Swedish Authority for Privacy Protection (IMY) Cracks Down on Data Transfers to the US
In a recent development, the Swedish Authority for Privacy Protection (IMY) has audited the use of Google Analytics by four prominent companies. As a result of the investigation, IMY has imposed administrative fines on two of the companies and ordered three of them to discontinue their use of the web statistics tool. The audits were prompted by complaints filed by the organization None of Your Business (NOYB), citing violations of the law concerning the transfer of personal data to the United States.
The Audits and Complaints
The four audited companies, namely CDON, Coop, Dagens Industri, and Tele2, were examined based on their implementation of a specific version of Google Analytics dating back to August 14, 2020. IMY focused on scrutinizing the transfer of personal data to the United States via this popular platform used for measuring and analyzing website traffic.
CJEU’s Schrems II Ruling and Data Protection Regulations
Under the provisions of the General Data Protection Regulation (GDPR), personal data can be transferred to countries outside the EU/EEA (European Union/European Economic Area) if the European Commission has deemed the destination country to possess an adequate level of protection for personal data, comparable to that within the EU/EEA. However, in the landmark ruling of Schrems II, the European Court of Justice (CJEU) concluded that the United States did not provide such a level of protection at the time of the ruling.
IMY’s Determinations
IMY’s audits determined that the data transferred to the United States through Google Analytics constituted personal data, as it could be linked with other identifiable information. Furthermore, the authority determined that the technical security measures employed by the companies were inadequate to ensure a level of protection commensurate with that guaranteed within the EU/EEA.
Penalties and Orders
Sandra Arvidsson, a legal advisor who oversaw the audits, emphasized the significance of IMY’s simultaneous decisions, which clarify the expectations placed on technical security measures and other precautions when transferring personal data to third countries, in this case the United States.
In the absence of a European Commission decision on an adequate level of protection, data transfers may still occur based on standard contractual clauses approved by the European Commission. However, the CJEU stipulated that such clauses may require supplementary safeguards to effectively maintain the intended level of protection.
All four companies had relied on standard contractual clauses for their transfers of personal data through Google Analytics. IMY’s audits found that none of the additional technical security measures implemented by the companies were sufficient. Consequently, Tele2 was fined 12 million SEK, while CDON received a penalty of 300,000 SEK for not adopting the same extensive protective measures as Coop and Dagens Industri. Tele2 has already taken the initiative to cease using the statistics tool, while IMY has ordered the other three companies to follow suit.
Implications for Data Transfers and Privacy
Sandra Arvidsson underscored the far-reaching implications of these decisions, not only for the four companies directly involved, but also for other organizations utilizing Google Analytics. The outcomes of this case are likely to serve as guidance for those navigating the complexities of data transfers and ensuring compliance with privacy regulations.
IMY’s actions highlight the growing importance of safeguarding personal data and upholding privacy standards in an increasingly interconnected digital landscape. It remains crucial for businesses and organizations to stay vigilant, adapt to evolving regulations, and prioritize the protection of individuals’ privacy rights.