Swedish privacy concerns result in fines over Google Analytics

The Swedish Authority for Privacy Protection (IMY) has issued fines against companies over the use of Google Analytics.

Four companies were handed complaints alleging the transfer of personal data to the United States via Google Analytics, a tool for measuring and analyzing traffic on websites.

The fines issued to the four companies together exceeded $1.1 million after the IMY concluded that their practices violated recent EU privacy rulings.

Three of the four companies were ordered to stop using Google Analytics for web statistics, while one had recently stopped on its own initiative.

Coop, Tele2, Dagens Industrie, and CDON were audited by the authority, and while none had technical security measures deemed sufficient, it was Tele2 to which a 12 million SEK ($1.1 million) fine was issued. A 300,000 SEK ($27,700) fine was issued to CDON.

Coop and Dagens Industrie had taken some protective measures, and Tele2 had already stopped using the tool.

The action was taken following complaints from the organization None of Your Business (NYOB) and come in light of the Schrems II ruling by the Court of Justice of the European Union (CJEU).

In the 2020 Schrems II judgement, the CJEU declared the European Commission’s Privacy Shield decision invalid on account of what it called invasive US surveillance programs. 

The ruling effectively made the transfer of personal data on the basis of the Privacy Shield illegal.

It also stipulated stricter requirements for the transfer of personal data on the basis of standard contract clauses, granting a level of protection essentially equivalent to that guaranteed by the General Data Protection Regulation (GDPR).

In this case, the authority considered that the data transferred to the US via Google Analytics by the audited companies was personal data since it could be linked with other unique data transferred. 

“By the fact that IMY has decided on these cases at the same time, it is made clear what requirements are placed on technical security measures and other measures when transferring personal data to a third country, in this case the United States,” said Sandra Arvidsson, IMY’s legal advisor, who led the audits of the companies.

“These decisions have implications not only for these four companies, but can also provide guidance for other organizations that use Google Analytics.”

The audits themselves concern a version of Google Analytics from 14 August 2020.

A Google spokesperson said to ITPro: “Google Analytics helps publishers understand how well their sites and apps are working for their visitors – but not by identifying individuals or tracking them across the web”. 

“These organizations, not Google, control what data is collected with these tools, and how it is used. Google helps by providing a range of safeguards, controls, and resources for compliance."

Google and Microsoft - as well as other tech giants - have taken steps to reassure European users of data sovereignty and privacy in recent years.

At the beginning of 2023, Microsoft began the phased rollout of the EU Data Boundary for Microsoft Cloud, aimed at permitting customers to store and process data within the EU Data Boundary for Microsoft 365, Azure, Power Platform, and Dynamics 365 services.

In 2022, Google announced Sovereign Controls for Google Workspace to control, limit and monitor transfers of data to and from the EU. 

Google Analytics, however, continues to operate data centers globally - including the United States - but user IP addresses are anonymized depending on customer configuration. Its latest analytics product, Google Analytics 4, does not store IP addresses.