Swedish data protection authority rules against the use of Google Analytics

Swedish data protection watchdog warns companies against using Google Analytics due to the risk of surveillance operated by the US government.

The Swedish data protection watchdog warned businesses against using Google Analytics due to the risk of surveillance carried out by the US government.

The Swedish Authority for Privacy Protection (IMY) conducted audits against CDON, Coop, Dagens Industri, and Tele2 and determined how they use Google Analytics for web statistics.

The audits are based on complaints from the organization None of Your Business (NOYB) in light of the Schrems II ruling by the European Court of Justice (CJEU). 

The audits relate to a version of the Google tool from August 14, 2020.

The authority determined that Google’s statistics tool was transferring personal data to the US. IMY states that the data transferred to the US is personal data because the data can be linked with other unique data that is transferred.

GDPR rules that personal data may be transferred to a country outside the EU/EEA, if the European Commission has decided that the country adopted an adequate level of protection for personal data that corresponds to that within the EU/EEA.

“In its audits, IMY considers that the data transferred to the US via Google’s statistics tool is personal data because the data can be linked with other unique data that is transferred.” reads the announcement published by the Swedish data protection watchdog. “The authority also concludes that the technical security measures that the companies have taken are not sufficient to ensure a level of protection that essentially corresponds to that guaranteed within the EU/EEA.”

The results of the audits revealed that the four companies failed to implement sufficient additional technical security measures. IMY issues an administrative fine of 12 million SEK ($1.1 million) against Tele2 and 300,000 SEK ($27K) against CDON. Tele2 has voluntarily stopped using the Google statistics tool, the IMY ordered the other three companies to stop using the tool too.

“These decisions have implications not only for these four companies, but can also provide guidance for other organisations that use Google Analytics” says legal advisor Sandra Arvidsson, who led the audits of the companies.

On June 23, 2022, Italy’s data protection authority determined that the websites using Google Analytics are not compliant with the EU General Data Protection Regulation (“GDPR”), as the tool transfers personal data to the United States.

The Austrian Data Protection Authority (DPA) decided on April 22, 2022, that the use of Google Analytics (GA) violates the GDPR.

In February 2022, the French privacy regulator ruled against the use of Google Analytics.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, surveillance)