Sweden: IMY takes action against four companies over use of Google Analytics
The Swedish Authority for Privacy Protection (IMY) announced, on July 3, 2023, that it had taken action against four companies, for violation of the General Data Protection Regulation (GDPR), following the receipt of complaints from None of Your Business (NOYB).
In particular, the IMY:
- fined Tele2 Sverige AB SEK 12 million (approx. $1.105 million);
- fined CDON AB SEK 300,000 (approx. $27,644); and
- issued injunctions to Coop Sverige AB and Dagens Industri Aktiebolags to remedy their deficiencies.
Background to the decisions
In particular, the IMY detailed that NOYB's complaints alleged that Tele2, CDON, Coop Sverige, and Dagens transferred personal data to the US unlawfully using Google Analytics, further to which the IMY had initiated audits on such practices. The audits concerned a version of Google Analytics from August 14, 2020.
Findings of IMY
The IMY found that the four companies had based their transfers of personal data to the US using Google Analytics on Standard Contractual Clauses (SCCs). However, the IMY took the view that neither the additional measures taken by each company, nor the measures taken by Google LLC, were effective enough to prevent US intelligence services from gaining access to the personal data transferred using Google Analytics, or to render such access ineffective. As such, the IMY found Tele2, CDON, Coop Sverige, and Dagens in breach of Article 44 of the GDPR.
In light of the nature of the violations, the IMY imposed fines on Tele2 and CDON; however, it considered the more extensive protective measures taken by Coop Sverige and Dagens as mitigating factors, and therefore deemed it sufficient to issue injunction orders against the same.
In conclusion, in addition to imposing the aforementioned sanctions, on the one hand, the IMY ordered CDON, Coop Sverige, and Dagens to cease the use of the version of the Google Analytics tool that was in use on August 14, 2020, unless adequate safeguards are in place. On the other hand, the IMY noted that Tele2 had already stopped using Google Analystics, and therefore no further orders were needed.
Notably, Sandra Arvidsson, the IMY Legal Advisor who led the audits, commented that the four decisions have implications not only for the companies involved, but can also provide guidance for other organizations that use Google Analytics.