Google Analytics violates GDPR, Swedish watchdog says
3 mins read

Google Analytics violates GDPR, Swedish watchdog says

The Swedish Data Protection Authority (IMY) has warned companies against using Google Analytics due to the surveillance risks posed by the US government.

The warning comes amid growing concerns about the legality of transferring European data to the US under laws such as the General Data Protection Regulation (GDPR).

Concerns about GDPR and data portability

The GDPR requires strict data protection and consent for the handling of individuals’ personal data.

Google Analytics was found to violate this by transferring data from websites and mobile apps to the US, where privacy laws are weaker and intelligence agencies can access the information.

With the Schrems II judgment of the highest European court of justice in 2020, the Privacy Shield data transfer agreement was declared invalid and these transfers were put to the test.

IMY investigation puts spotlight on Google Analytics

IMY investigated four Swedish companies – CDON, Coop, Dagens Industri and Tele2 – after data protection group NOYB filed a complaint that they were using analytics illegally.

IMY audits found violations of GDPR consent and data transfer requirements. The agency fined CDON $30,000 and Tele2 $1.1 million, and ordered everyone except Dagens Industri to stop using Analytics.

Experts say the penalties, while small, set an important precedent.

Tele2 and CDON plan to appeal, arguing the fines are disproportionate but said they will comply with the orders.

The EU and the US are fighting to forge a new data transfer agreement

EU and US policymakers are negotiating a new data transfer pact to replace the Privacy Shield. However, critics argue that this will neither prevent US snooping nor increase the power of Europeans in US courts.

IMY’s decision follows a similar scrutiny of Meta’s data practices, which recently saw a $1.3 billion EU fine.

Regulators around the world are stepping up enforcement of laws like the GDPR, China’s Personal Data Protection Act and Brazil’s Data Protection Act. While some aim to curb the power of big tech companies, the rules often diverge, creating hurdles for global corporations.

These decisions affect these four companies and impact all non-GDPR compliant organizations.

Google and others may need changes to analytics and advertising models, which have long been based on the free exchange of personal data around the world.

With the global spread of data protection, this era could come to an end.

Google’s answer

In a statement to TechCrunch regarding IMY’s decisions, Google emphasizes that Google Analytics does not identify or track any specific individual across the web.

The company states that website publishers are responsible for compliance and ethical data use. Google is doing its part by providing safeguards, controls, and resources.

Google says:

“People want the websites they visit to be well-designed, user-friendly and respect their privacy. Google Analytics helps publishers understand how well their websites and apps are performing for their visitors — but not by identifying individuals or tracking them across the web. These organizations, and not Google, control what data these tools collect and how it is used.”


Featured image: sdx15/Shutterstock