The Swedish data protection supervisory authority, Integritetsskyddsmyndigheten (IMY), has investigated a total of four businesses in connection with their use of the web analytics tool Google Analytics. The investigations were prompted by complaints from the privacy organisation None of Your Business (NOYB). The businesses audited by IMY were CDON, Coop, Dagens Industri and Tele2. In each case, personal data was transferred to the United States in connection with the use of Google Analytics. Fines were subsequently imposed on two of the businesses. The administrative fines amounted to 12 million Swedish kronor (SEK) for Tele2 and SEK 300,000 for CDON. Tele2 had stopped using the service in the meantime. The three other businesses were instructed by IMY to also refrain from using it.
When using Google Analytics, personal data is transferred to the United States, which at the time of the decision was not considered a secure third country within the meaning of the GDPR. In IMY's view, the technical security measures taken by the businesses were not sufficient to ensure the level of protection required under EU law. All businesses based the data transfer on the GDPR Standard Contractual Clauses for international data transfers. Additional technical security measures implemented by Google and the businesses themselves, which were meant to prevent access to the personal data by U.S. intelligence agencies, were deemed insufficient.
Potential impact of the TADPF on this decision
Now, one might assume that the decision can no longer be upheld once the new EU-US Data Privacy Framework (TADPF) comes into force. Is the decision thereby deprived of its basis, so that Google Analytics can continue to be used without any problems?
At least temporarily, that is the case, but there is no certainty in the long term. In the meantime, we have already learned that the dispute over data transfer to the U.S. continues despite the new agreement. A “Schrems III” case is in the making. In addition, it remains questionable that Google further processes the analytics data for its own purposes, for which the consent of the affected users must probably be obtained. In light of these circumstances, our experts continue to recommend exercising caution and, if possible, replacing Google Analytics with an EU provider with EU hosting and a stronger commitment to data minimisation. Our data protection experts will be happy to explain the necessary steps.