Sweden Has Fined 4 Companies That Use Google Analytics After Finding Privacy Violations
The Swedish Authority for Privacy Protection (IMY) has sanctioned companies CDON, Coop, Dagens Industri and Tele2 due to insufficient safeguarding measures as a result of using Google Analytics. The key reason for this ruling was that there was a risk that US governmental departments could access personal data through Google Analytics.
Background
Personal data can be transferred from the EU to a third country such as the US (or other countries outside of the EU and EEA) based on standard contractual clauses that the European Commission established to ensure EU data is transferred safely. In some cases, standard contractual clauses may need to be supplemented with extra safeguards to further protect personal data.
The Schrems II ruling found that the US did not have an adequate standard of data protection. After this, the European Data Protection Board decided that data protection in the transfer of data between the US and EU should be considered on a case-by-case basis to establish whether the right privacy protections are in place. When an EU user’s data is transferred to the US, it may lose the protections it gets from the GDPR rules.
In this case, data was transferred to the US through Google Analytics, which assesses information about users. The Swedish Authority for Privacy Protection found that the four companies did not have suitable technical security measures to meet the standard of protection that is guaranteed within the EU area.
In the audit carried out by IMY, the data on Google Analytics was considered to be personal data because it could be linked to other unique and personal data. As such, IMY fined the companies. Tele2 was fined 12 million SEK and CDON was fined 300,000 SEK.
Key Takeaways for Businesses
This is not the only instance where using Google Analytics was found to be a risk to users’ data due to the lack of adequate safeguards for data transfers. The Italian watchdog banned the use of Google Analytics in June 2022 in another case.
In that situation, Caffeina Media S.r.l. used Google Analytics to collect data through cookies and other user interactions including user device IP addresses. The Italian Supervisory Authority (SA) said that IP addresses are considered to be personal data. As such, user data transferred to the U.S. was in violation of Chapter V of the GDPR and Caffeina Media S.r.l. had to bring its processing into compliance with an adequate level of protection.
Businesses should carefully consider the standard contractual clauses that are applicable to them and avoid liability by implementing the correct data safeguards, such as those outlined in the GDPR. They should assess the risk of data transfers and conduct Transfer Impact Assessments to make sure they are in line with European Data Protection Board (EDPB) recommendations, and ensure that company policies adhere to them too. If companies are unsure whether they meet the required standards, they should seek legal advice.
How Can Gerrish Legal Help?
Gerrish Legal is a dynamic digital law firm. We pride ourselves on giving high-quality and expert legal advice to our valued clients. We specialise in many aspects of digital law such as GDPR, data privacy, digital and technology law, commercial law, and intellectual property.
We give companies the support they need to successfully and confidently run their businesses whilst complying with legal regulations without the burdens of keeping up with ever-changing digital requirements.
We are here to help you. Get in contact with us today for more information.