Google Analytics declared non-trustworthy by Swedish Data Protection Authority

The Swedish data protection watchdog has cautioned companies about using Google Analytics due to concerns over U.S. government surveillance. This follows similar actions taken by Austria, France, and Italy last year.

This development followed an audit by the Swedish Authority for Privacy Protection (IMY) of four companies: CDON, Coop, Dagens Industri, and Tele2. “IMY stated that the data transferred to the U.S. through Google’s statistics tool qualifies as personal data because it can be linked to other unique data transferred. The authority also determined that the companies’ implemented technical security measures were inadequate to provide a level of protection equivalent to that guaranteed within the EU/EEA.”

Additionally, the data protection authority imposed a fine of $1.1 million on the Swedish telecom service provider Tele2 and a fine of less than $30,000 on the local online marketplace CDON for failing to implement sufficient security measures to anonymize data before the transfer.

Moreover, CDON, Coop, and Dagens Industri have been instructed to discontinue using Google Analytics. Tele2 reportedly chose to cease using the service voluntarily.

What prompted the investigation?

The investigation conducted by IMY was prompted by a complaint lodged by the privacy non-profit organization None of Your Business (noyb), which alleged violations of the General Data Protection Regulation (GDPR).

“In a groundbreaking decision, the Austrian Data Protection Authority (“Datenschutzbehörde” or “DSB”) has decided on a model case by noyb that the continuous use of Google Analytics violates the GDPR.”

What are the principles of GDPR?

Personal data can only be processed if there is a valid reason. Here’s what the law says:

(a) If the individual has given their consent to the processing of their data;

(b) To fulfill contractual obligations with an individual or for tasks requested by an individual who is in the process of entering into a contract;

(c) To comply with the legal obligations of the data controller;

(d) To protect the essential interests of an individual or another person;

(e) To carry out a task in the public interest or the exercise of official authority;

(f) For the legitimate interests of the data controller or a third party, unless these interests are outweighed by the interests or rights of the individual, particularly in the case of children.

This decision is based on the fact that EU-U.S. data transfers have been deemed illegal due to concerns about potential surveillance, as data stored on U.S. servers could be accessible to intelligence agencies in the country.

The 2020 Privacy Shield invalidation ruling

As part of its preparations for the 2018 General Data Protection Regulation (GDPR), Google designated its Irish entity, Google Ireland Limited, as the “data controller” responsible for handling the information of users from the European Economic Area (EEA) and Switzerland. This move aimed to ensure GDPR compliance by placing a European entity in charge of European data.

However, in practice, the data of EEA consumers was still primarily transferred and processed in the United States, where most of Google’s data centers are located. Initially, such cross-border data transfers were considered lawful under the Privacy Shield framework.

In July 2020, the Court of Justice of the European Union ruled that the Privacy Shield framework did not provide sufficient data protection against US surveillance laws for digitally transmitted data. As a result, companies like Google could no longer rely on it.

The Swiss Federal Data Protection and Information Commissioner (FDPIC) reached the same conclusion in September 2020.

Source: Matomo

The invalidation of the Privacy Shield framework created a challenging situation for Google.

According to Article 14(f) of the GDPR, companies intending to transfer personal data to a recipient in a third country or an international organization must inform their users about the location of data processing and storage.

With the Privacy Shield framework no longer viable, Google was prohibited from transferring data to the US, yet GDPR still required it to disclose where the data was actually processed and stored.

Unfortunately, Google Analytics and many other products lacked mechanisms to guarantee intra-EU data storage, select a designated regional storage location, or inform users about data storage locations or transfers outside the EU. As a result, Google Analytics was in direct violation of GDPR.

GDPR and Google

Since the 2020 ruling, Google has faced GDPR lawsuits and fines from country-specific data regulators. Google Analytics, in particular, has been heavily scrutinized.

  • Sweden fined Google for not complying with GDPR obligations regarding data delisting in 2020.
  • France deemed the IP address anonymization function of Google Analytics 4 inadequate for protecting cross-border data transfers, as US intelligence services could still access IPs and other personally identifiable information.
  • France declared Google Analytics illegal and imposed a €150 million fine. Austria also found Google Analytics to be non-compliant with GDPR and labeled the service as “illegal,” seeking a fine as well.
  • The Dutch Data Protection Authority and the Norwegian Data Protection Authority have also determined that Google Analytics breached GDPR and are seeking to restrict its usage.

Source: Google

While Google has introduced new privacy controls in Google Analytics 4, these measures do not address unregulated and non-consensual data transfer between the EU and the US.

Has this been done before?

Meta received an unprecedented fine of 1.2 billion euros ($1.3 billion) and was ordered to stop transferring data collected from Facebook in Europe to the United States.

This ruling deals a significant blow to the social media giant, which has been found to violate data protection regulations established by the European Union.

The penalty, announced by Ireland’s Data Protection Commission, is one of the most substantial consequences a company has faced since the General Data Protection Regulation (GDPR) came into force five years ago.

Regulators allege that Meta failed to comply with a 2020 decision made by the highest court of the European Union, which declared that data transferred across the Atlantic lacked adequate safeguards against surveillance by American intelligence agencies.

What should we expect?

Most people regard Google as one of the most reliable digital platforms and expect it to comply with all regulations on the privacy and security of personal data.

Here, we understand that relying on anyone regarding data protection is not safe. Precaution must be exercised at every level. Your data is your asset, and it’s your right to protect it!

Author: PureVPN

Date: July 11, 2023
