Stop using Google Analytics, warns Sweden’s privacy watchdog, as it issues over $1M in fines


Sweden’s data protection watchdog has issued a couple of fines in relation to exports of European users’ data via Google Analytics which it found breach the bloc’s privacy rulebook owing to risks posed by US government surveillance. It has also warned other companies against use of Google’s tool.

The fines — just over $1.1 million for Swedish telco Tele2 and less than $30k for local online retailer CDON — are notable as they’re the first such fines following a raft of strategic privacy complaints targeting Google Analytics (and Facebook Connect) back in August 2020.

The regulator found that so-called supplementary measures applied by Google to European users’ data sent to the US for processing were insufficient to raise the level of protection to the required legal standard. That includes Google’s use of IP address truncation (an anonymization measure): in the Tele2 case, it said the company did not clarify whether the truncation was carried out before or after the transfer of the data to the US, so had failed to demonstrate there is “no potential access to the entire IP address before the last octet is truncated”.

The watchdog also found breaches of the bloc’s General Data Protection Regulation (GDPR) rules on transfers to third countries in the case of two other companies’ use of Google Analytics, Coop and Dagens Industri, but did not issue fines in those cases.

“In its audits, IMY [the Swedish DPA] considers that the data transferred to the US via Google’s statistics tool is personal data because the data can be linked with other unique data that is transferred. The authority also concludes that the technical security measures that the companies have taken are not sufficient to ensure a level of protection that essentially corresponds to that guaranteed within the EU/EEA,” the regulator wrote in a statement.

“All four companies have based their decisions on the transfer of personal data via Google Analytics on standard contractual clauses. From IMY’s audits, it appears that none of the companies’ additional technical security measures are sufficient. IMY issues an administrative fine of 12 million SEK against Tele2 and 300,000 SEK against CDON, which has not taken the same extensive protective measures as Coop and Dagens Industri. Tele2 has recently stopped using the statistics tool on its own initiative. IMY orders the other three companies to stop using the tool.”

In the blog post — which is entitled “Companies must stop using Google Analytics” — the regulator added that the four decisions should be treated as guidance, emphasizing what it couched as wider implications.

Last year a number of European Union DPAs, including the French and Italian watchdogs, warned against use of Google’s analytics tool after finding a number of users to be non-compliant with the bloc’s rules on international data transfers. However, other regulators have not issued financial sanctions, according to NGO noyb, which was behind the original complaints — seemingly favoring a softer approach to enforcing the GDPR on users of such a well-known tool despite the same data transfer issue underlying them all.

noyb’s original 101 strategic complaints targeted a variety of websites around Europe using Google Analytics or related Facebook services in the wake of a landmark ruling by the Court of Justice of the European Union in July 2020 which invalidated an EU-US data transfer deal called Privacy Shield just a few years after striking down its predecessor, Safe Harbor.

The EU and US are in the process of finalizing a third data transfer arrangement, called the EU-US Data Privacy Framework, which is expected to be completed later this month — and will, in the short term at least, lift the legal uncertainty that’s been clouding EU-US data transfers since the CJEU strike downs.

That said, legal challenges to the incoming framework are expected and various European institutions have raised concerns that aspects of the renegotiated arrangement don’t go far enough to address the judges’ concerns. So it remains to be seen whether it’ll be third time lucky for a high level solution to the clash between EU privacy rights and US surveillance practices.

In a statement commenting on the Swedish watchdog’s decision to issue the first penalties for unlawful use of Google Analytics, noyb’s Marco Blocher, a data protection lawyer, said: “We’re very happy about the further clarification by the Swedish DPA. It’s also important to see that there are fines — it’s the only way to get other companies to comply.”

Google was contacted for comment on the DPA’s decisions.
