The Swedish Privacy Protection Authority, known as the Integritetsskyddsmyndigheten (IMY), has recently issued penalties of 12.3 million SEK, which equates to approximately $1.1 million or €1 million. This disciplinary action is towards two organizations, while two others are given warnings. These Swedish entities have allegedly broken European Union’s data protection laws for data transfer by using Google Analytics.
EU’s GDPR Violated Through Data Transfer
According to the IMY’s announcement, the implicated firms used Google Analytics to produce web statistics. This practice reportedly infringes the General Data Protection Regulation (GDPR) of the European Union.
Reports suggest that these companies have violated Article 46(1) of the GDPR. This law actively restricts the transfer of personal data to countries or international entities that fail to provide adequate security measures or legal redress mechanisms.
The US, where Google Analytics stores data, has been getting a identity of risky destination for European user data. This identification dates back to the “Schrems II” judgment in July 2020. The European Union’s Court of Justice declared the transfer of data to the US, under the “Privacy Shield” agreement, to be illegal. The breach mirrors the reason why Meta faced a $1.3 billion fine from the Irish Data Protection Commission (DPC).
NOYB’s Complaints Ignite Investigation
After receiving a complaint from the Austrian digital rights group, None of Your Business (NOYB), IMY launched an investigation. The probe focused on identifying the kind of data that Google Analytics dispatches to the US. As the IMY concludes the investigation, they identify the data as personal.
The investigators assert that they can link the data sent through Google’s statistics tool to other unique data transferred, thus categorizing it as personal. The scrutiny pertained to the Google Analytics version as of August 14, 2020.
The Repercussions for the Four Firms for Data Transfer
The entities receiving punitive actions are Tele2 SA, CDON AB, Coop SA, and Dagens Industri. Specifically, Tele2 SA, an internet and telecom service provider, faced a fine of 12 million SEK. The IMY warns CDON AB about GDPR compliance and imposes a fine of 300,000 SEK. Similarly, it issues warnings to Coop SA and Dagens Industri, urging them to comply with GDPR.
Interestingly, Tele2 SA has already elected to stop using Google Analytics of its own accord.
Setting a Precedent in Data Protection during Data Transfer
IMY’s decision stands as the first instance of levying financial penalties for these types of infractions. Meanwhile, data protection authorities in Austria, France, and Italy are identifying previous instances of GDPR non-compliance involving Google Analytics.
The consequences handed down by IMY serve as a guideline for the broader industry. Other businesses utilizing Google Analytics might reassess their approach to abide by the EU’s rules and regulations.
The remaining three organizations have been instructed to halt Google Analytics usage. They also must establish appropriate data protection measures within one month from the decision, which IMY announced on June 30, 2023.