The Swedish Authority for Privateness Safety (Integritetsskyddsmyndigheten – IMY) has fined two corporations with 12.3 million SEK (€1 million/$1.1 million) for utilizing Google Analytics and warned two others about the identical observe.
In a call revealed yesterday, the company explains that through the use of Google Analytics to generate net statistics the companies have been breaching European Union’s Common Knowledge Safety Regulation (GDPR).
Particularly, the businesses have been in violation of the GDPR Article 46(1), which forbids the switch of private information to international locations or worldwide organizations that lack safeguards that warrant security and authorized remediation mechanisms.
The USA has been deemed as a dangerous location for the storage of knowledge of European customers, as per the July 2020 “Schrems II” judgment, the place the Courtroom of Justice of the European Union (CJEU) dominated that any information transfers to the U.S. within the context of the then-existing mechanism, “Privateness Defend,” have been unlawful.
This violation is similar for which the Irish Knowledge Safety Fee (DPC) fined Meta $1.3 billion for transferring EU-based person information to servers within the U.S.
IMY, following the submission of a related grievance by the Austrian digital rights group None of Your Enterprise (NOYB), carried out audits to find out the kind of information the Google Analytics instrument sends within the U.S. and concluded that it constitutes private info.
The audits involved a model of the Google Analytics instrument from August 14, 2020.
“IMY considers that the info transferred to the U.S. through Google’s statistics instrument is private information as a result of the info will be linked with different distinctive information that’s transferred,” states.
“The authority additionally concludes that the technical safety measures that the businesses have taken aren’t ample to make sure a degree of safety that primarily corresponds to that assured inside the EU/EEA” – IMY
The 4 corporations which were reprimanded are:
Tele2 SA – a telecommunications and web service supplier in Sweden, has not too long ago determined to cease utilizing Google Analytics by itself initiative.
The opposite three organizations are ordered to cease utilizing Google Analytics and to implement enough information safety measures no later than one month after IMY’s choice, which was introduced on June 30, 2023.
Using Google Analytics has been deemed non-GDPR-compliant once more up to now by the info safety authorities in Austria, France, and Italy.
Nonetheless, IMY’s choice to impose monetary penalties on the violators makes this the primary of its form.
These selections additionally function steerage for the entire business, and different corporations utilizing Google Analytics might determine to regulate their technique to adjust to the foundations and laws within the EU.
