Is Google Analytics Illegal in Europe?

The short answer: it depends on who you ask and when you ask them. Multiple European data protection authorities have declared Google Analytics illegal, those rulings were partially defused by a new EU-US data transfer deal, and that deal is now under political threat. If you run a website with European visitors, here's what you need to know.

The rulings that started it all

In August 2020, activist Max Schrems and his organization noyb filed 101 complaints across the EU against websites using Google Analytics and Facebook Connect. The complaints argued that these tools transfer European personal data to the US, where surveillance laws like FISA Section 702 allow government access — violating GDPR's requirements for adequate data protection.

The rulings came one after another:

Austria (January 2022) — The Austrian Data Protection Authority (DSB) was the first to rule, declaring that a website's use of Google Analytics violated the GDPR because it transferred personal data to the US without adequate safeguards.
France (February 2022) — The CNIL ruled that Google Analytics violated Article 44 of the GDPR, citing insufficient data protection in the US.
Italy (June 2022) — The Garante ruled similarly, giving websites 90 days to stop using Google Analytics or find compliant alternatives.
Denmark (September 2022) — Datatilsynet concluded that Google Analytics could not be used in compliance with the GDPR.
Norway (2023–2024) — Datatilsynet issued a preliminary ruling finding Google Analytics in violation of GDPR, later confirming its position.

These weren't fringe opinions. They were coordinated enforcement actions based on a shared legal analysis by the European Data Protection Board (EDPB).

The Data Privacy Framework: a temporary fix?

On July 10, 2023, the European Commission adopted the EU-US Data Privacy Framework (DPF), the third attempt at creating a legal basis for transatlantic data transfers. Google LLC became certified under the DPF in August 2023, which means — in theory — that data transfers to Google's US servers now have a valid legal basis.

This made Google Analytics technically legal to use again in the EU, at least for the data transfer aspect. Several DPAs acknowledged this, including the Norwegian Datatilsynet, which noted that use of Google Analytics had been illegal until the DPF took effect.

But the DPF only solves one part of the problem. Website operators still need to comply with GDPR's other requirements: lawful basis for processing, data minimization, transparency, and — crucially — consent for cookies.

Why the legal ground is still shaky

The DPF is the successor to Safe Harbor (invalidated in 2015 by Schrems I) and Privacy Shield (invalidated in 2020 by Schrems II). Both were struck down by the Court of Justice of the European Union (CJEU) because US surveillance laws weren't compatible with EU fundamental rights.

The Latombe challenge: In September 2023, French politician Philippe Latombe filed for annulment of the DPF. On September 3, 2025, the EU General Court dismissed his case, upholding the framework's validity. But Latombe appealed to the CJEU on October 31, 2025. The CJEU — the same court that killed Safe Harbor and Privacy Shield — will now review whether the DPF provides adequate protection. Its track record suggests this won't be a formality.

The Trump factor: In January 2025, President Trump signed an executive order requiring review of all Biden-era national security decisions within 45 days — including the executive order that the DPF relies on for its privacy protections. Noyb's Max Schrems has warned that the DPF is built on a "fragile patchwork" of US legal mechanisms, and that the failure of just one element could make EU-US data transfers instantly illegal again.

The PCLOB problem: The US Privacy and Civil Liberties Oversight Board (PCLOB), a key oversight mechanism cited in the DPF, was effectively gutted in early 2025, leaving it unable to function properly. Without working oversight, the EU's justification for trusting US data protection weakens considerably.

Google Analytics still requires a cookie banner

Even if the DPF holds up, Google Analytics 4 still sets cookies and collects personal data (IP addresses, device identifiers, browsing behavior). Under both the GDPR and the ePrivacy Directive, this means you need:

A consent banner that meets strict requirements (equally prominent "Accept" and "Reject" buttons, no pre-ticked boxes, no dark patterns)
To only load GA4 after the user consents
A comprehensive privacy policy explaining what data you collect and why

Studies consistently show that 30–40% of visitors reject tracking when given a fair choice. That means your GA4 data is incomplete from day one — and you're adding page weight, complexity, and legal risk for the privilege.

What you can do instead

If you want to track website traffic without the legal uncertainty, look for analytics tools that:

Don't use cookies — no ePrivacy consent needed
Don't collect personal data — no GDPR consent needed
Don't transfer data to the US — no dependency on the DPF
Have a small footprint — better performance, happier visitors

Tools like Plausible, Fathom, and Fairlytics all take this approach. They give you the metrics that matter — page views, referrers, top pages, device types — without the legal baggage. Fairlytics goes furthest on privacy defaults: at 510 bytes it's the smallest tracker available, and it's the only one that respects both Do Not Track and Global Privacy Control signals by default.

The bottom line

Is Google Analytics illegal in Europe right now? Technically no — the DPF provides a legal basis for data transfers. But the DPF is being challenged at the CJEU, its political foundations are under threat, and you still need a consent banner that most visitors will reject. For most websites, the practical answer is the same either way: there are simpler, safer options.

Want analytics without the legal uncertainty? Try Fairlytics free — 10,000 page views/month, no cookies, no consent banner needed.