that similarly declared that the use of Google Analytics violates the bloc's General Data Protection Regulation. While the regulators decided these matters "individually," their rulings "represent a common European position among the supervisory authorities" on the topic, according to Denmark's regulator.


data security and privacy, hill_mitzi, insights