EU-owned proxy server for sGTM or how to use Google Analytics GDPR compliant way

Europe has been hit with a series of Google Analytics restrictions in recent months. There are several incidents in different countries, but the most widely spread incidence was related to the regulations in Italy, France, and Austria, where data protection regulators said that the use of Google Analytics is not GDPR compliant.

In this article, I want to talk about the regulations prohibiting the data transfer of European users to US companies. I will also cover how you can use Stape Europe to set up an EU proxy server for server GTM that will help make the use of Google Analytics GDPR compliant.

What is the backstoryCopy link to this section

The legal story of data sharing between EU and US companies started in 2016 when the European Commission approved the Privacy Shield (a legal framework that regulates data transfer for commercial purposes between US and EU companies). 

In 2020 the European Court of Justice declared that Privacy Shield has a disability. It happened since US law does not offer sufficient personal data protection for European residents.

The extensive discussion in this ruling was about Google services (like Google Analytics or Google Fonts) which can’t guarantee that EU user data is safe. 

Regulators declared that asking for user consent (or standard contractual clauses) on the site and triggering a US-based intelligent tracking tool based on user consent won’t make it GDPR compliant. 

What are the privacy rulesCopy link to this section

The two most famous incidents related to data transfer of EU users to the US were in Italy and France. Let’s start with the French one. 

The French data protection authority (CNIL) received complaints from French users who asked if the use of Google Analytics (an intelligence tool that belongs to the USA company) complies with the GDPR rules. 

The CNIL stated that using Google Analytics by French websites resulted in a data transfer of European users to US companies. This violates the GDPR rules since US companies do not provide enough evidence that the personal data of EU users are safe. Besides that, the CNIL has confirmed that Google's implementation of SCCs is not enough to meet the GDPR requirements. 

The situation in Italy is somehow similar. The Italian SA regulator received questions from several users on whether a particular Italian site's use of Google Analytics falls under the GDPR. After the lengthy investigations, the Italian regulator warned companies to stop using Google Analytics or set up GA in a GDPR-compliant way in 90 days. 

Besides that, the Italian regulator released a public notice that they received multiple complaints about the data transfer to the USA companies. All Italian website owners should consider this in implementing US-based intelligent tracking tools. Otherwise, penalties may be applied. 

So, to sum up, the data transfer of EU users to US companies is not GDPR compliant. The biggest question relates to using Google Analytics since it’s the most widely spread analytics tool. 

What methods DO NOT make Google Analytics GDPR compliantCopy link to this section

Data encryption. 

The Italian regulator says that transferring encrypted data is not an acceptable way and can’t guarantee user data protection. The reason is that encryption technology expects encryption keys on Google's side that can be used to see and process raw user data. So as long as the encryption key is available to the Data importer (in this case, Google), this method cannot be considered GDPR compliant. 

Built-in Google Analytics features that remove PII.

Google tried to adapt to the EU privacy rules by implementing features designed to anonymize user data. EU regulators said that in practice, such technologies as redacting user IP might have close to zero effect on preventing user identification. Mainly because of constant IP processing by Google. 

User consent.

Google Analytics is still not GDPR if a user consents to analytics cookies. They stated that data transfer to US companies and consent are different. User consent does not help fix the issue with data transfer outside the EU. 

What is the solutionCopy link to this section

According to both regulators, the possible solution is to use an EU proxy-server. This proxy-server aims to break the interaction of US intelligence tracking tools with user browsers. One of the ways, and maybe the easiest, to implement such proxy-server is using server Google Tag Manager.

Proxy servers have to meet a set of criteria. The two most important are:

• A company that owns a proxy-server must be registered in the EU
• The proxy server must be physically located in the EU

While the point about EU-registered companies is clear, you can quickly check where a company is registered on their website or by checking public register directories. The second point might be tricky. 

The main misunderstanding comes about the use of Google Cloud for sGTM. You CAN’T use Google Cloud as a proxy server for your sGTM. When setting up a proxy server (which can be a server Google Tag Manager), not only the server zone should be in Europe, but the physical server must be located in Europe and owned by a European company. Google is not an EU company, meaning it does not satisfy two main criteria. 

The bad news is that using a 100% EU proxy server for your server Google Tag Manager is insufficient. You must remove any user data used to fingerprint or identify users by the analytics platform. You must also pseudo-anonymize user data before sending it to the US tracking tool. 

Here are some examples of data that should be removed before sending it:Copy link to this section

1. IP address.

You must remove the IP address from the request to make sure that it can’t be used to identify users. Simply cutting the IP won’t work as it can still be used to identify areas where the user is. 

2. User identifiers. 

When a user visits your site, Google generates a unique client ID that identifies the user browser-device pair and is stored in cookies. Client ID generated by Google must be removed, though you can still use a randomly generated client ID. 

3. External referrer.

You must remove any data about the website the user visited before landing on your site. Usually, this data carries information on whether visitors landed on your site by clicking a link in someone’s blog post, organic search, etc. 

4. URL parameter. 

Often, URL parameters contain information (utm_parameters) about the source, medium, campaign, or click id. Besides that, some websites insert user data (like email, name, phone) into the URL. No matter what URL parameters your site carries, it must be removed. 

5. Any data that can be used for fingerprinting.

A bunch of data can be used for fingerprinting; for now, there is no clear information on what data regulators count as the ones that can be used for fingerprinting. However, it may include browser, device, model, language settings, screen resolution, etc. 

6. Cross-site identifier. 

Basically, any ID can identify the same user on a different website. It might be a user ID, user ID in CRM, user email, etc. 

7. Any data that could be used for user identification. 

Any information about the user. 

For now, there is no way to automate removing all the parameters described above. All these must be manually replaced using the server Google Tag Manager interface. 

How stape can help youCopy link to this section

To address these tracking challenges, we create a new product - Stape Europe. Stape Europe is a European company (registered in Estonia) that uses a 100% EU cloud servers provider Scaleway to host server GTM containers. 

We cover all questions related to the EU-owned proxy server. When setting up an sGTM container using Stape Europe, you do not transfer any data to the US company since Stape Europe itself is an EU-registered company, and we use servers that are physically located in Europe. 

Unfortunately, for now, we do not have a solution for automated user data removal. Though our team is working hard to implement features that will help to remove PII automatically, or at least we will make your life easier by removing some of the PII automatically. 

Conclusion:Copy link to this section

A lot of work must be done to make using Google Analytics GDPR compliant. It might be a real pain if you are unfamiliar with server-side tagging. 

The good thing is that with Stape Europe, you do not need to worry about EU proxy-server. You can directly dive into data anonymisation in the server Google Tag Manager interface. 

How would Google Analytics data look after you remove all the required information? Will it be sufficient to analyze user behavior, site performance, etc.? Well, we will definitely have fewer data. But it looks like this is a new reality we need to get used to. 

Either you decide to stay GDPR compliant and receive fewer data about website visitors. Or neglect these rules and risk receiving warnings or fines for transferring user data to the US. 

Though there were cases related to data transfer in Italy, France, and Austria, some other European countries have already started to talk about similar regulations. So if you implement server-side tracking, I suggest immediately removing the part with data transfer to the US. Do not wait until the same cases happen in your country; you must redo the setup.

Anyway, if you have any questions, feel free to contact us. The Stape team can also help set up an EU proxy server for you! Our team of experts is always happy to help new users get started with tracking and answer any questions.