Jump to content
  • Google Analytics data transfer to U.S. brings $1 million fine to Swedish firms

    alf9872000

    • 316 views
    • 3 minutes
     Share


    • 316 views
    • 3 minutes

    The Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten – IMY) has fined two companies with 12.3 million SEK (€1 million/$1.1 million) for using Google Analytics and warned two others about the same practice.

     

    In a decision published yesterday, the agency explains that by using Google Analytics to generate web statistics the firms were breaching European Union's General Data Protection Regulation (GDPR).

     

    Specifically, the companies were in violation of the GDPR Article 46(1), which forbids the transfer of personal data to countries or international organizations that lack safeguards that warrant safety and legal remediation mechanisms.

     

    The United States has been deemed as a risky location for the storage of data of European users, as per the July 2020 "Schrems II" judgment, where the Court of Justice of the European Union (CJEU) ruled that any data transfers to the U.S. in the context of the then-existing mechanism, "Privacy Shield," were illegal.

     

    This violation is the same for which the Irish Data Protection Commission (DPC) fined Meta $1.3 billion for transferring EU-based user data to servers in the U.S.

     

    IMY, following the submission of a relevant complaint by the Austrian digital rights organization None of Your Business (NOYB), carried out audits to determine the type of data the Google Analytics tool sends in the U.S. and concluded that it constitutes personal information.

     

    The audits concerned a version of the Google Analytics tool from August 14, 2020.

     

    "IMY considers that the data transferred to the U.S. via Google's statistics tool is personal data because the data can be linked with other unique data that is transferred," states.

     

    "The authority also concludes that the technical security measures that the companies have taken are not sufficient to ensure a level of protection that essentially corresponds to that guaranteed within the EU/EEA" - IMY

     

    The four companies that have been reprimanded are:

     

     

    Tele2 SA - a telecommunications and internet service provider in Sweden, has recently decided to stop using Google Analytics on its own initiative.

     

    The other three organizations are ordered to stop using Google Analytics and to implement adequate data protection measures no later than one month after IMY's decision, which was announced on June 30, 2023.

     

    The use of Google Analytics has been deemed non-GDPR-compliant again in the past by the data protection authorities in AustriaFrance, and Italy.

     

    However, IMY's decision to impose financial penalties on the violators makes this the first of its kind.

     

    These decisions also serve as guidance for the whole industry, and other companies using Google Analytics may decide to adjust their strategy to comply with the rules and regulations in the EU.

     

    Source


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...