• Blog
  • Norwegian Data Protection Authority's Conclusion on Google Analytics Violation Under GDPR

Norwegian DPA's Verdict on Google Analytics

Simon Coulthard March 01, 2023

2 Minute Read

The Norwegian data protection agency, in a still-pending complaint coordinated by Noyb, came to the preliminary conclusion that the usage of Google Analytics was in violation of the GDPR's transfer requirements. 

Before a formal decision is made, the parties to the cases are given the chance to remark on the matter.

The findings were made public on March 1, on its website, and it plans to adopt a final judgment from late April.

The Background of Google Analytics Violations

The Noyb organization has complained to the EEA's data supervisory authorities about a number of European websites. According to Noyb, websites that use Google Analytics, an American analytic tool, violate the General Data Protection Regulation (GDPR) by sending users' personal data outside of the European Economic Area.

The Norwegian website telenor.com, one of the ones that received complaints, formerly made use of Google Analytics. As a result, the Norwegian Data Protection Authority analyzed the situation. 

Their initial finding is that the transfer regulations of the GDPR were broken by the usage of Google Analytics. In order to provide the parties in the case a chance to comment on the results before we reach a decision, Datastylnet has now sent them prior notice.

The European Data Protection Board (EDPB) has created a separate working group to manage complaints because there have been so many at the European level about the use of Google Analytics. The GDPR must be interpreted uniformly across the EEA by the data supervisory authorities.

The usage of Google Analytics violates privacy laws, according to decisions made by the data supervisory authorities of Austria, France, Italy, and Denmark as well as the data supervisory authority for EU entities (EDPS). 

“Norway is clearly in line with the rest of Europe under noyb's opinion on the use of Google Analytics”, said Tobias Judin, section manager at Datailsynet.

The data supervisory authority in Liechtenstein has also expressed concerns about the tool, and the Danish Data Protection Authority likewise comes to the same conclusion in a guidance on the subject.


What Did the Authorities Recommend?

There may be repercussions for other Norwegian websites if the Norwegian Data Protection Authority rules that the website's usage of Google Analytics violated the GDPR. Thus, they again urge people to look into Google Analytics' alternatives.

When a decision has been taken, they will give more specific information on what is applicable and what they anticipate from Norwegian websites. At the earliest, this might not happen until the end of April.

If you’re interested in finding an alternative, TWIPLA is a GDPR-compliant website intelligence platform. Privacy by design ensures that it meet's the requirements of this strict data privacy law, and can be used without creating data privacy compliance work.

It also provides various levels of privacy protection you can make use of depending on the country’s law.

Get Started for Free

Gain World-Class Insights & Offer Innovative Privacy & Security