Is Google Analytics Legal in Finland? The EUR 1.1M Pharmacy Fine and Three Rulings
- The Finnish privacy paradox
- Two regulators, two laws
- Three rulings, one big fine
- What the EUR 1.1M pharmacy fine actually says
- The Data Privacy Framework: who it helps, who it leaves exposed
- We crawled 110 Finnish sites
- Why Finnish government chose Matomo
- What this means for your Finnish site in 2026
- Frequently asked questions
- What the Finnish state built for itself
Finland's largest GDPR fine on record is EUR 1.1 million. It was issued in June 2025 to a pharmacy chain that loaded Google Analytics, Google Tag Manager, Google Maps, Google Fonts, and Meta Pixel across a website selling sensitive health products. Two earlier rulings had already named Google Analytics. The country's privacy regulator runs no analytics on its own website. The cookie regulator runs Matomo. Sixty-one percent of top Finnish ecommerce sites still load Google trackers before any consent is given.
- Finland's largest GDPR fine on record, EUR 1.1 million, was issued June 4, 2025 to Yliopiston Apteekki for loading Google Analytics, Google Tag Manager, and Meta Pixel (alongside Google Maps and Google Fonts) on a pharmacy site handling sensitive health data.
- The Office of the Data Protection Ombudsman has issued three decisions naming Google Analytics since January 2023: Helmet libraries (reprimand), Finnish Meteorological Institute (reprimand), Yliopiston Apteekki (EUR 1.1M).
- The EU-US Data Privacy Framework, effective July 10, 2023, eases the transfer-mechanism question for private-sector controllers using DPF-certified vendors. It does not resolve the legal exposure for Finnish public-sector controllers, who face additional procurement and sovereignty constraints the DPF doesn't address.
- Finland's cookie law is Section 205 of the Electronic Communications Services Act (917/2014), enforced by Traficom, which has issued 19 cookie decisions since 2021 and has audited its own website.
- A May 2026 crawl of 110 top Finnish sites found 26% of government and 61% of ecommerce domains loading Google trackers in the initial HTML. 18% of government sites used Matomo. Zero ecommerce sites did.
The Finnish privacy paradox
The country that produced F-Secure, MyData Global, and the Nordic Model for personal data sovereignty also produced Anu Talus, who has chaired the European Data Protection Board since May 2023. Finland's privacy infrastructure has roots that run deeper than GDPR. The Office of the Data Protection Ombudsman opened its doors in 1987, six years before the Maastricht Treaty brought the EU into being and a decade before most of Europe had a real data protection regime to call its own.
A 2025 Government Digital Security Barometer found that 87% of Finns trust public authorities with their data and 75% trust Finnish online stores. The same survey put trust in foreign online stores at 23%. The gap between domestic institutions and foreign commercial entities is one of the widest in Europe. Put another way: when you ask a Finn whether they trust a US-based ad-tech platform with their data, the default answer is no.
That trust did not appear from nowhere. Academic work on "Finlandization" describes a Finnish self-censorship culture from 1948 to 1991, when the Soviet Union sat next door and the country's politics were calibrated to that fact. The Finnish Security and Intelligence Service declassified its 1949-1959 archives in 2009. The Finns who grew up around that history raised the Finns who built Sitra, the Innovation Fund whose data-economy work treats sovereignty over personal data as a structural priority.
What the country built next is unusual for Europe. Suomi.fi, the national digital services portal, identified 4.3 million Finns at least once in 2023. That is 77% of the population. Where most countries layered e-government onto existing surveillance infrastructure, Finland built e-government on the presumption that the citizen owns their identity and the state earns access to it.
If you're reading this from outside Finland, I think that presumption is the part you need to absorb first. Everything else here sits on top of it.
Two regulators, two laws
Finnish cookie and analytics enforcement splits across two authorities, and the powers are not the same. If you only know one of them, you only see half the picture.
Tietosuojavaltuutettu (the Office of the Data Protection Ombudsman) sits under the Ministry of Justice and enforces the GDPR plus Finland's national Data Protection Act 1050/2018. It can issue administrative fines. The office processed 13,291 cases in 2024 and received 7,152 data breach notifications, with more than 30,000 logged cumulatively since GDPR took effect.
Traficom (the Finnish Transport and Communications Agency) sits under the Ministry of Transport and Communications. It enforces Finland's electronic communications law, which contains the country's cookie provisions. Traficom can't issue administrative fines for cookie violations. It issues compliance orders, can attach conditional fines to those orders, and can threaten to suspend service operations as a last resort.
The framing on Traficom's own page is direct: "the competent authority in matters related to the processing of personal data is the Office of the Data Protection Ombudsman, not Traficom." Traficom owns the act of storing or accessing a cookie. Tietosuoja owns what you do with the personal data once you've collected it. A site running Google Analytics without valid cookie consent is potentially Traficom's problem at the storage layer and Tietosuoja's problem at the processing layer.
Anu Talus, appointed Data Protection Ombudsman in November 2020 and reappointed in June 2025 for a second five-year term, has chaired the European Data Protection Board since May 2023. Deputy Ombudsmen sign most published decisions, but the office's standing among European DPAs is unusually high for a country of 5.6 million people.
Three rulings, one big fine
Finland has issued three public decisions naming Google Analytics. None is the kind of jurisdiction-wide formal notice that France's CNIL or Austria's DSB published in 2022. All three are controller-specific. Together they tell a clearer story than any single ruling does.
January 17, 2023. Helmet libraries. The Helmet public library network covering Helsinki, Espoo, Vantaa, and Kauniainen received a reprimand from Deputy Data Protection Ombudsman Heljä-Tuulia Pihamaa. The violation: using Google Analytics and Google Tag Manager to transfer visitor search data to the United States without sufficient supplementary safeguards under the Schrems II ruling. The libraries had already migrated to Matomo in September 2022, four months before the decision landed. No fine was issued, because Finnish law prohibits administrative fines against municipalities.
April 27, 2023. Finnish Meteorological Institute. Case 2023/1823. The Deputy Data Protection Ombudsman issued a reprimand against Ilmatieteen laitos for using Google Analytics and Google reCAPTCHA without a valid transfer basis. The institute was ordered to remove both tools and to delete the unlawfully transferred data. Again no fine: another government body.
June 4, 2025. Yliopiston Apteekki. EUR 1.1 million. The decision covers the period May 2018 through September 2022. During those years, the pharmacy chain's online store loaded Google Analytics, Google Tag Manager, Google Maps, Google Fonts, and Meta Pixel. The data flowing through those tools included sensitive health-related purchase information: which medicines a customer was buying, when, and from where. The pharmacy is a private company, and Finnish law does allow administrative fines against private controllers. The fine is the largest GDPR penalty Finland has ever issued. Yliopiston Apteekki has announced it will appeal.
Annina Hautala, the Deputy Data Protection Ombudsman who issued the pharmacy decision, put the bar plainly: "Website tracking technologies can be implemented in a manner that also allows appropriate protection of personal data. For example, organisations can choose services that allow them to genuinely control the personal data processing or that do not transmit personal data at all."
I'd put it this way: that isn't a ban. It's a standard. The pharmacy didn't meet it, and you shouldn't bet that your site will either if you build it the same way.
What the EUR 1.1M pharmacy fine actually says
The EUR 1.1 million number is the headline. The underlying decision is more specific, and the specifics are what matter for anyone running a Finnish site today.
The investigation looked at the pharmacy's online store across a four-year window. The site was running five third-party services: four from Google (Analytics, Tag Manager, Maps, Fonts) plus Meta Pixel. Each of those endpoints exposed first-party visitor data to processors outside the European Economic Area. The pharmacy could not produce a Transfer Impact Assessment documenting adequate supplementary safeguards. The legal basis for processing failed at multiple points.
The aggravating factor was the data category. Article 9 of the GDPR singles out health-related data for stricter protection, and a pharmacy's order history reveals what medications a person takes. That's health data in the most direct sense. The Office found that the controls applied to that data did not match the sensitivity of the category, and that the breach extended over years rather than days.
The appeal is ongoing as of May 2026. Even if it succeeds in reducing the figure, the precedent is set: a Finnish private-sector controller running GA on a sensitive-data site post-Schrems-II can be assessed at a seven-figure penalty. That's a different risk profile than the libraries and the meteorological institute faced. Public bodies can be reprimanded but not fined. Private-sector pharmacies, telecoms, banks, insurance companies, and ecommerce stores can be both.
If you run a Finnish site that handles health, financial, or other Article 9 data and you're loading Google Analytics on it, your risk profile in 2026 looks closer to Yliopiston Apteekki's than to a generic SaaS company's. You're not legally banned. You're sitting in the seven-figure zone of the regulator's discretion, and the appeal isn't going to lower the ceiling for the next site that lands there. Clickport is one option for replacing GA with first-party tracking that doesn't transfer personal data to the US. The Finnish state uses a self-hosted Matomo for the same reason.
The Data Privacy Framework: who it helps, who it leaves exposed
The EU-US Data Privacy Framework took effect July 10, 2023, replacing the Privacy Shield that the Schrems II ruling had struck down. A transfer to a US company that has self-certified under the DPF is covered by the adequacy decision. The European General Court upheld the DPF in September 2025 in the Latombe case, dismissing the annulment challenge.
For private-sector controllers, that genuinely shifts the analysis. A Finnish ecommerce store using Google Analytics 4 from a DPF-certified Google entity now has a documented adequacy basis for the transfer that it did not have between 2020 and 2023. The Yliopiston Apteekki investigation looked at behavior ending September 2022, before the DPF existed. If the same fact pattern played out post-DPF, the transfer-mechanism question would have looked different. The data-category and consent questions would not have.
For the Finnish public sector, the DPF doesn't resolve the question. The adequacy decision is technically available to any EU controller, but Finnish municipalities, ministries, agencies, public broadcasters, universities, and hospitals operate under public-law procurement rules and sovereignty constraints that compound the transfer-basis question in ways that don't apply to private controllers. Tietosuoja's actual enforcement record (the Helmet libraries and FMI reprimands) is against public-sector GA use specifically, and neither ruling has been softened in response to the DPF. A municipal website transferring visitor data to a US-based analytics provider, even one certified under DPF, sits in a different legal posture than a private ecommerce store does. This is the structural gap that none of the existing English-language coverage of Finland's GA situation has addressed.
There's a second wrinkle. The PCLOB (Privacy and Civil Liberties Oversight Board) is one of the core DPF safeguards. The Trump administration's removal of three PCLOB members on January 27, 2025 left the board without a quorum (a federal court later ruled the firings unlawful in May 2025). Max Schrems suggested the European Commission could effectively pause or stop the deal on its own before any formal court case. The DPF is technically in force, but the political weather around it has shifted.
My read: the DPF is currently a workable transfer basis for Finnish private-sector controllers, but it's not the durable insurance policy it was sold as in 2023. If you're building an analytics stack today and want it to survive a 2027 ruling, "DPF self-certified US vendor" is a riskier foundation than "first-party EU-resident tooling that doesn't transfer at all."
We crawled 110 Finnish sites
In early May 2026, I ran a crawl across two domain sets: the 40 most-visited Finnish government, municipal, and regulator sites, and 70 of the highest-traffic .fi ecommerce domains. Each homepage was fetched with a desktop browser User-Agent, no cookies accepted, no JavaScript executed. The HTML was scanned for analytics and consent-management signatures. The full methodology and per-site results are preserved in the Clickport research repository for reproducibility.
Two findings carry the article.
The first is the government picture. Of 38 government sites that responded successfully, 10 loaded a Google tracker (Google Analytics 4 directly or via Google Tag Manager). Seven loaded Matomo. The remainder loaded no analytics at all in the initial HTML. The cookie regulator (Traficom) runs Matomo on a self-hosted subdomain at stat.traficom.fi. The Office of the Data Protection Ombudsman runs no analytics at all. The Office of the President runs Matomo. The Justice Administration runs Matomo. The National Archives run Matomo. Sitra runs Matomo.
The second is the ecommerce picture. Of 54 ecommerce sites that responded successfully, 33 loaded a Google tracker. Zero loaded Matomo. The same privacy-first analytics that Finnish regulators chose has not been adopted by a single one of the top Finnish ecommerce destinations we tested.
There's a methodology caveat worth stating up front. We measured what loads in the initial HTML, before any consent click. Sites that gate analytics behind a consent banner (the compliant pattern) register as "no analytics" in this measurement, as do sites whose tag manager only fires Google Analytics after a JavaScript consent check. The 61% ecommerce number is therefore a lower bound on Google tracker presence, not an estimate of it. The true share is at least that high and almost certainly higher.
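The crawl method described above, as an added example rather than the article's or Clickport's own tooling: a static scanner over the initial HTML that flags vendor signatures, records embedded GA4 and GTM container IDs, and separates a tracker that loads unconditionally from one parked behind a consent manager as an inert `type="text/plain"` tag, which is exactly the case the lower-bound caveat describes. It also notes whether a Matomo snippet calls `disableCookies`, the cookieless configuration the Finnish agencies have converged on. The vendor hostnames are the real public loader endpoints; the grouping, the gating heuristic, the consent-manager list and the three sample pages are constructed for this example.

```python
"""Static scan of a page's initial HTML for analytics and consent signatures.

Hypothetical reproduction of the crawl method in the article: the markup is
inspected as served (no JavaScript executed, no consent given), so a tracker
that a consent manager injects only after an accept click is invisible here.
"""
import re
from html.parser import HTMLParser

# Vendor -> patterns matched against script/link/iframe URLs and inline script
# bodies. Hostnames are the vendors' public loader endpoints; the grouping and
# the "gated vs active" logic below are this example's own assumptions.
SIGNATURES = {
    "google_analytics": [r"googletagmanager\.com/gtag/js",
                         r"google-analytics\.com/(analytics|ga)\.js",
                         r"\bgtag\(\s*['\"]config['\"]"],
    "google_tag_manager": [r"googletagmanager\.com/gtm\.js", r"\bGTM-[A-Z0-9]{4,}\b"],
    "meta_pixel": [r"connect\.facebook\.net/[A-Za-z_]+/fbevents\.js",
                   r"\bfbq\(\s*['\"]init['\"]"],
    "google_fonts": [r"fonts\.googleapis\.com", r"fonts\.gstatic\.com"],
    "google_maps": [r"maps\.googleapis\.com/maps/api", r"google\.com/maps/embed"],
    "recaptcha": [r"google\.com/recaptcha", r"gstatic\.com/recaptcha"],
    "matomo": [r"\b(matomo|piwik)\.(js|php)\b", r"\b_paq\b"],
}
CONSENT_MANAGERS = {"cookiebot": r"consent\.cookiebot\.com",
                    "onetrust": r"cdn\.cookielaw\.org"}
ID_RE = re.compile(r"\b(G-[A-Z0-9]{6,}|GTM-[A-Z0-9]{4,})\b")
EXECUTABLE_TYPES = {"", "text/javascript", "application/javascript", "module"}


class _Collector(HTMLParser):
    """Collects (text, executable) fragments: URLs and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.fragments = []
        self._script_exec = None  # executable flag while inside a <script>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            stype = (a.get("type") or "").strip().lower()
            # Cookiebot-style gating ships the tag as type="text/plain" with a
            # data-cookieconsent attribute: parked in the DOM, not executed
            # until the visitor consents. Count it as present but gated.
            self._script_exec = stype in EXECUTABLE_TYPES and "data-cookieconsent" not in a
            if a.get("src"):
                self.fragments.append((a["src"], self._script_exec))
        elif tag in ("link", "iframe", "img"):
            url = a.get("href") if tag == "link" else a.get("src")
            if url:
                self.fragments.append((url, True))

    def handle_data(self, data):
        if self._script_exec is not None and data.strip():
            self.fragments.append((data, self._script_exec))

    def handle_endtag(self, tag):
        if tag == "script":
            self._script_exec = None


def scan_html(html):
    """Per-vendor status (absent / gated / active), consent manager, embedded
    GA4/GTM IDs, and whether a Matomo snippet runs cookieless."""
    c = _Collector()
    c.feed(html)
    c.close()
    trackers = {}
    for vendor, pats in SIGNATURES.items():
        status = "absent"
        for text, executable in c.fragments:
            if any(re.search(p, text) for p in pats):
                if executable:
                    status = "active"
                    break
                status = "gated"  # keep looking for an unconditional load
        trackers[vendor] = status
    consent = next((n for n, p in CONSENT_MANAGERS.items()
                    if any(re.search(p, t) for t, _ in c.fragments)), None)
    return {"trackers": trackers, "consent_manager": consent,
            "ids": sorted(set(ID_RE.findall(html))),
            # Matomo's disableCookies call: tracking with no device storage.
            "matomo_cookieless": any(ex and "disableCookies" in t for t, ex in c.fragments)}


def bucket(report):
    """The article's three buckets: a Google tracker that loads before any
    consent, Matomo, or nothing in the initial HTML."""
    t = report["trackers"]
    if "active" in (t["google_analytics"], t["google_tag_manager"]):
        return "google"
    return "matomo" if t["matomo"] == "active" else "none"


# Constructed sample pages (not real sites): GA4 + Meta Pixel + Fonts + Maps
# loaded unconditionally; self-hosted cookieless Matomo; Cookiebot-gated GTM.
PHARMACY_LIKE = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-ABCDEF1234"></script>
<script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}
gtag('js',new Date());gtag('config','G-ABCDEF1234');</script>
<script>!function(d,v){var t=d.createElement('script');t.async=!0;t.src=v;d.head.appendChild(t)}
(document,'https://connect.facebook.net/en_US/fbevents.js');fbq('init','1234567890');</script>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto">
</head><body><iframe src="https://www.google.com/maps/embed?pb=x"></iframe></body></html>"""
GOV_LIKE = """<html><head><script>
var _paq = window._paq = window._paq || [];
_paq.push(['disableCookies']); _paq.push(['trackPageView']);
(function(){var u="https://stat.example.fi/";_paq.push(['setTrackerUrl',u+'matomo.php']);
_paq.push(['setSiteId','1']);var g=document.createElement('script');g.src=u+'matomo.js';
document.head.appendChild(g);})();</script></head><body></body></html>"""
GATED = """<html><head>
<script id="Cookiebot" src="https://consent.cookiebot.com/uc.js" data-cbid="x" type="text/javascript"></script>
<script type="text/plain" data-cookieconsent="statistics"
        src="https://www.googletagmanager.com/gtm.js?id=GTM-ABCD123"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for name, page in [("pharmacy_like", PHARMACY_LIKE), ("gov_like", GOV_LIKE), ("gated", GATED)]:
        r = scan_html(page)
        print(name, bucket(r), r["ids"], r["consent_manager"], r["trackers"])
```

Run against a real homepage by fetching it with a desktop User-Agent and no cookie jar, then passing the body to `scan_html`. The `gated` sample lands in the `none` bucket even though a GTM container is plainly on the page; that is the measurement blind spot the 61% figure inherits, and a reviewer wanting an upper bound would need to drive a headless browser through the consent dialog instead.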
The 26% government number is more troubling on its own terms. The Helmet and FMI rulings show what happens when a public-sector controller loads Google Analytics. A site like a major Finnish city or university running GTM today is in roughly the same legal posture the Helmet libraries were in when their reprimand landed.
Why Finnish government chose Matomo
The shift wasn't coordinated by any single ministry, and there's no published Finnish government policy that recommends Matomo over Google Analytics. What we have instead is convergent practice plus an infrastructure layer.
A 2022 market survey by the Finnish digital agency North Patrol described Matomo's Finnish user base as "primarily government organizations that switched from Google Analytics." The migration appears to have started around 2020, the year of the Schrems II decision, and accelerated through 2022. The Helmet libraries had already migrated in September 2022, four months before their January 2023 decision landed. The Finnish public sector did not wait for the regulator to act.
The infrastructure layer is real. KEHA-keskus, the Finnish state agency that handles digital services for ELY centres and TE offices, operates the shared domain ahtp.fi. Within it, analytiikka.ahtp.fi serves Matomo containers to multiple agencies. Individual ministries run their own Matomo subdomains, like stat.traficom.fi. The pattern is self-hosted Matomo on Finnish government infrastructure, not Matomo Cloud.
Agencies that have published their reasoning include Kela and KEHA-keskus. Kela cites first-party data collection, anonymous storage, and exclusive use by Kela itself. KEHA-keskus describes a system managed by KEHA, first-party only. Each stated motivation reduces to two ideas: keep the data in Finland, and keep it within the controller's control. The European Commission and the Council of Europe use Matomo for the same reasons.
What's missing is a published procurement standard. Sitra's data sovereignty position aligns with this pattern but doesn't name a tool. VAHTI, the Finnish public-sector cybersecurity coordination body, doesn't publish analytics tool recommendations. I read the convergence as real but informal: it's the product of dozens of individual procurement decisions taken in the same direction, not a top-down mandate. If you're a Finnish public-sector procurement lead reading this, you have a lot of peer cover for choosing Matomo without anyone telling you to.
What this means for your Finnish site in 2026
The legal picture is more specific than the existing English-language coverage suggests. Here's how the rules apply to four different situations.
The standard the regulator applies to itself is the standard the regulator applies to you. Traficom ran a cookie audit of its own website in December 2021. The Office of the Data Protection Ombudsman runs no analytics at all on tietosuoja.fi. Whatever level of tracking you decide is appropriate for your Finnish visitors, you should be ready to defend it on those terms. I would not want to be the controller whose decision tree is "GA + cookie banner that nudges accept" in front of a regulator that runs Matomo on stat.traficom.fi.
Frequently asked questions
Is Google Analytics banned in Finland?
No. There is no jurisdiction-wide ban on Google Analytics in Finland. There are three Tietosuoja decisions naming Google Analytics, all controller-specific. Two are against public-sector bodies (reprimands, no fine) and one is against a private pharmacy (EUR 1.1 million fine, June 2025). What gets enforced is the combination of valid cookie consent, an adequate transfer mechanism, and controls proportionate to the data category.
Does the EU-US Data Privacy Framework make Google Analytics legal in Finland?
For private-sector controllers using a DPF-certified Google entity, the DPF eases the transfer-mechanism question. It doesn't resolve cookie consent, controller documentation, or data category obligations. The June 2025 Yliopiston Apteekki fine covered behavior that ended before the DPF existed, but Annina Hautala's standard ("services that allow controllers to genuinely control the processing or that do not transmit personal data at all") is not satisfied by DPF self-certification alone.
What did the Helmet libraries decision actually decide?
The January 17, 2023 Helmet decision was a reprimand against the public library network of Helsinki, Espoo, Vantaa, and Kauniainen for using Google Analytics and Google Tag Manager to transfer visitor search data to the United States without sufficient supplementary safeguards under Schrems II. The libraries had already migrated to Matomo four months earlier. No fine was issued because Finnish law prohibits administrative fines against municipalities.
How much was the Yliopiston Apteekki fine and what triggered it?
EUR 1.1 million, issued June 4, 2025. The fine covered the period May 2018 through September 2022, during which the pharmacy chain's online store loaded Google Analytics, Google Tag Manager, Google Maps, Google Fonts, and Meta Pixel on a site selling sensitive health products. The aggravating factor was Article 9 data (health information). It's Finland's largest GDPR fine on record. The pharmacy is appealing.
Is Matomo legal in Finland?
Yes, with the same Section 205 cookie consent obligation as any other analytics tool, unless it's configured not to store data on visitor devices. Self-hosted Matomo with anonymous tracking and no third-party transfers is the configuration Finnish government bodies have converged on, including Traficom (the cookie regulator), the Office of the President, the Justice Administration, and Sitra.
What about Finnish municipalities and public-sector sites?
The DPF only covers transfers to DPF-certified recipients, and even for those it doesn't resolve the procurement and sovereignty constraints that Finnish public-sector controllers operate under. A municipal website running Google Analytics post-DPF therefore sits in roughly the same legal posture as one running it pre-DPF: the transfer-basis question is not settled. The Helmet and FMI rulings show the enforcement pattern: reprimand plus an order to remove the tool and delete the transferred data. Public-sector controllers can't be fined, but they can be ordered to migrate on a short timeline.
Who actually runs Google Analytics on Finnish government sites?
Per a May 2026 crawl of 40 government domains, 10 still loaded a Google tracker in the initial HTML, mostly via Google Tag Manager. The list includes several major cities (Helsinki, Lahti, Pori, Vantaa, Turku, Oulu) and universities and research institutes (Aalto, UEF, VTT). The privacy and cookie regulators don't appear on that list. The Office of the President, the Justice Administration, the National Archives, and Sitra all run Matomo instead.
What the Finnish state built for itself
What the Finnish regulators built for themselves isn't exotic. It's a self-hosted analytics stack that respects the Section 205 consent rule, doesn't transfer personal data to the United States, and produces the behavioral data a team needs to understand what's working. The infrastructure pattern is reproducible. The trade-off between satisfying a regulator and understanding your traffic was never a real trade-off.
Clickport does this same job for sites that want the standard the Finnish state holds itself to without running their own Matomo cluster. First-party tracking, no cookies, no cross-site fingerprinting, EU-hosted in Germany, and a dashboard that makes the data legible without sending it through Mountain View. The trial is 30 days. No credit card required.
The country that built MyData, hosts the EDPB Chair, and runs no analytics on its own privacy regulator's website has been showing the rest of Europe what privacy-respecting analytics looks like for a decade. The pharmacy fine is what I think happens when a private controller doesn't read the room. If you're running a Finnish site in 2026, you have a clearer template than your peers in most other EU countries. Use it.