The Swedish Authority for Privacy Protection (IMY) has recently imposed sanctions totaling approximately one million euros on two companies for transferring personal data to the United States via Google tools. According to the official announcement on the IMY website, the authority audited the use of Google Analytics by four companies and concluded the investigation by issuing administrative fines to two of them.
The authority clarified that these companies’ use of Google Analytics to generate web statistics infringes the General Data Protection Regulation (GDPR) of the European Union. More precisely, the companies are in violation of Article 46(1) of the GDPR, which prohibits the transfer of personal data to countries or international organizations that lack secure safeguards and legal remediation mechanisms.
It is understood that Google Analytics is a tool employed to measure and analyze website traffic. Following a complaint lodged by the Austrian digital rights organization, NOYB, the Swedish Authority for Privacy Protection audited Google Analytics to ascertain the type of data it was transmitting to the United States, eventually concluding it constituted personal information.
“In its audits, IMY considers that the data transferred to the US via Google’s statistics tool is personal data because the data can be linked with other unique data that is transferred,” declared the Swedish Authority for Privacy Protection. It further stated that the technological security measures implemented by these companies fall short of ensuring a protection level fundamentally equivalent to what is guaranteed within the European Union/European Economic Area.
According to the General Data Protection Regulation, if the European Commission has determined that a country provides an adequate level of protection that is commensurate with that within the European Union/European Economic Area, personal data can be transferred to that country (a third country outside the European Union/European Economic Area). However, the United States is not recognized as a country with such a level of protection.
Recently, Sweden’s telecommunications and Internet service provider, Tele2 SA, independently decided to discontinue the use of Google Analytics. The other three companies were also mandated to cease the usage of Google Analytics within a month following the announcement of the decision and to implement appropriate data protection measures.
In the past, restrictions on the usage of Google Analytics have been imposed in other European Union countries such as Italy, France, and Austria, but this is the first instance where companies breaching the rules have been fined.
Legal consultant Sandra Arvidsson, who was responsible for auditing these companies, stated, “All four companies have based their decisions on the transfer of personal data via Google Analytics on standard contractual clauses. From IMY’s audits, it appears that none of the companies’ additional technical security measures are sufficient.” Sandra added, “These decisions have implications not only for these four companies, but can also provide guidance for other organisations that use Google Analytics.”