Schrems II in practice: what it means for your web analytics
The Data Privacy Framework made GA4 technically legal again. It did not make the lawyers any less cautious. Here is what you actually need to know to make a sensible decision.
Summary for those in a hurry
- Schrems II (2020) invalidated Privacy Shield and with it the basis for transferring personal data to the US. Standard contractual clauses (SCCs) still worked, but only with supplementary technical safeguards.
- The Data Privacy Framework (2023) is the replacement. US companies that certify can receive EU personal data without SCCs. Google, Meta, Amazon, Microsoft are all certified.
- The risk is not gone. The DPF can be invalidated again, just like its two predecessors. Schrems himself has already sued it. And the DPF does not protect against US legislation like the CLOUD Act, FISA 702 and Executive Order 12333.
- For web analytics specifically there is no value in US-based processing. You get exactly the same numbers from an EU-hosted service without legal digging.
- 2000Safe Harbor
The first EU-US transfer agreement.
- 2015Schrems I invalidates Safe Harbor
NSA surveillance makes the US not adequate.
- 2016Privacy Shield
Replacement for Safe Harbor.
- 2020Schrems II invalidates Privacy Shield
FISA 702 and EO 12333 still a problem.
- 2023Data Privacy Framework (DPF)
New mechanism, new complaint mechanism (DPRC).
- 2023Schrems III lawsuit filed
Max Schrems argues the DPF is the same thing again.
- 2027-2030?Likely DPF outcome
If the pattern holds we get a third annulment.
What Schrems II actually said
The Court of Justice of the EU ruled in case C-311/18 (Schrems II) on July 16, 2020 that the Privacy Shield agreement between the EU and the US does not provide sufficient protection for EU citizens’ personal data. The core of the ruling is technical: US legislation, in particular FISA 702 and Executive Order 12333, gives the NSA and other federal agencies the right to demand access to data held by US tech companies, without the person concerned ever finding out.
EU citizens have, under GDPR, a right to legal protection, a right to information and a right to know how their data is processed. US legislation gives them none of these rights when data ends up in an NSA request. That is the conflict in its simplest form.
The Data Privacy Framework, summarized
In July 2023 the EU-US Data Privacy Framework entered into force. It is the result of a political agreement between the EU and the US, plus a US Executive Order (14086) that establishes a new dispute resolution mechanism for EU citizens, called the Data Protection Review Court (DPRC). Companies in the US can join the DPF, commit to following GDPR-like principles, and thereby legally receive EU personal data without SCCs.
Technically this means that Google Analytics 4, since Google is DPF-certified, is legal to use in the EU again, provided you have consent and inform users in your privacy policy.
But several things have not changed:
- FISA 702 and Executive Order 12333 remain. They are US legislation and cannot be changed via a political agreement with the EU.
- The CLOUD Act from 2018 gives US authorities the right to demand data from US companies regardless of where the data is physically stored, including European data centers.
- The DPRC is not a court in the classic sense. It is administrative, the process is secret and no complainant gets to know the outcome of their individual case.
Why the lawyers do not trust it
Max Schrems, the lawyer who won the first two cases, filed a new lawsuit against the DPF in September 2023. His argument is that the DPF is in practice the same thing as Privacy Shield, just with a new court that is not a court.
Historically, every EU-US transfer mechanism has been brought before the Court of Justice of the EU and invalidated within 4 to 6 years: Safe Harbor (1999 - 2015), Privacy Shield (2016 - 2020), DPF (2023 - ?). If the pattern holds we are heading toward a third annulment sometime between 2027 and 2030.
For you as a data controller that means that if you build your web analytics on the DPF today, you may have to rebuild it in two to four years. For a web analytics installation that is not a disaster. For an entire CRM stack it is expensive.
What IMY says
The Swedish data protection authority (IMY) has been consistent: the DPF is a risk-acceptable solution for most individuals and for the private sector, but for the public sector and particularly sensitive organizations an EU-based service is recommended. In practice that means municipalities, regions, agencies, healthcare and schools continue to choose EU alternatives even when it would technically be legal to stay in the Google stack.
For private companies it is more a question of business risk and resources. How much is it worth to spend five hours per quarter defending a GA4 installation in procurement questions and vendor questionnaires?
What you can actually do about it
There are three realistic paths for a Swedish organization in 2026:
1. Keep GA4 and manage the risk
A perfectly valid choice for many. It assumes you have consent collection (a cookie banner) in place, that the privacy policy mentions the DPF, and that you document why you have assessed the DPF to be sufficient for your specific processing (transfer impact assessment, TIA).
2. Switch to an EU-hosted service
The simplest way to eliminate the US transfer entirely. Cookie-free alternatives like Spårlös, Plausible or Fathom move all processing to EU data centers. Schrems II and the DPF then become irrelevant for your web analytics. You no longer need a cookie banner either, because the services do not set cookies or store direct identifiers.
3. Self-hosted Matomo or Umami on your own servers
Maximum control, but it requires someone on your side to handle updates, backups and security monthly. For medium and large companies with an IT team it is a good path. For SMBs it is usually oversized.
What you save by moving
These are the concrete things that disappear when you remove the US transfer from your web analytics:
- The need for a TIA (transfer impact assessment) specifically for the web analytics.
- A sub-processor you have to list in your own DPA toward your customers.
- The cookie banner friction (provided you also remove other trackers that require consent).
- A recurring question in vendor questionnaires from larger customers.
- The risk of having to change platform if the DPF is invalidated.
What you need to do if you have already switched
If you have made the switch, update the following documents:
- Privacy policy: remove the mention of Google Analytics and add the new service. Our privacy policy example is written to be copied and adapted.
- Cookie banner: if web analytics was the only basis for the banner you can remove it entirely. Otherwise simplify it by removing the analytics category.
- DPA list: replace Google LLC with the new provider. Our DPA is pre-prepared under Article 28 GDPR and can be signed directly.
- Security policy: note that the data flow now stays within the EU. The details are on the security page if you want to cite them.
More reading
- Is Google Analytics illegal in Sweden in 2026? - the Swedish legal situation summarized
- Why Swedish companies are switching from Google Analytics in 2026 - what actually drives the decision
- Spårlös vs Google Analytics - comparison table