Google Analytics always sends data to the US.

Google Analytics is still the most popular website tool for spying on user behavior.

A few days ago, Google made a surprising admission. Since then, it has been indisputable that all data collected with Google Analytics on a website is always sent to the USA and processed there.

Why did Google admit to this?

The trigger was a complaint by the  data protection organization noyb against Google to the Austrian supervisory authority. The authority then asked Google over 20 questions.

Google responded to the questions often evasively, frequently ignorantly, and incompletely. That Google proclaimed the exclusive data storage in the USA for Google Analytics data is relatively easy to explain. I need to elaborate on this a bit.

What is the legal situation?

Since the ECJ ruling on the Privacy Shield, also known as the “Schrems II” ruling, the USA is considered an unsafe third country. A transfer of personal data to the USA requires consent.

On websites, a transfer of personal data always takes place because the user’s network address, the IP address, is considered personal data according to a supreme court ruling.

The USA is considered an unsafe third country because legal measures there allow American authorities, such as intelligence agencies, to access data from American companies. If an American company stores customer data from Germans, America can access it.

The legal measures that legitimize intelligence agencies for secret data access are particularly the FISA Act and the Executive Order EO12333. In its response to the supervisory authority, Google clarified that these regulations only permit access to data stored outside the USA.

Google's logic is therefore: We store all data in the USA, so no access can occur based on FISA and EO12333. Thus, the data is safe with us.

However, this is not entirely true, but it is probably the best possible argument that Google can present. The creativity of this statement from Google likely correlates somehow with the salaries of Google’s lawyers. Nevertheless, Google has thereby admitted what many already knew but could not prove.

Are the data safe in the USA?

The better question is whether data sent to and stored in the USA by Google Analytics is safe.

Obviously, analytical data is generated in Europe when a European opens a website that uses Google Analytics. Google collects this data through a so-called collector.

A collector is a server that is ideally located in the geographical proximity of the user and receives the data from the endpoint. The data is then sent to the USA.

This is obviously, one might ironically note, inherently illegal without consent. Besides, affected individuals must be informed about this, which likely does not happen. Additionally, under the GDPR, every affected individual must have a right to object. The NSA probably does not recognize this term either.

This is obviously, one might ironically note, inherently illegal without consent. Besides, affected individuals must be informed about this, which likely does not happen. Additionally, under the GDPR, every affected person must have a right to object. The NSA probably does not know this term either.

Consent requirement for Google Analytics

Due to the global data collection and data transfers to the USA, consent for Google Analytics should be obtained before the tool is loaded.

In its current standard configuration, Google (Universal) Analytics uses cookies. According to § 15 Abs. 3 TMG, this requires consent. Reasoning:

• The cookies are set and read by Google Analytics.
• The values of the cookies are sent to Google servers.
• The cookies are not technically necessary. Proof: Google Analytics can also be operated without cookies.
• The ePrivacy Directive requires consent for this in Art. 5 Abs. 3. It is irrelevant what data is stored in the cookies. They do not even have to be personal data.
• The TMG must be interpreted according to the ePrivacy Directive, as per the BGH ruling of May 28, 2020 – I ZR 7/16 (“Planet49”).

With Google, it is also possibly impossible to conclude an effective DPA (Data Processing Agreement) because the subcontractors are distributed worldwide, Google "possibly" deletes data only after two months upon request, and so on.

All this is sufficient to assume a general requirement for consent for Google Analytics, even if no cookies are used.

Information about Google Analytics

Anyone who has looked at Google's privacy notices and the contractual framework for Google Analytics is probably just as confused as before. Google's statements are so convoluted, spread across various documents, vague, and ambiguous that transparent information on this seems impossible.

According to Article 12 GDPR, there must be transparent and understandable information about data processing with Google Analytics.

Conclusion

Obtaining valid consent for Google Analytics seems difficult. These so-called cookie pop-ups on websites are not only annoying but are also usually legally invalid in practice.

Without consent, Google Analytics could only be used if cookies are not used. However, the data quality would be questionable because Google Analytics is not optimized for this mode of operation.

A privacy-friendly analysis of website visitors is possible with tools like Trackboxx. Without cookies and without significant fingerprinting, no consent is required. The focus here is on ease of use, which is certainly not the case with Google Analytics. Anyone who has looked at the Google Analytics dashboard will still not have understood everything even after hours.

Additionally, I believe we should prefer German providers and stop providing free data to Google as soon as possible.

Anyone who has ever had a support case or a general question for a corporation will know the feeling of not having received a proper answer. In my experience, local providers are significantly more customer-friendly and have a better understanding of the service provider mentality.