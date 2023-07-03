



The Swedish data protection watchdog has ruled that the export of European users’ data via Google Analytics violates the EU’s privacy rulebook, citing the risks posed by US government surveillance, and has imposed several fines. imposed. It also warns other companies not to use Google’s tools.

The fine (just over $1.1 million for Swedish telco Tele2 and less than $30,000 for local online retailer CDON) was awarded in August 2020 for a strategic privacy breach targeting Google Analytics (and Facebook Connect). It’s notable because it was only imposed after numerous complaints. .

The regulator has found that the so-called supplementary measures applied by Google to European users’ data sent to the United States for processing are insufficient to raise the level of protection to the required legal standards. Including Google’s use of IP address truncation (a measure of anonymization) as in the case of Tele2, the company has clarified whether the truncation occurred before or after the transfer of data to the United States. He said he couldn’t prove it was possible because he didn’t. There is no possibility of accessing the entire IP address until the last octet is truncated. ”

The watchdog also found violations of the EU General Data Protection Regulation (GDPR) regulation on transfers to third countries in the use of Google Analytics by two other companies, Corp and Dagens Industries, but in these cases did not impose a fine.

“In the audit, IMY [the Swedish DPA] , data transferred to the United States via Google’s statistical tools is considered personal data because it may be linked to other unique data transferred. The authorities also conclude that the technical security measures taken by the companies are not sufficient to ensure a level of protection comparable to that which is basically guaranteed within the EU/EEA,” the regulator said. said in a statement.

“All four companies base their decisions on the transfer of personal data via Google Analytics on standard contractual clauses. IMY’s audit shows that none of the companies’ additional technical security measures appear to be sufficient.” IMY imposed an administrative fine of SEK 12 million against Tele2 and an administrative fine of SEK 300,000 against CDON for not having the same broad protections as Coop and Dagens Industri. We made a decision to stop using statistical tools.The IMY ordered the other three companies to stop using the tools.”

In a blog post titled “Businesses Must Stop Using Google Analytics,” the regulator added that the four decisions should be treated as guidance, highlighting broader implications. .

Last year, many European Union DPAs, including French and Italian watchdogs, issued warnings against using Google’s analytics tools after finding that many users were not complying with European Union rules on international data transfers. bottom. However, no other regulators have imposed financial sanctions, according to the NGO noyb behind the initial complaint. Despite the same underlying data transfer issues, it seems to favor a softer approach to enforcing GDPR for users of such familiar tools.

noyb’s original 101 strategic complaints follow a landmark ruling by the European Court of Justice in July 2020 that invalidated the EU-US data transfer agreement known as the Privacy Shield. It targeted various websites across Europe using Google Analytics and similar Facebook services. Only a few years after overthrowing its predecessor, Safe Harbor.

The EU and US are finalizing a third data transfer agreement, dubbed the EU-US Data Privacy Framework, which is expected to be completed later this month, clearing legal uncertainties, at least in the short term. would Since the CJEU strike, data transfers between the EU and the US have been hampered.

However, legal challenges to the upcoming framework are expected, and various European institutions fear that aspects of the renegotiated deal do not adequately address judges’ concerns. is expressed. So it remains to be seen whether a high-level solution to the conflict between EU privacy rights and US surveillance practices will be a third time lucky.

In a statement commenting on the Swedish watchdog’s decision to impose its first fine for illegal use of Google Analytics, noyb’s data protection lawyer Marco Brotscher said: Making sure there are fines is also important and that’s the only way to encourage other companies to comply. ”

Google was asked to comment on the DPA’s decision.

