Sweden’s data protection watchdog recently issued fines to two companies for violating the bloc’s privacy rules.
The body claims they exported European users’ data through Google Analytics, citing concerns about US government surveillance.
YOU MAY ALSO LIKE: Reliance Jio Announces Release Of $12 Internet-Enabled Phones
Tele2, a Swedish telecom company, faced fines exceeding $1.1 million, while local online retailer CDON received fines below $30,000.
These fines mark the first penalties in response to a series of privacy complaints lodged against Google Analytics and Facebook Connect in August 2020.
The regulator’s investigation revealed that the additional measures implemented by Google to protect European users’ data during its transfer to the US were inadequate.
Specifically, the use of IP address truncation, a method for anonymization, lacked clarity in the Tele2 case, as the company failed to specify whether truncation occurred before or after the data was transferred.
Consequently, the regulator found no guarantee that the entire IP address was inaccessible before the last octet was truncated.
Additionally, the watchdog identified GDPR violations related to data transfers to third countries in the cases of Coop and Dagens Industries, two other companies using Google Analytics.
However, no fines were imposed on these companies.
In a statement, the Swedish Data Protection Authority (commonly referred to as IMY) stated that data transferred to the US via Google’s statistics tool qualified as personal data since it could be linked to other unique data transferred.
Furthermore, the technical security measures implemented by the companies did not ensure a level of protection equivalent to that guaranteed within the EU/EEA.
All four companies involved in the case based their data transfer decisions on standard contractual clauses.
Despite this, IMY’s audits indicated that none of the companies’ additional technical security measures were adequate.
As a result, the regulator issued administrative fines of 12 million SEK against Tele2 and 300,000 SEK against CDON. Tele2 has since proactively stopped using the statistics tool.
IMY’s blog post, titled “Companies must stop using Google Analytics,” emphasized that the decisions should serve as guidance, underlining the wider implications of data transfer practices.
In the previous year, various European Union DPAs, including those in France and Italy, warned against using Google Analytics due to non-compliance with the bloc’s international data transfer rules.
However, financial sanctions were not universally imposed, with some regulators favoring a softer approach to enforcing GDPR compliance concerning such widely used tools.
One of the key actors behind the original complaints, noyb, filed 101 strategic complaints targeting multiple websites across Europe utilizing Google Analytics or similar Facebook services.
This action followed a significant ruling by the Court of Justice of the European Union in July 2020.
The ruling invalidated the EU-US data transfer deal Privacy Shield, which came after the annulment of its predecessor, Safe Harbor.
The EU and US are currently finalizing the EU-US Data Privacy Framework, a third data transfer arrangement expected to curb the legal uncertainties that arose after the CJEU’s rulings.
However, concerns have been raised about the framework’s efficacy in addressing the judges’ apprehensions, leading to the anticipation of legal challenges.
YOU MAY ALSO LIKE: Tiny Acquires HappyFunCorp For $30 Million
Commenting on the Swedish DPA’s penalties, Marco Blocher from noyb expressed satisfaction with the clarification provided by IMY.
He further emphasized the importance of fines as a means to compel companies to comply with privacy regulations. Google has yet to issue a public response regarding the DPA’s actions.
