The companies were ordered to stop using the tool, as the Swedish authority joins counterparts in Italy, France and Austria in claiming the use of Google Analytics breaches GDPR.
A Swedish privacy authority has audited how four companies use Google Analytics, and has issued fines and an order for them to stop using the statistics tool.
The Swedish Authority for Privacy Protection (IMY) investigated complaints from digital rights group NOYB, which alleged that four companies were breaching GDPR law by using Google Analytics. The four companies are CDON, Coop, Dagens Industri and Tele2.
Google Analytics is a tool designed to monitor website traffic. It can be used to generate reports on visitor numbers, browser parameters and which device visitors are using. It does this by placing a cookie – a small piece of code – on the user’s device, which assigns a unique identification number.
In its audits, IMY said that data transferred to the US through Google Analytics is “personal data”, since it can be “linked with other unique data when transferred”.
According to the Schrems II ruling in July 2020, transfers of personal data from the EU to the US can only take place if there is a sufficient level of protection. The watchdog determined that the four companies did not have adequate security to ensure this level of protection.
Two of the companies – Tele2 and CDON – were issued fines that in total amounted to more than €1m. Tele2 recently stopped using Google Analytics “on its own initiative”, while the other three companies were ordered to stop using the tool.
The watchdog’s legal advisor Sandra Arvidsson said the decision can also “provide guidance” for other organisations that use the statistics tool.
NOYB supported the decision and said this was the first financial penalty imposed on a company for using Google Analytics.
“This is a pleasant change compared to other DPAs [data protection authorities] simply holding that there has been a violation but creating no incentive to comply in the future,” said NOYB data protection lawyer Marco Blocher. “We hope that other DPAs follow the Swedish DPAs example and put an end to unlawful data transfers.”
This is the latest in a line of challenges regarding the use of the analytics tool in the EU. In June 2022, the Italian data protection authority issued a warning to websites using Google Analytics.
In February 2022, France’s privacy regulator ordered a French website manager to stop using Google Analytics under certain conditions. A month prior, the Austrian data protection authority found that the use of Google Analytics by an Austrian website did not comply with EU data protection law.
10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.