Does the use of Google Analytics violate GDPR?

If you haven’t had a chance to see the recent ruling made by Austrian Data Protection Authority concerning a website’s use of Google Analytics violating GDPR we recommend you do:

Austrian DSB: EU-US data transfers to Google Analytics illegal (

Here’s our take on the recent ruling

In 2020, the European Court of Justice decided that the use of US providers violates GDPR. This recent ruling specifically points to the use of Google Analytics alone as violating GDPR.

Due to its free entry level and widespread adoption, Google Analytics may be an obvious choice to utilise for your website. However, it is currently not fit for purpose. How can that be when the application uses data encryption, offers IP anonymisation, etc? Well, the issue is far greater than not having anonymizeIp set to true. It comes down to how and where data is processed and who owns those servers.

With Google Analytics you push user data with variables “ga(‘set’, ‘anonymizeIp’, true);” to the external JavaScript Google provides. Each client connects directly to Google Analytics revealing their IP address in step 1, downloading a JavaScript where you can manually set a variable to return IP data anonymised. The client will return this information directly to Google Analytics in step 2.

So, you may well see it anonymised, but Google is still processing the user data with IP address and only anonymising for us. A controller is still not allowed to process or store any personally identifiable information on US cloud services where the encryption is not solely managed by that controller.

So, what do we need to consider?

  • Check that the company you are buying services from is located outside the US
  • Ensure no personally identifiable information is being stored or processed within the US without being highly encrypted and with you in control of the encryption and keys before it is stored there.

If you are designing a SaaS product, consider your infrastructure and cloud service provider

Data security is a key consideration for any product, but it becomes even more important when personally identifiable information (PII) is involved. Then, you must consider how and where that data is processed and who owns those servers.

Even if you must export some data outside of Europe, utilising European servers to process and encrypt a European’s user data before it is stored anywhere else can be part of the solution.

At Klikk, we care about security and privacy. We are a cloud provider offering state-of-the-art firewalls and modern hardware stored in secure Norwegian data centres. We aren’t in the business of selling data – just great cloud services – so when you’re utilising our infrastructure you can control and process the data at speed without us wanting to peek.

Check out our cloud VPS offering