Hot on the heels of the eagerly awaited Meta decision (and just 10 days before the European Commission (EC) adopted its highly anticipated adequacy decision on the EU-US Data Privacy Framework (DPF)), the Swedish Data Protection Authority (DPA), IMY, issued decisions against four companies and imposed two fines in relation to the unlawful export of European users’ data to the US, via “Google Analytics” (GA) in breach of the GDPR’s restricted transfer requirements.
In the absence of an adequacy decision, these requirements permit such transfers only if the controller/processor has provided adequate safeguards and on condition that enforceable data subject rights and effective legal remedies are available.
All four companies based their decisions on the transfer of personal data via GA (which measures and analyses traffic on websites) on standard contractual clauses.
IMY held that the transfers to the US were unlawful, largely due to ongoing risks posed by US government surveillance and the lack of redress for EU citizens in the event of governmental access (as highlighted in the CJEU’s “Schrems II” decision in July 2020). In Schrems II, the CJEU invalidated the EU-US data transfer arrangement called “Privacy Shield” (just a few years after striking down its predecessor, “Safe Harbor”). Whilst the CJEU upheld EU standard contractual clauses (SCCs) as a valid transfer mechanism, it held that the SCCs may need to be supplemented with “additional safeguards” (so called “supplementary measures”) to ensure that the protection that the SCCs are intended to provide are maintained in practice.
The fines (€1 million for Swedish telco, Tele2, and just over €25,000 for online retailer, CDON) are the first fines relating to the use of GA issued by an EU regulator, following a raft of strategic privacy complaints issued by the NGO noyb, targeting GA (and similar Facebook services) in August 2020, post Schrems II. (For more information see our article here.)
IMY held that the data transferred to the US via GA is personal data because it can be linked with other unique data that is transferred. As in the Meta decision, IMY also found that the “supplementary measures” applied by Google and Tele2 to EU users’ data sent to the US for processing were neither individually nor collectively “sufficiently effective to prevent the possibility for US intelligence agencies to access the personal data or render such access ineffective”. In the Tele2 decision, this included the use of IP address truncation (an anonymisation measure): IMY found that Tele2 had not clarified whether the truncation was performed before or after the transfer of the data to the US and had failed to demonstrate that there is “no potential access to the entire IP address before the last octet is truncated”.
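The point IMY makes about truncation is one of ordering: masking the last octet only helps if the full address never leaves the controller's side. The following is an added illustration written for this article, not code from Tele2, Google or IMY, and it does not model how GA itself handles IP addresses. It truncates the address in the code path that builds the outgoing analytics payload, so the full address is never part of what is transmitted, and includes a check a controller could run over its outgoing payloads to demonstrate that. The /24 rule for IPv4 follows the "last octet" wording in the decision; the /48 rule for IPv6, the payload layout and the sample addresses (taken from documentation ranges) are assumptions made for the example.

```python
import ipaddress

# Bits to keep. IPv4 /24 zeroes the last octet, matching the decision's wording.
# The IPv6 /48 value is an assumed policy for this example, not from the decision.
IPV4_KEEP_BITS = 24
IPV6_KEEP_BITS = 48


def truncate_ip(raw: str) -> str:
    """Return the address with its host-identifying bits zeroed.

    Works for both IPv4 and IPv6 so a mixed visitor population is handled
    by one rule; raises ValueError on anything that is not an IP address.
    """
    addr = ipaddress.ip_address(raw)
    keep = IPV4_KEEP_BITS if addr.version == 4 else IPV6_KEEP_BITS
    network = ipaddress.ip_network(f"{addr}/{keep}", strict=False)
    return str(network.network_address)


def build_hit(event: str, page: str, raw_ip: str) -> dict:
    """Assemble the payload that leaves the EU-side server.

    Truncation happens here, before any transfer: the full address is a local
    variable and is never copied into the payload. (Payload layout is assumed.)
    """
    return {"event": event, "page": page, "ip": truncate_ip(raw_ip)}


def payload_contains_full_ip(payload: dict, raw_ip: str) -> bool:
    """Check a controller could run over outgoing payloads to evidence that
    no field carries the untruncated address."""
    return any(str(value) == raw_ip for value in payload.values())


if __name__ == "__main__":
    # Constructed sample visitors from documentation address ranges.
    visitors = ["203.0.113.77", "2001:db8:1234:5678::1"]
    for ip in visitors:
        hit = build_hit("page_view", "/checkout", ip)
        print(hit, "leaks full IP:", payload_contains_full_ip(hit, ip))
```

The design choice is that the truncation is a property of the outgoing message rather than of a receiving system's configuration: the payload is the only thing that crosses the border, and it can be inspected to show that the "entire IP address" was never available to the recipient.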
IMY also found breaches of the GDPR’s restricted transfer rules in the case of two other Swedish companies’ use of GA (Coop and Dagens Industri) but did not issue fines because they “had taken extensive protective measures”. Tele2 recently stopped using GA on its own initiative, and IMY ordered the other three companies to stop using the tool. In its statement, IMY warned other companies against the use of Google’s popular tool, which measures and analyses traffic on websites.
Last year a number of EU regulators, including the French and Liechtenstein DPAs, warned against the use of GA after finding a number of website operators using the tool to be non-compliant with the GDPR’s rules on international data transfers. However, they stopped short of issuing fines, which noyb claimed signified a softer approach to enforcing the GDPR on users of the tool, despite the same data transfer issue underlying all complaints.
The timing of these fines/decisions is unfortunate for the four companies involved, as ten days later the EC announced its adoption of its adequacy decision on the DPF, which entered into force with immediate effect. The DPF seeks to address core Schrems II concerns by introducing new binding safeguards to limit access to EU data by US intelligence services to what is necessary and proportionate, and by establishing a Data Protection Review Court, which will independently investigate complaints lodged by Europeans. (For more information see our article here.)
Despite the IMY fines, businesses using Google’s popular analytics tool can breathe a sigh of relief, for now at least, as the adequacy decision will provide legal certainty in respect of data transfers from the EEA (and soon, hopefully, the UK) to US certified businesses. Google LLC has signed up to the DPF for both EU and Swiss transfers, and we expect it will also sign up to the UK extension to the DPF when it is finalised, giving those using GA more confidence that the transfers are indeed compliant. That said, Max Schrems and noyb have confirmed their intention to challenge the DPF, so as usual this will be something everyone will be keeping an eye on in the longer term.
“In its audits, IMY … concludes that the technical security measures that the companies have taken are not sufficient to ensure a level of protection that essentially corresponds to that guaranteed within the EU/EEA.” Sandra Arvidsson, IMY
https://www.imy.se/en/news/four-companies-must-stop-using-google-analytics/