Swedish Authority Warns companies against using Google Analytics

Four major companies(CDON, Tele2, Dagens, COOP) have been restricted from accessing Google Analytics and fined for violating the law by transferring personal data to third countries.

Google Analytics is a platform that collects data from your websites and apps to create reports that provide insights into your business.

The Swedish Authority for Privacy Protection (IMY) has audited how four companies use Google Analytics for web statistics and found personal data being transferred.

IMY issued an administrative fine of 12 million SEK against Tele2 and 300,000 SEK against CDON; Tele2 has recently stopped using the statistics tool on its own initiative. 

Based on the allegations raised by the organization, None of your business; these companies were audited by the European Court of Justice (CJEU) for transferring personal data.

According to the data protection regulation GDPR, personal data may be transferred to third countries, i.e. countries outside the EU/EEA, if the European Commission has decided that the country in question has an adequate level of protection for personal data that corresponds to that within the EU/EEA. 

However, the CJEU ruled through the Schrems II ruling that the United States could not be considered to have such an adequate level of protection at the time of the ruling.

In its audits, IMY considers that the data transferred to the US via Google’s statistics tool is personal data because it can be linked with other unique data transferred. 

The companies also have not taken sufficient security measures in handling data to meet the protection that is guaranteed within the EU/EEA.

According to legal advisor Sandra Arvidsson, who led the companies’ audits, it is clear what requirements are placed on technical security measures and other measures when transferring personal data to a third country.

According to the CJEU, If the European Commission doesn’t decide on an acceptable level of protection, which is decided on standard contractual clauses, these normal contractual clauses may need to be supplemented with extra protections if it is important to keep the protections that the clauses are meant to provide.

All four companies have based their decisions on the transfer of personal data via Google Analytics on standard contractual clauses. 

But from IMY’s audits, it appears that none of the companies’ additional technical security measures are sufficient. 

IMY issues an administrative fine of 12 million SEK against Tele2 and 300,000 SEK against CDON, which has not taken the same extensive protective measures as Coop and Dagens Industri. Tele2 has recently stopped using the statistics tool on its own initiative.

IMY orders the other three companies to stop using the tool.

These decisions have implications not only for these four companies but can also provide guidance for other organizations that use Google Analytics, says Sandra Arvidsson

“AI-based email security measures Protect your business From Email Threats!” – .

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.