iubenda logo

Swedish Authority for Privacy Protection (IMY) Cracks Down on Data Transfers to the US



In a recent development, the Swedish Authority for Privacy Protection (IMY) has conducted an audit on the utilization of Google Analytics by four prominent companies. As a result of the investigation, IMY has imposed administrative fines on two of the companies, while ordering the remaining three to discontinue their use of the web statistics tool. The audits were prompted by complaints filed by the organization None of Your Business (NOYB), citing violations of the law concerning the transfer of personal data to the United States.

The Audits and Complaints

The four audited companies, namely CDON, Coop, Dagens Industri, and Tele2, were examined based on their implementation of a specific version of Google Analytics dating back to August 14, 2020. IMY focused on scrutinizing the transfer of personal data to the United States via this popular platform used for measuring and analyzing website traffic.

CJEU’s Schrems II Ruling and Data Protection Regulations

Under the provisions of the General Data Protection Regulation (GDPR), personal data can be transferred to countries outside the EU/EEA (European Union/European Economic Area) if the European Commission has deemed the destination country to possess an adequate level of protection for personal data, comparable to that within the EU/EEA. However, in the landmark ruling of Schrems II, the European Court of Justice (CJEU) concluded that the United States did not provide such a level of protection at the time of the ruling.

IMY’s Determinations

IMY’s audits determined that the data transferred to the United States through Google Analytics constituted personal data, as it could be linked with other identifiable information. Furthermore, the authority determined that the technical security measures employed by the companies were inadequate to ensure a level of protection commensurate with that guaranteed within the EU/EEA.

Penalties and Orders

Sandra Arvidsson, a legal advisor who oversaw the audits, emphasized the significance of IMY’s simultaneous decisions, clarifying the expectations placed on technical security measures and other precautions when transferring personal data to third countries, in this case, the United States.

In the absence of a European Commission decision on an adequate level of protection, data transfers may still occur based on standard contractual clauses approved by the European Commission. However, the CJEU stipulated that such clauses may require supplementary safeguards to effectively maintain the intended level of protection.

All four companies had relied on standard contractual clauses for their transfers of personal data through Google Analytics. IMY’s audits revealed that none of the additional technical security measures implemented by the companies were deemed sufficient. Consequently, Tele2 was fined 12 million SEK, while CDON received a penalty of 300,000 SEK for not adopting the same extensive protective measures as Coop and Dagens Industri. Tele2 has already taken the initiative to cease using the statistics tool, while IMY has ordered the other three companies to follow suit.

Implications for Data Transfers and Privacy

Sandra Arvidsson underscored the far-reaching implications of these decisions, not only for the four companies directly involved, but also for other organizations utilizing Google Analytics. The outcomes of this case are likely to serve as guidance for those navigating the complexities of data transfers and ensuring compliance with privacy regulations.

The IMY’s actions highlight the growing importance of safeguarding personal data and upholding privacy standards in an increasingly interconnected digital landscape. It remains crucial for businesses and organizations to stay vigilant, adapt to evolving regulations, and prioritize the protection of individuals’ privacy rights.


Display Advertising for Google AnalyticsGoogle Analytics Data Processing Agreement for EuropeGoogle Analytics User ID in Your Privacy Policy

About Us

iubenda is the easiest and most professional way to generate a privacy policy for your website, mobile app and facebook app
www.iubenda.com

Generate a privacy policy now

Ready in a few steps and built to meet the needs of both website and mobile app owners

Generate your privacy policy now

Sometimes the best choice is to "just give it a try"

iubenda is the easiest and most professional way to generate a privacy policy for your website, mobile app and facebook app

Generate your privacy policy now