European Martech
Back to Blog
GDPR2026-03-19·5 min read

Google Analytics Has Been Ruled Illegal in These EU Countries

Multiple EU data protection authorities have found Google Analytics non-compliant with GDPR. Here's what happened, what changed, and what European alternatives exist.

Google Analytics Has Been Ruled Illegal in These EU Countries
Photo by Werner Pfennig on Pexels

Between January 2022 and mid-2023, data protection authorities across the EU issued a series of rulings declaring the use of Google Analytics in violation of the GDPR. These rulings — coordinated through an EDPB task force — marked a turning point for European businesses relying on US-based analytics tools.

Here's a factual breakdown of what happened, where things stand now, and what alternatives are available.

The Rulings: Country by Country

The rulings stemmed from 101 model complaints filed by noyb (the privacy organization led by Max Schrems) in August 2020, following the landmark Schrems II decision that invalidated the EU-US Privacy Shield.

Austria — January 2022

Austria's DSB (Datenschutzbehorde) was the first EU DPA to rule against Google Analytics. The decision found that a website operator's use of Google Analytics violated GDPR Articles 44-49 because data transfers to Google in the US lacked adequate safeguards. No fine was imposed — it was a declaratory decision.

France — February 2022

France's CNIL issued a formal notice to an unnamed website operator, ruling that Google Analytics constituted an unlawful transfer of personal data to the US. CNIL gave operators one month to comply and subsequently issued multiple similar decisions.

Italy — June 2022

Italy's Garante ruled against Caffeina Media S.r.l., finding that Google Analytics transferred personal data to the US without adequate protection. The company was given 90 days to bring its operations into compliance.

Denmark — September 2022

Denmark's Datatilsynet concluded that specific Google Analytics implementations it examined were non-compliant. The Danish approach was more nuanced — it addressed specific configurations rather than issuing a blanket ban.

Sweden — June 2023

Sweden's IMY (Integritetsskyddsmyndigheten) went the furthest, issuing actual fines:

  • Tele2: ~SEK 12 million (~EUR 1 million)
  • CDON: ~SEK 300,000 (~EUR 25,000)
  • Dagens Industri: ~SEK 1 million
  • Akademibokhandeln: ~SEK 500,000

These were among the first financial penalties issued for Google Analytics use in the EU.

The Core Legal Issue

The DPA rulings were not primarily about cookies or IP addresses. The fundamental problem was data transfers to the United States.

Under US law — specifically FISA Section 702 and Executive Order 12333 — US-based companies like Google can be compelled to provide data to US intelligence agencies. The Schrems II ruling found that this level of government access was incompatible with EU fundamental rights, and that Standard Contractual Clauses (SCCs) alone could not fix the problem.

The key finding across all rulings: even pseudonymous identifiers (like Google Analytics client IDs) constitute personal data, and transferring them to a US-based company subject to US surveillance laws violated GDPR.

What Changed: The EU-US Data Privacy Framework

On July 10, 2023, the European Commission adopted an adequacy decision for the EU-US Data Privacy Framework (DPF). This was based on Executive Order 14086, signed by President Biden in October 2022, which introduced new safeguards including a Data Protection Review Court (DPRC).

Google LLC is certified under the DPF, which means data transfers to Google now have a legal basis — provided the DPF remains valid.

Is the DPF Stable?

The DPF's long-term viability is uncertain. Its two predecessors — Safe Harbor (2000-2015) and Privacy Shield (2016-2020) — were both struck down by the CJEU.

Key risk factors:

  • noyb has signaled its intent to challenge the DPF at the CJEU (a potential "Schrems III" case)
  • The European Parliament passed a resolution in 2024 expressing concerns about the DPF's durability
  • Changes in the US political landscape raise questions about whether the institutional safeguards underpinning the DPF will be maintained
  • The Privacy and Civil Liberties Oversight Board (PCLOB), a key safeguard in the DPF framework, has faced staffing concerns

For European businesses, this creates a practical dilemma: Google Analytics is technically legal under the DPF today, but the legal basis could be invalidated — again — by a CJEU ruling.

What About Google Analytics 4?

Google Analytics 4 (GA4) replaced Universal Analytics in July 2023 and introduced several privacy improvements:

  • IP anonymization enabled by default
  • EU-based data storage options
  • Consent Mode v2 (required from March 2024 for EEA traffic)
  • Reduced data retention

However, CNIL clarified that these technical improvements alone were not sufficient to resolve the transfer problem. The DPF adequacy decision — not GA4's features — is what provides the legal basis for compliance.

European Alternatives to Google Analytics

Rather than depending on a legal framework with an uncertain future, many European businesses are switching to analytics tools that store data exclusively in the EU.

Privacy-First Analytics

  • Plausible Analytics — Lightweight, open-source, cookie-free analytics. Fully GDPR compliant with EU data hosting. No consent banner required.
  • Fathom Analytics — Simple, fast analytics with EU data isolation. Cookie-free and privacy-focused.
  • Pirsch Analytics — German-built, cookie-free analytics with EU-only data processing.
  • Simple Analytics — Privacy-first analytics from the Netherlands. No cookies, no personal data collection.

Full-Featured Analytics Platforms

  • Matomo — Leading open-source analytics platform. Self-host in the EU or use Matomo Cloud with EU hosting. Feature-rich alternative with full GA-equivalent reporting.
  • Piwik PRO — Enterprise analytics suite from Poland with EU-only data processing, consent management, and a customer data platform.
  • TWIPLA — Web analytics with heatmaps and session recording. EU data hosting.

Behavior Analytics

  • Mouseflow — Heatmaps, session replay, and behavior analytics. Danish company with EU-only data processing.
  • Smartlook — Session recording and analytics. Czech company with EU hosting.

All of these tools are listed in our Google Analytics alternatives directory with verified GDPR compliance data.

What Should You Do?

  1. Audit your current setup. Check whether your Google Analytics implementation transfers data outside the EU and whether you have proper consent mechanisms in place.

  2. Assess your risk tolerance. If the DPF is invalidated, you could find yourself in the same position Austrian and French website operators were in 2022 — non-compliant overnight.

  3. Evaluate European alternatives. Tools like Plausible, Matomo, and Fathom provide analytics without cross-border data transfer concerns. Many don't require cookie consent banners at all.

  4. Document your decisions. Whatever you choose, maintain records of your Transfer Impact Assessment and the legal basis for any data transfers.

The DPA rulings of 2022-2023 established a clear precedent: European regulators are willing to enforce GDPR's data transfer rules against widely-used tools. Whether Google Analytics remains legal in Europe depends entirely on the durability of the DPF — and history suggests that's not something to take for granted.

Browse our full Web Analytics category to compare European analytics tools with verified GDPR compliance data, EU hosting, and pricing information.

Looking for GDPR-compliant alternatives?

Browse our directory of European marketing tools — all verified for GDPR compliance and EU data hosting.