Sweden Fines Firms for Google Analytics Use, Privacy Issues
Swedish Authority for Privacy Protection: Companies Must Not Use Google Analytics

The Swedish Authority for Privacy Protection issued fines against two of four companies found to have violated rules against the export of European users' data due to their use of Google Analytics, which was found to contravene the European Union's privacy regulations due to the potential risks of U.S. government surveillance.
Regulators at the agency, which is known as IMY, found that Google's protection of European users' data during transfer to the United States for processing did not meet legal requirements. In the case of Swedish telecommunications company Tele2, the agency said that in Google's use of IP address truncation as an anonymization measure, the company failed to clarify whether the truncation occurred before or after data transfer to the United States - failing to demonstrate the absence of "potential access to the entire IP address before the last octet is truncated."
The fines, totaling just over $1.1 million for Tele2 and less than $30,000 for local online retailer CDON, mark the first penalties following a series of privacy complaints filed against Google Analytics and Facebook Connect in August 2020. The authority also issued a warning to two other companies, Coop and Dagens Industri, saying regulators had found GDPR-related breaches in their use of Google Analytics. The authority did not issue fines against the two companies because they implemented extensive protective measures, officials said.
"IMY considers that the data transferred to the U.S. via Google's statistics tool is personal data because the data can be linked with other unique data that is transferred. The authority also concludes that the technical security measures that the companies have taken are not sufficient to ensure a level of protection that essentially corresponds to that guaranteed within the EU/EEA," the notice read.
The regulator's blog post, titled "Companies must stop using Google Analytics," outlined the decisions as guidance, but it ordered the companies to cease using the Google Analytics tool.
The agency said its decision would "have implications not only for these four companies but for other organizations that use Google Analytics."