Is Google Analytics Illegal in the EU?

Multiple EU data protection authorities have ruled that using Google Analytics violates the GDPR because it transfers European visitors' personal data to the United States, where it is exposed to surveillance under FISA 702. Austria, France, Italy, Denmark, Norway, and Finland have all issued formal decisions. This article traces the legal chain from Schrems II to each national ruling and explains what it means for your website today.

7 min read · 12 sources · Published 2026-03-28

Key Takeaways

  • The Austrian DSB was first to rule Google Analytics non-compliant in January 2022, finding that the tool transfers personal data to the US without adequate safeguards against government surveillance.
  • France (CNIL), Italy (Garante), Denmark (Datatilsynet), Norway (Datatilsynet), and Finland (Tietosuojavaltuutettu) followed with similar rulings throughout 2022, all grounded in the CJEU Schrems II judgment.
  • Google's server-side tagging and consent mode v2 do not solve the fundamental legal problem: personal data still reaches servers controlled by a US company subject to FISA 702 and the CLOUD Act.
  • The EU-US Data Privacy Framework (2023) provides a new legal basis, but it faces legal challenges and does not change the underlying surveillance architecture. European alternatives avoid the issue entirely.

The Legal Foundation: Schrems II

Every ruling against Google Analytics traces back to one case: the Court of Justice of the European Union's judgment in Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (Case C-311/18), delivered on 16 July 2020. The CJEU invalidated the EU-US Privacy Shield framework, finding that US surveillance programmes, particularly those under Section 702 of the Foreign Intelligence Surveillance Act (FISA), are incompatible with the fundamental rights of EU data subjects.

The court found that US law does not provide EU citizens with rights equivalent to those guaranteed by the Charter of Fundamental Rights of the European Union, specifically the right to an effective judicial remedy and the right to privacy. This meant that any transfer of personal data to the US required additional "supplementary measures" to bring the level of protection up to EU standards. The CJEU left it to data controllers to assess whether such measures were feasible.

For Google Analytics, this created an immediate problem. The tool works by embedding a JavaScript tag on your website that collects data about every visitor, including IP addresses, device identifiers, browsing behaviour, and interaction patterns, and transmits it to Google's servers. Even with IP anonymisation enabled, the full IP address is briefly processed by Google before truncation, and the combination of other identifiers (client ID, session data, browser fingerprint) constitutes personal data under GDPR Article 4(1). Since Google LLC is a US company subject to FISA 702, any data reaching its servers is accessible to US intelligence agencies without the knowledge or consent of the data subject.

The Domino Effect: Six Countries Rule Against Google Analytics

The privacy advocacy organisation noyb (None of Your Business), founded by Max Schrems, filed 101 identical complaints across the EU and EEA in August 2020, each targeting a different website's use of Google Analytics and Facebook Connect. These complaints forced data protection authorities across Europe to assess whether Google Analytics transfers comply with GDPR after Schrems II.

The rulings came in rapid succession:

Austria (DSB), January 2022. The Austrian data protection authority was first. In its decision of 22 December 2021 (published January 2022), the DSB found that an Austrian health website's use of Google Analytics violated GDPR Article 44 by transferring personal data to the US without adequate safeguards. The DSB rejected Google's Standard Contractual Clauses as insufficient, noting that no supplementary measures could prevent US government access under FISA 702. The authority explicitly found that Google Analytics cookies and the associated unique identifiers constitute personal data.

France (CNIL), February 2022. The CNIL followed on 10 February 2022, issuing a formal notice to an unnamed French website operator ordering it to bring its use of Google Analytics into compliance or cease using the tool entirely. The CNIL's analysis mirrored Austria's: the data transferred to Google constitutes personal data, the transfer lacks adequate safeguards, and Google's supplementary measures (encryption in transit, internal access controls) are insufficient because Google itself holds the encryption keys and can be compelled to provide data to US authorities.

Italy (Garante), June 2022. The Italian data protection authority ruled in June 2022 that an Italian web publisher's use of Google Analytics violated GDPR transfer rules. The Garante gave the company 90 days to comply and issued a public warning to all Italian website operators that using Google Analytics "without the safeguards set out in the EU Regulation on the protection of personal data" is unlawful.

[Figure: Google Analytics data flow to US servers compared with EU analytics data flow staying within the EU]

Denmark (Datatilsynet), September 2022. The Danish DPA published its decision in September 2022, concluding that a Danish municipality's use of Google Analytics was unlawful. The Datatilsynet specifically noted that Google's server-side adjustments did not change the fundamental problem: a US entity processes the data.

Norway (Datatilsynet), November 2022. Norway's data protection authority issued its advance notice in November 2022, finding preliminary evidence that Google Analytics use by a Norwegian entity violated GDPR transfer provisions. The Norwegian Datatilsynet aligned its reasoning with the Austrian and French decisions.

Finland (Tietosuojavaltuutettu), December 2022. The Finnish data protection ombudsman reached the same conclusion in its assessment, finding that website operators using Google Analytics transfer personal data to the US in a manner that fails to meet GDPR Chapter V requirements.

The pattern is unambiguous. Six independent national authorities, applying the same CJEU precedent, reached the same conclusion: Google Analytics, as normally implemented, violates the GDPR.

What About Google Consent Mode v2 and Server-Side Tagging?

Google has introduced two features that are frequently cited as solutions: Consent Mode v2 and server-side tagging via Google Tag Manager. Neither addresses the core legal issue.

Consent Mode v2 modifies how Google tags behave when a user declines consent. In "advanced" mode, it sends cookieless pings to Google even without consent, using these signals for "conversion modelling" and "behavioural modelling." The Danish Datatilsynet and other DPAs have flagged that even these cookieless pings can transmit personal data (IP addresses, request headers) to Google servers. The CNIL's technical analysis concluded that IP addresses transmitted during cookieless pings are personal data, and their transfer to Google LLC in the US faces the same Schrems II problem.

Server-side tagging routes analytics data through your own server (or a Google Cloud server in the EU) before it reaches Google's analytics infrastructure. This adds a proxy layer but does not change the destination. The data still ends up with Google LLC, a US entity subject to FISA 702. Moving the first hop to an EU server does not change the jurisdictional exposure of the final recipient. As the Austrian DSB noted in its ruling, the relevant question is not where the data is initially processed but whether the data controller (Google) is subject to US surveillance law.

In practical terms, these features are privacy theatre. They make the data flow more complex but do not change the legal analysis. If you need GDPR-compliant analytics, the only reliable approach is to use a tool that does not send personal data to a US entity at all.

The Data Privacy Framework: A Lasting Fix?

On 10 July 2023, the European Commission adopted an adequacy decision for the EU-US Data Privacy Framework (DPF) under Implementing Decision (EU) 2023/1795. Google LLC is a certified participant in the DPF, which in theory provides a valid legal basis for EU-to-US data transfers.

However, there are significant reasons not to treat the DPF as a permanent solution:

  • Legal challenge is expected. noyb announced in July 2023 that it intends to challenge the DPF before the CJEU, arguing that Executive Order 14086 (the US executive order underpinning the DPF) does not materially change the surveillance architecture that led the court to invalidate Privacy Shield. If the CJEU strikes down the DPF (a "Schrems III" scenario), any transfers relying on it would become unlawful overnight.
  • Executive orders are revocable. The DPF's safeguards rest on an executive order, not legislation. A future US administration could modify or revoke EO 14086 without Congressional approval. This creates regulatory uncertainty that no adequacy decision can fully resolve.
  • FISA 702 was reauthorised. In April 2024, the US Congress reauthorised and expanded FISA Section 702 through the Reforming Intelligence and Securing America Act (RISAA), extending the programme through April 2026 and broadening the definition of "electronic communications service provider." This expansion directly undermines the DPF's claim that US surveillance is proportionate.

For organisations making infrastructure decisions today, relying on the DPF as the sole basis for using Google Analytics is a bet on legal stability that the last two decades of EU-US data transfer history do not support. The safer strategy is to use analytics tools that keep data within EU jurisdiction entirely, eliminating transfer risk regardless of what happens to the DPF.

What You Should Do Instead

The good news is that European analytics alternatives are not just compliant; they are often technically superior for most use cases. Tools like Plausible Analytics, Simple Analytics, Pirsch, Piwik PRO, and TelemetryDeck are built in Europe, process data exclusively on EU servers, and most require no cookie consent banners because they do not use cookies.

Switching is straightforward. Most EU analytics tools can be installed by replacing a single script tag. Plausible and Piwik PRO support importing historical data from Google Analytics, so you do not lose your baseline metrics. The script sizes are dramatically smaller (Plausible is under 1 KB versus Google Analytics at approximately 45 KB), which directly improves page load times and Core Web Vitals scores, a factor that itself affects search rankings.

For a detailed comparison of which EU analytics tool fits your needs, see our feature-by-feature comparison of EU alternatives to Google Analytics. If you want to understand the technical approaches that make cookie-free analytics possible, read our guide to cookie-free analytics and GDPR compliance.

For the broader legal context, our analysis of GDPR enforcement trends covers the full picture of fines and regulatory direction, and our explainers on the CLOUD Act and FISA 702 surveillance detail the US laws that create the structural conflict with European data protection.

Frequently Asked Questions

Is Google Analytics illegal in Europe?

Multiple EU data protection authorities, including Austria, France, Italy, Denmark, Norway, and Finland, have ruled that using Google Analytics in its standard configuration violates the GDPR because it transfers personal data to the United States without adequate safeguards against government surveillance.

Does the EU-US Data Privacy Framework make Google Analytics legal again?

The DPF adopted in July 2023 provides a new legal basis for transfers to certified US companies including Google. However, privacy advocates have signalled plans to challenge the DPF before the CJEU, and the 2024 expansion of FISA 702 surveillance powers undermines its core claims. Relying solely on the DPF carries regulatory risk.

Can server-side tagging or Google Consent Mode v2 fix the compliance problem?

No. Server-side tagging routes data through an EU proxy but it still ends up with Google LLC, a US entity subject to FISA 702. Consent Mode v2 can still send personal data (IP addresses) to Google even without user consent. Neither changes the fundamental jurisdictional exposure.

What should I use instead of Google Analytics in the EU?

European alternatives include Plausible Analytics (Estonia), Simple Analytics (Netherlands), Piwik PRO (Poland), Pirsch Analytics (Germany), and TelemetryDeck (Germany). Most are cookie-free, require no consent banners, and process all data on EU servers. Plausible and Piwik PRO support importing historical Google Analytics data.

Can I be fined for using Google Analytics?

Yes. Under GDPR, data controllers (website operators) are responsible for ensuring compliant data transfers. DPA decisions have been directed at website operators, not Google. GDPR fines can reach up to 4 percent of global annual turnover or 20 million euros, whichever is higher.
