The Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten – IMY) has fined two companies 12.3 million SEK (€1 million/$1.1 million) for using Google Analytics and warned two others about the same practice.
In a decision published yesterday, the agency explains that by using Google Analytics to generate web statistics, the firms were breaching the European Union’s General Data Protection Regulation (GDPR).
Specifically, the companies were in violation of GDPR Article 46(1), which forbids the transfer of personal data to countries or international organizations that lack safeguards that warrant safety and legal remediation mechanisms.
The United States has been deemed a risky location for the storage of data of European users, as per the July 2020 “Schrems II” judgment, where the Court of Justice of the European Union (CJEU) ruled that any data transfers to the U.S. in the context of the then-existing mechanism, “Privacy Shield,” were illegal.
This is the same violation for which the Irish Data Protection Commission (DPC) fined Meta $1.3 billion for transferring EU-based user data to servers in the U.S.
IMY, following the submission of a relevant complaint by the Austrian digital rights organization None of Your Business (NOYB), carried out audits to determine the type of data the Google Analytics tool sends to the U.S. and concluded that it constitutes personal information.
The audits concerned a version of the Google Analytics tool from August 14, 2020.
“IMY considers that the data transferred to the U.S. via Google’s statistics tool is personal data because the data can be linked with other unique data that is transferred,” the authority states.
“The authority also concludes that the technical security measures that the companies have taken are not sufficient to ensure a level of protection that essentially corresponds to that guaranteed within the EU/EEA” – IMY
The four companies that have been reprimanded are:
Tele2 SA, a telecommunications and internet service provider in Sweden, has recently decided to stop using Google Analytics on its own initiative.
The other three organizations are ordered to stop using Google Analytics and to implement adequate data protection measures no later than one month after IMY’s decision, which was announced on June 30, 2023.
The use of Google Analytics has previously been deemed non-GDPR-compliant by the data protection authorities in Austria, France, and Italy.
However, IMY’s decision to impose financial penalties on the violators makes this the first of its kind.
These decisions also serve as guidance for the whole industry, and other companies using Google Analytics may decide to adjust their strategy to comply with the rules and regulations in the EU.