Sweden’s data protection watchdog has issued a couple of fines in relation to exports of European users’ data via Google Analytics which it found breach the bloc’s privacy rulebook owing to risks posed by U.S. government surveillance. It has also warned other companies against use of Google’s tool.
The fines — just over $1.1 million for Swedish telco Tele2 and less than $30,000 for local online retailer CDON — are notable as they are the first such fines following a raft of strategic privacy complaints targeting Google Analytics (and Facebook Connect) back in August 2020.
The regulator found that so-called supplementary measures applied by Google to European users’ data sent to the U.S. for processing were insufficient to raise the level of protection to the required legal standard. Including Google’s use of IP address truncation (an anonymization measure) as, in the Tele2 case, it said the company did not clarify whether the truncation was performed before or after the transfer of the data to the U.S. so had failed to demonstrate there is “no potential access to the entire IP address before the last octet is truncated”.
The watchdog also found breaches of the bloc’s General Data Protection Regulation (GDPR) rules on transfers to third countries in the case of two other companies’ use of Google Analytics, Coop and Dagens Industries, but did not issue fines in those cases.
“In its audits, IMY [the Swedish DPA] considers that the data transferred to the U.S. via Google’s statistics tool is personal data because the data can be linked with other unique data that is transferred. The authority also concludes that the technical security measures that the companies have taken are not sufficient to ensure a level of protection that essentially corresponds to that guaranteed within the EU/EEA,” the regulator wrote in a statement.
“All four companies have based their decisions on the transfer of personal data via Google Analytics on standard contractual clauses. From IMY’s audits, it appears that none of the companies’ additional technical security measures are sufficient. IMY issues an administrative fine of 12 million SEK against Tele2 and 300,000 SEK against CDON, which has not taken the same extensive protective measures as Coop and Dagens Industri. Tele2 has recently stopped using the statistics tool on its own initiative. IMY orders the other three companies to stop using the tool.”
In the blog post — which is entitled “Companies must stop using Google Analytics” — the regulator added that the four decisions should be treated as guidance, emphasizing what it couched as wider implications. (Update: Since this article was published the Swedish watchdog has slightly edited the title of its post, which now refers more specifically to the four instances where it has ordered companies to stop using the tool: “Four companies must stop using Google Analytics”.)
Last year a number of European Union DPAs, including the French and Italian watchdogs, warned against use of Google’s analytics tool after finding a number of users to be non-compliant with the bloc’s rules on international data transfers. However other regulators have not issued financial sanctions, according to NGO noyb, which was behind the original complaints — seemingly favoring a softer approach to enforcing the GDPR on users of such a familiar tool despite the same data transfer issue underlying them all.
noyb’s original 101 strategic complaints targeted a variety of websites around Europe using Google Analytics or similar Facebook services in the wake of a landmark ruling by the Court of Justice of the European Union in July 2020 which invalidated an EU-U.S. data transfer deal called Privacy Shield just a few years after striking down its predecessor, Safe Harbor.
The EU and U.S. are in the process of finalizing a third data transfer arrangement, called the EU-U.S. Data Privacy Framework, which is expected to be completed later this month — and will, in the short term at least, lift the legal uncertainty that’s been clouding EU-U.S. data transfers since the CJEU strike downs.
That said, legal challenges to the incoming framework are expected and various European institutions have raised concerns that aspects of the renegotiated arrangement do not go far enough to address the judges’ concerns. So it remains to be seen whether it’ll be third time lucky for a high level solution to the clash between EU privacy rights and U.S. surveillance practices.
In a statement commenting on the Swedish watchdog’s decision to issue the first penalties for unlawful use of Google Analytics noyb’s Marco Blocher, a data protection lawyer, said: “We are very happy about the further clarification by the Swedish DPA. It is also important to see that there are fines — it is the only way to get other companies to comply.”
Google was contacted for comment on the DPA’s decisions.
Update: Google sent this statement:
People want the websites they visit to be well designed, easy to use, and respectful of their privacy. Google Analytics helps publishers understand how well their sites and apps are working for their visitors — but not by identifying individuals or tracking them across the web. These organizations, not Google, control what data is collected with these tools, and how it is used. Google helps by providing a range of safeguards, controls and resources for compliance.