The Norwegian Data Protection Authority Datatilsynet (Norwegian DPA) has concluded that the use of the website analytic tool Google Analytics by two state agencies violated Norway’s data protection law. The two state agencies—Tax Administration and the State Educational Loan Fund—were not able to account for how Google Analytics worked, and found that there was a disconnect between Google’s privacy policy and that of the state agencies.

Google Analytics is a website tool that allows organizations to create reports about how visitors and users utilize a website, and to analyze visitor and user behavior. Google Analytics is widely used, including by some other European-based data protection authorities, such as the UK Information Commissioner’s Office.

Google Analytics collects part of a visitor’s IP address, which, in a 2011 opinion, the European Court of Justice found to be personal data. The Norwegian DPA found that the agencies should be deemed to control the information collected via Google Analytics cookies, but that it appeared the data was actually collected by Google, thus making Google, rather than the state agencies, the data controller. In addition, the Norwegian DPA determined that neither of the two state agencies could demonstrate that data provided to Google had been anonymized, nor that its use was limited to statistical purposes. The agencies’ unconditional acceptance of the terms and conditions appeared to imply that Google could use the IP addresses to provide additional services that would allow them to compile personal information about the visitors from many different websites, and thereby potentially identify the user.

The DPA believed that Google should be functioning as a data processor of each of the agencies; has required both agencies to correct the information on their websites; and has requested that any IP addresses collected are anonymized and used only for analysis. Both state organizations now have a chance to respond to the DPA’s findings before a final ruling is made.

This is the first ruling of its nature in the EEA and, in some ways, is surprising given that the collection of IP addresses by Google Analytics cookies tends to be limited by geographic region rather than comprised of the entire IP address. The final ruling will be one to watch, including whether there is a knock-on effect throughout the EEA with other national authorities taking similar decisions about the use of Google Analytics.