In a significant first for Europe, Sweden’s privacy watchdog has fined two companies for transferring personal data to the US via Google Analytics. In addition, it is urging other firms to stop using Google’s web statistics tool.
In response to allegations issued by digital rights organisation None of Your Business (NYOB), the Swedish Authority for Privacy Protection (IMY) audited four companies in total: CDON, Coop, Dagens Indusri, and Tele2.
IMY found that personal data had indeed been transferred across the Atlantic and, alarmingly, without sufficient safeguards in place.
According to the GDPR, personal data may be transferred to third countries outside the EU/EAA area as long as they provide an equivalent level of protection. However, a ruling by the European Court of Justice has determined that the US doesn’t meet the legally required standards.
The Swedish authority concluded that the four companies have taken insufficient technical security measures to ensure the level of protection required by the EU. As a result, it has issued a fine of €1mn against Tele2 and €25,405 against CDON, as the two firms were found to have the least extensive set of measures.
Furthermore, IMY ordered CDON, Coop, and Dagens Industri to stop using Google Analytics, while Tele2 has already done so voluntarily.
Apart from Sweden, multiple data protection agencies in the EU, including Italy, France, and Austria have found company uses of Google’s tool to be in breach of the GDPR. But Sweden is the first country in the bloc to proceed towards a fine — which could have a ripple effect across the union.
“These decisions have implications not only for these four companies, but can also provide guidance for other organisations that use Google Analytics,” said Sandra Arvidsson, legal advisor at IMY. She also noted that now there’s clarity on the required measures when it comes to transferring personal data to third countries.