Google Analytics in the storm: Swedish privacy regulator fines two companies

The Swedish Privacy Protection Authority (IMY), the equivalent of the European Guarantor for the protection of personal data, has decided to impose a fine of around 1 million euros on two companies with registered offices in the Scandinavian country. The reason for the measure is improper use of the Google Analytics service within their respective websites. According to the General Data Protection Regulation (GDPR) in force in Europe, personal data can be transferred to third countries, i.e. countries outside the borders of the EU/EEA (European Economic Area), if and only if the European Commission has decided that the country in question has an adequate level of protection of personal data, corresponding to that established at European level.

The transfer of personal data to the USA is currently not permitted due to the Schrems II judgment

The Court of Justice of the European Union, with the now famous Schrems II judgment of 16 July 2020, ruled out that the USA can guarantee, compared to subjects based in Europe, an adequate level of protection. The so-called Privacy Shield, the EU-US agreement that allowed the transfer of data overseas against specific guarantees, has been declared no longer valid.

Since then, many associations that defend citizens' rights and, in particular, call for more responsible and transparent data management have "ridden" the historic decision by bringing a long series of disputes before the Guarantor Authorities of the various Member States.

NOYB (None of Your Business), for example, is a non-governmental organization for the defense of digital rights and privacy. It was founded in 2017 by Max Schrems, an Austrian lawyer and activist known for his privacy lawsuits against big tech companies. Not surprisingly, the decision of the Court of Justice bears his name.

NOYB presented 101 “pilot complaints” against as many companies operating in various European countries, including Europe. And today the organization celebrates the decision of the Swedish Privacy Guarantor.

Google Analytics always in the eye of the storm regarding the transfer of data to the United States

Almost certainly due to its vast diffusion among websites all over the world, Google Analytics immediately became one of the services most heavily targeted by activists. As we highlighted in another article from a year ago, Google Analytics is only the tip of the iceberg when it comes to data transfers to the USA. In fact, there are dozens, if not hundreds, of services used at various levels that somehow exchange data with servers located on the other side of the Atlantic Ocean.

The fact is that responsibility remains with the data controller, that is, the subject based within European borders, who must ensure that it manages the personal data of its users in compliance with the provisions of the GDPR. In the case of Analytics, in short, Google is never called to answer for any offences: instead, it is the managers of the websites who have to personally deal with any investigations and bear the sanctions applied in case of irregularities.

And in this sense, as the experts observe, the active involvement of the companies that provide services to end users is being called for from many quarters.

The Swedish Ombudsman imposes administrative sanctions for the first time

It is the first time that a Guarantor Authority has chosen to impose financial penalties on companies subject to a verification measure for the incorrect use of Google Analytics.

The measures published by IMY focus on the implementations of Google Analytics by four Swedish companies: Tele2 SA, CDON AB, Coop SA and Dagens Industri. While the last two are obliged to comply with the provisions of the GDPR, Tele2 and CDON are subject to a sanction of around 1 million and around 25,000 euros respectively.

IMY believes that the data transferred to the USA through Google Analytics is personal data because it can be linked to other unique data equally transferred overseas. The Swedish Authority has also established that the technical security measures adopted by the companies are not sufficient to guarantee a level of protection substantially corresponding to that guaranteed within the EU and the EEA.

A new EU-US Privacy Shield is coming

The decision of the Swedish Guarantor is a consequence of the checks carried out after the complaints presented at the time by NOYB and comes when there is a new EU-US agreement in sight: it should restore the possibility of legally transferring data. Activists argue that it will in any case soon be invalidated by the Court of Justice due to its very similar structure to the previous one.

“Several other supervisory authorities within the EU/EEA have established that the transfer of personal data to third countries (USA, ed.) took place while using the tool (Google Analytics, ed.) because it is possible to combine IP addresses with other data (…), thus allowing data differentiation and identification of the IP address”, reads one of the measures. “This in itself is sufficient to establish that it is a processing of personal data”.

IMY reiterates the thesis according to which Google is able to connect the public IP addresses of users with other information in its possession relating to web browsing activities. This information, taken as a whole, can make it possible to draw up an “identikit” of the user and possibly trace back to their precise identity.
