Sweden’s data protection authority (DPA), IMY, issued the first major fines for companies that sent personal data to the US via Google Analytics. It also ordered Swedish businesses to refrain from using Google’s analytics tool.
IMY’s decision aligns with previous opinions by the Austrian, French, Danish, Norwegian, and Italian DPAs. It also indicates that in the absence of an adequate EU-US data deal, using tools such as Google Analytics might have severe consequences for businesses.
The investigations are a direct response to 101 complaints that the non-profit organization NOYB filed against websites using Google Analytics after the invalidation of Privacy Shield (see: Schrems II).
NOYB argued that without a proper legal framework, transfers of personal data from the European Economic Area (EEA) to the US violate the privacy rights of EU residents. The list of sued businesses included Swedish Coop, CDON, Dagens Industri, and Tele2.
IMY investigated the complaints against the four companies. On July 3, 2023, the DPA released a statement ordering them to stop using Google Analytics. The authority also fined two of them the equivalent of €25 thousand (CDON) and €1 million (Tele2).
The decision by IMY made it the first data protection authority to hand out fines for using Google’s product.
In its official press release titled “Four companies must stop using Google Analytics”, the DPA explains that:
In its reviews, IMY considers that the data transmitted to the United States via Google’s statistical tool is personal data because the data can be linked to other unique data transmitted. The authority also considers that the technical safeguards taken by the companies are not sufficient to ensure a level of protection that is essentially equivalent to that guaranteed within the European Union and European Economic Area.
In the case of Tele2, the regulator has also found other types of violations, including insufficient IP anonymization methods.
A new data agreement between the EU and the US legitimizing the use of tools like Google Analytics is underway. The final version is expected to be signed in July. But this might not necessarily mean the end of the controversy surrounding data transfers.
The current shape of the framework dissatisfies EU bodies and privacy watchdogs such as NOYB. Both the European Data Protection Board and the European Parliament raised concerns about the privacy safeguards afforded by the deal, calling on the European Commission to renegotiate the agreement or challenge it before the Court of Justice of the European Union (CJEU).
And until all parties work out a solution that meets the privacy standards set out in GDPR, Google Analytics might not be the safest choice for EU businesses.
To explore more privacy-friendly alternatives, read our product comparisons.
- What is privacy-friendly analytics? Including the comparison of 9 platforms
- Google Analytics alternatives – free and paid
- Piwik PRO vs. Google Universal Analytics & Google Analytics 360 & Google Analytics 4 & Google Analytics 4 360
And if you’d like to learn how Piwik PRO Analytics Suite combines privacy compliance and effective data collection, be sure to contact us. We’re happy to answer your questions.