Swedish companies are required to stop using Google Analytics: what happened?

On Monday, the Swedish Agency for Personal Data Protection (IMY) ordered four large companies to stop using the service Google Analytics, as its use entails the transfer of user data to the United States. The telecommunications company Tele2 was fined more than $1.1 million.

IMY’s decision was made after considering a complaint filed by the Austrian data protection organization NOYB (None Of Your Business). NOYB argued that the use of Google Analytics by the four companies resulted in the illegal transfer of European data to the US, thereby violating the EU General Data Protection Regulation (GDPR).

Under the GDPR, data transfers to other countries are only permitted if they provide a level of privacy protection equal to that of the EU. A 2020 EU Court of Justice decision stopped the EU-US data transfer agreement, deeming it insufficient.

IMY said in a statement that it considers data transmitted to Google Analytics in the United States to be personal data. The agency also stressed that the technical security measures taken by the companies do not provide a sufficient level of protection, similar to that guaranteed within the EU.

In addition to Tele2, Internet site CDON was fined $27,700, while grocery store chain Coop and newspaper Dagens Industri avoided fines by taking additional measures to protect transmitted data.

Telecommunications giant Tele2 has already stopped using Google Analytics. IMY requires other companies to stop using this tool as well.

The Austrian organization NOYB welcomed IMY’s decision, noting that while many European authorities (such as Austria, France and Italy) have already recognized the use of Google Analytics as a violation of the GDPR, this is the first time that companies have been fined for using the service.

At the end of May, the European Commission expressed its hope to develop a new legal framework for data transfer between the EU and the US by the end of the summer. Under the GDPR in force since 2018, fines for violations can reach €20 million, or 4% of a company’s global revenue.

Note that in MayEuropean regulators in the field of personal data protection fined Meta* for a record amount €1.2 billion for the transfer of user data from the EU to the US . The decision is related to the case of Austrian activist Max Schrems to protect data privacy rights. Schrems argued that the existing mechanism for transferring data from EU citizens to America does not protect Europeans from American surveillance.

* The Meta company and its products (Instagram and Facebook) are recognized as extremist, their activities are prohibited on the territory of the Russian Federation.