The Swedish Authority for Privacy Protection (IMY) has cautioned companies against using Google Analytics due to surveillance risks posed by the U.S. government.
The warning comes amid growing concerns over the legality of transferring Europeans’ data to the U.S. under laws like the General Data Protection Regulation (GDPR).
The GDPR & Data Transfer Concerns
GDPR requires strict privacy protections and consent for handling individuals’ personal information.
Google Analytics has been found to violate this by transferring data from websites and mobile apps to the U.S., where privacy laws are weaker, and intelligence agencies can access the information.
The 2020 Schrems II ruling by Europe’s top court invalidated the Privacy Shield data transfer pact and put these transfers under scrutiny.
IMY Investigation Puts Spotlight On Google Analytics
IMY investigated four Swedish companies—CDON, Coop, Dagens Industri, and Tele2—following a complaint by privacy group NOYB that they were illegally using Analytics.
IMY audits revealed violations of GDPR’s consent and data transfer requirements. The agency fined CDON $30,000 and Tele2 $1.1 million and ordered all but Dagens Industri to stop using Analytics.
Experts say the penalties, though small, set an important precedent.
Tele2 and CDON plan to appeal, arguing the fines are disproportionate, but said they would comply with the orders.
E.U. & U.S. Struggle To Forge New Data Transfer Deal
The E.U. and U.S. policymakers are negotiating a new data transfer pact to replace Privacy Shield. But critics argue it won’t prevent U.S. snooping or empower Europeans in U.S. courts.
IMY’s decision follows similar scrutiny of Meta’s data practices, which recently drew a $1.3 billion E.U. fine.
Regulators worldwide are ramping up enforcing laws like GDPR, China’s Personal Information Protection Law, and Brazil’s Data Protection Law. While some aim to check big tech’s power, rules often differ—creating hurdles for global companies.
These decisions affect these four companies and have implications for all organizations that fail to comply with GDPR.
For Google and others, changes may be needed to analytics and ad models that have long depended on freely moving personal data worldwide.
As data privacy goes global, that era could be coming to an end.
In a statement to TechCrunch regarding IMY’s decisions, Google emphasizes that Google Analytics doesn’t identify or track specific individuals across the web.
The company says website publishers are responsible for compliance and ethical data use. Google does its part by providing safeguards, controls, and resources.
“People want the websites they visit to be well designed, easy to use, and respectful of their privacy. Google Analytics helps publishers understand how well their sites and apps are working for their visitors — but not by identifying individuals or tracking them across the web. These organizations, not Google, control what data is collected with these tools, and how it is used.”
Featured Image: sdx15/Shutterstock