The Swedish Authority for Privacy Protection (IMY) has audited how four companies use Google Analytics for web statistics. IMY issues administrative fines against two of the companies. One of the companies has recently stopped using the statistics tool on its own initiative, while IMY orders the other three to also stop using it.

IMY has audited how four companies transfer personal data to the US via Google Analytics, which is a tool for measuring and analysing traffic on websites. The companies audited are CDON, Coop, Dagens Industri and Tele2. The audits concern a version of Google Analytics from 14 August 2020.

The audits are based on complaints from the organisation None of Your Business (NOYB) in the light of the Schrems II ruling by the European Court of Justice (CJEU). The complaints allege that the companies, in violation of the law, transfer personal data to the United States.

According to the data protection regulation, GDPR, personal data may be transferred to third countries, i.e. countries outside the EU/EEA, if the European Commission has decided that the country in question has an adequate level of protection for personal data that corresponds to that within the EU/EEA. However, the CJEU ruled through the Schrems II ruling that the United States could not be considered to have such an adequate level of protection at the time of the ruling.

In its audits, IMY considers that the data transferred to the US via Google’s statistics tool is personal data because the data can be linked with other unique data that is transferred. The authority also concludes that the technical security measures that the companies have taken are not sufficient to ensure a level of protection that essentially corresponds to that guaranteed within the EU/EEA.

– By the fact that IMY has decided on these cases at the same time, it is made clear what requirements are placed on technical security measures and other measures when transferring personal data to a third country, in this case the United States, says legal advisor Sandra Arvidsson, who led the audits of the companies.

If there is no decision on an adequate level of protection by the European Commission, data may be transferred based on standard contractual clauses that the European Commission has decided on. However, according to the CJEU, such standard contractual clauses may need to be supplemented with additional safeguards if it is necessary for the protection that the clauses are intended to provide to be maintained in practice.

All four companies have based their decisions on the transfer of personal data via Google Analytics on standard contractual clauses. From IMY’s audits, it appears that none of the companies’ additional technical security measures are sufficient. IMY issues an administrative fine of 12 million SEK against Tele2 and 300,000 SEK against CDON, which has not taken the same extensive protective measures as Coop and Dagens Industri. Tele2 has recently stopped using the statistics tool on its own initiative. IMY orders the other three companies to stop using the tool.

– These decisions have implications not only for these four companies, but can also provide guidance for other organisations that use Google Analytics, says Sandra Arvidsson.