Currently, four European countries have banned the use of Google Analytics at institutional level. These are France, Italy, Austria and the Netherlands.
The main issue among European data protection authorities is the transfer of personal data of users – citizens of the European Union to the United States. Google Analytics collects personal user data (device IP address, browser information, device operating system, screen resolution, language selection) and transfers this personal data to servers located in the United States. US surveillance laws require US providers (e.g. Google or Facebook) to provide personal data to US authorities (federal and state authorities). At the moment, there is still no agreement between the EU and the US on the protection of personal data.
According to the decision of the Italian regulator (GPDP), the use of Google Analytics violates the provisions of Art. 5.1 (a) (principle of legality, good faith and transparency of processing), Art. 5.2 (principle of accountability), Art. 13.1 (f) (principle of transparency), Art. 24 (the responsibility of the administrator), Art. 44 and 46 (measures for the transfer of personal data to third countries and the principle of cross-border) of the GDPR.
From a technical point of view – yes, but in practice this may not be entirely possible.
The French regulator (CNIL) gives several options where the use of Google Analytics by EU- based site owners is possible only if the following requirements are met:
However, the position of the Austrian regulator (DSB) is as follows:
It should be noted that Google Analytics is not the only application for which this problem exists. However, they are the biggest and can be used as an example/warning for other companies.
GA4 processes IP addresses for geolocation, but no longer stores IP addresses. GA4 allows disabling Google Signals to prevent linking to Google accounts. GA4 allows configuring the granularity of geographic and device data collected (e.g. screen resolution requiring consent).
The new changes will solve some of the problems, but it is not yet clear whether this will be enough and whether it will make the application compatible with the requirements of the Personal Data Protection Regulation. There are still a number of features that need to be turned off to make GA4 100 % compatible, but this may result in a loss of data accuracy and functionality, and the issue of cross-border transfer of personal data is still there.
In view of the decisions of the regulatory authorities, it may be impossible to use Google Analytics in this configuration, and any legal framework in this direction is still very far away, or at least it is not clear when it will be put in place.
Оther options are used in practice, in which data exchange is controlled. There are programs whose servers are based in the EU or the data that is collected by the application is collected on a server of the site owner. Alternative applications are some open-source applications in which personal data is stored on the site owner`s server. We cannot recommend which application will be better than the others, but it is mandatory, when choosing one, to consider where the personal data obtained through them are stored and whether they leave the borders of the European Union.
In summary, at the moment there are no specific obstacles to the use of Google Analytics in Bulgaria, but there is a tendency to restrict its use in other European countries.
This Statement does not constitute legal advice or consultation but is rather an expression of Dimitrova, Staykova & Partners Law Firm team’s opinion.