Concern about the compliance of Google Analytics with data protection legislation has been alleviated following the EU decision

The European Commission's decision on the adequacy of the United States' data protection level came into effect on 10 July. Under the adequacy decision, personal data can be transferred to certified American companies committed to the safeguards agreed upon in the EU-US data protection framework.

The transfer of personal data from Europe to the United States has caused headaches for numerous companies in both Europe and the US since the EU determined in its decision that the previous Privacy Shield arrangement was insufficient in the summer of 2020.  Essentially, the core issue has been the discrepancies between Europe's privacy law (GDPR) and the United States' surveillance laws. It has been clear from the outset that a potential resolution to the problem would be found at the negotiation table, through agreeing on new practices. Simultaneously, companies and cloud service providers have significantly improved their compliance with GDPR requirements.

The EU's adequacy decision on 10 July 2023 resolves the ambiguity in the transfer of personal data from Europe to the United States, provided the American company involved in the transfer is certified in the DPF (Data Privacy Framework) with agreed-upon safeguards. The United States has launched an online service where one can easily search and verify information about companies included in the DPF. The registry includes major cloud service providers such as Amazon, Google, and Microsoft, which allows us to confirm that Google Analytics is fundamentally compliant with the GDPR regulation.

Registry search for companies included in the data privacy framework:
https://www.dataprivacyframework.gov/s/participant-search