Sweden’s data protection authority has fined Swedish telco Tele2 and local online retailer CDON for violating the EU’s privacy regulations by exporting European users’ data through Google Analytics, citing concerns about U.S. government surveillance. The fines, totaling over $1.1 million for Tele2 and less than $30,000 for CDON, mark the first penalties imposed following numerous privacy complaints lodged against Google Analytics and Facebook Connect in August 2020.
The regulatory authority determined that the additional measures implemented by Google to protect European users’ data during processing in the U.S. were inadequate to meet the required legal standards. It specifically highlighted Google’s use of IP address truncation as insufficient in ensuring the anonymization of data. Furthermore, the authority found violations of the General Data Protection Regulation (GDPR) relating to data transfers to third countries by two other companies, Coop and Dagens Industries, but did not impose fines in those cases.
The data protection authority stated that the transferred data via Google Analytics constitutes personal data since it can be linked with other unique information. It concluded that the technical security measures adopted by the companies were inadequate to ensure a level of protection equivalent to that within the EU/EEA. As a result, the authority issued fines against Tele2 and CDON, while ordering all four companies to cease using Google Analytics.
The regulator emphasized that its decisions should serve as guidance, underscoring the broader implications for companies. While several European Union data protection authorities previously warned against the use of Google Analytics due to non-compliance with international data transfer rules, financial penalties were not imposed by other regulators, according to the NGO noyb (None of Your Business), which filed the original complaints. This suggests a lenient enforcement approach towards users of widely used tools like Google Analytics, despite the shared underlying data transfer issue.
The original complaints filed by noyb targeted various websites across Europe that employed Google Analytics or similar Facebook services following a significant ruling by the Court of Justice of the European Union in July 2020, which invalidated the EU-U.S. data transfer agreement known as Privacy Shield. The EU and U.S. are currently finalizing a new data transfer arrangement called the EU-U.S. Data Privacy Framework, expected to be completed soon. However, concerns have been raised by European institutions regarding potential inadequacies in addressing privacy rights and U.S. surveillance practices, potentially leading to legal challenges.
noyb’s Marco Blocher, a data protection lawyer, expressed satisfaction with the Swedish DPA’s clarification and the imposition of fines, emphasizing their role in promoting compliance among other companies. Google was contacted for comment on the DPA’s decisions.
Google provided the following statement in response:
People want the websites they visit to be well designed, easy to use, and respectful of their privacy. Google Analytics helps publishers understand how well their sites and apps are working for their visitors — but not by identifying individuals or tracking them across the web. These organizations, not Google, control what data is collected with these tools, and how it is used. Google helps by providing a range of safeguards, controls and resources for compliance.