The Norwegian Data Protection Authority (Datatilsynet) has come to the preliminary conclusion that the use of Google Analytics may violate GDPR’s transfer rules. The authority expects to adopt a final decision on this matter at the earliest in late April. This decision may result in practically banning Google Analytics in Norway. However, nothing is confirmed yet, but we can take an educated guess based on the bigger picture. The issue is that the use of Google Analytics requires the transfer of personal data to Google LLC in California, which exposes data to the risk of State surveillance in the US. The GDPR and the Schrems II ruling of the EU Court of Justice require personal data to be protected through adequate safeguards against surveillance. However, noyb, the Austrian privacy-focused non-profit organization, claims that the data transfers lack these required safeguards. For this reason, the Austrian, French, and Italian authorities have already agreed with noyb, and the Danish and Finnish ones embraced the same position in different circumstances.
The use of Google Analytics is not allowed under GDPR if it violates data protection rules. Therefore, if Norwegian authorities confirm their preliminary conclusion, Norway will become the first non-EU country to rule against Google Analytics on the issue of data transfers. Additionally, it is essential to note that many US-based services require transfers of personal data and may come under fire next.
The Norwegian agency refers to a previous decision from Denmark that mentions using a reverse proxy such as Filterly, as a potential solution. You can read the full announcement here (only available in Norwegian):
https://www.datatilsynet.no/aktuelt/aktuelle-nyheter-2023/varsel-om-vedtak-i-google-analytics-saken/
If you have further questions about using Google Analytics in Norway please contact us or reach out to our Norwegian partner, Semway.