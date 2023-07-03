



The Swedish Privacy Agency (IMY) audited how four companies use Google Analytics for web statistics. The IMY has imposed administrative fines on two of them. One of these companies recently voluntarily stopped using statistical tools, and the IMY ordered the other three to also stop using statistical tools.

IMY audited how the four companies transfer personal data to the United States via Google Analytics, a tool that measures and analyzes traffic on their websites. The companies audited are CDON, Coop, Dagens Industri and Tele2. This audit is for versions of Google Analytics from August 14, 2020 onwards.

The audit is based on a complaint from the organization None of Your Business (NOYB) in light of the Schrems II judgment by the European Court of Justice (CJEU). The complaint alleges that the company violates the law by transferring personal data to the United States.

Personal data is transferred to a third country, i.e. outside the EU/EEA, if the European Commission has determined that that country provides a corresponding adequate level of protection for personal data in accordance with the data protection regulation GDPR. there is. Within the EU/EEA. However, the CJEU, through the Schrems II decision, ruled that the United States could not be expected to have such an adequate level of protection at the time of the decision.

In audits, IMY will consider data transferred to the United States via Google’s statistical tools to be personal data as it may be associated with other unique data transferred. The authorities also conclude that the technical security measures taken by the companies are not sufficient to ensure a level of protection that is basically comparable to that guaranteed within the EU/EEA.

– The fact that the IMY decided on these cases at the same time makes it clear what requirements are imposed on technical safeguards and other measures when transferring personal data to a third country (in this case the United States). Sandra Arvidsson, who led audits of both companies, said legal counsel.

In the absence of a decision by the European Commission on an appropriate level of protection, data may be transferred based on standard contractual clauses decided by the European Commission. However, according to the CJEU, such Standard Contractual Clauses may need to be supplemented with additional safeguards where necessary to actually maintain the protections the clauses are intended to provide. there is.

All four companies make decisions regarding the transfer of personal data via Google Analytics under standard contractual terms. According to the IMY audit, none of the companies’ additional technical security measures appear to be sufficient. IMY imposed an administrative fine of SEK 12 million against Tele2 and an administrative fine of SEK 300,000 against CDON, which did not have the same broad protections as Coop and Dagens Industri. Tele2 recently stopped using statistical tools in its own discretion. IMY ordered the other three companies to stop using the tool.

– These decisions will not only affect these four companies, but can also guide other organizations using Google Analytics, said Sandra Arvidsson.

Contact us for more information

Legal Counsel Sandra Arvidsson, Phone 08-515 154 14 Press Service, Phone 08-515 15 415

