Sunday 13 February 2011

Is Google Analytics illegal in Germany?

Update May 25th 2012

It looks like it's OK again  to use Google Analytics in Germany 
Today I stopped using Google Analytics (GA) on this blog. The reason is that the German Data Protection Authorities have recently said that usage of GA is illegal. They are of the opinion that the way GA uses IP addresses breaches their laws.  I know that some readers of this blog come from Germany. How do I know? Google Analytics.

This blog also uses StatCounter to analyse visitor traffic. StatCounter is based in the EU - Ireland. So that should be OK - at least in Europe. Anyway,  I prefer StatCounter so GA is no great loss.

The irony is that this blog is hosted on Google Blogger which is based in the US. This should be OK because Google is signed up to the Safe Harbor framework. This roughly means that it is acceptable to store personal information of EU citizens on Google infrastructure.

An added complication is that Google Blogger has a feature called Stats, which also offers visitor tracking functionality. This is separate to GA, so hopefully it will not be a problem. It is all a bit mind boggling!

So should you remove Google Analytics from your website?


PS:  I have just noticed that the Information Commissioner's website in the UK uses Google Analytics. So maybe he shouldn't visit Germany anytime soon.

Social: DiggIt! Reddit Stumble Google Bookmarks Technorati Slashdot


  1. Surely the fine will only affect German companies using German servers? I would have thought if you are using a server outside of Germany they have no jurisdiction over that?

  2. Toby, I would say the devil is in the legal detail. Given that the servers and owners are outside Germany, you are right, it would be very difficult to enforce. But legally (I would imagine) it would still be in breach of German Law. But I wouldn't worry to much about it in any event!


  3. It does raise the question as to whether you are legally responsible for complying with the laws of every country from which people access your site irrespective of where your company/servers are located...

    I reckon your stated goal of "designing security in from the start" would seem easy in comparison...

  4. Hi Eoghan, The following example from 2007 is a bit extreme, but it shows the potential risks. So I suppose it's worth being aware of the legal implications - depending on the business that you are in.

    "Two former NETELLER executives were detained while traveling separately through the United States yesterday (Jan. 15) in “connection with the creation and operation of an Internet payment services company that facilitated the transfer of billions of dollars of illegal gambling proceeds from United States citizens to the owners of various Internet gambling companies located overseas"