The Swedish data protection watchdog has ruled that the export of European users’ data via Google Analytics violates the EU’s privacy rulebook, citing the risks posed by US government surveillance, and has imposed several fines. It also warns other companies not to use Google’s tools.
The fines (just over $1.1 million for Swedish telco Tele2 and less than $30,000 for local online retailer CDON) were awarded in August 2020 for a strategic privacy breach targeting Google Analytics (and Facebook Connect). They are notable because they were only imposed after numerous complaints.
The regulator has found that the so-called supplementary measures applied by Google to European users’ data sent to the United States for processing are insufficient to raise the level of protection to the required legal standards. That includes Google’s IP address truncation (a means of anonymization), which was used in the case of Tele2: the company had not clarified whether the truncation occurred before or after the transfer of data to the United States, so it could not prove that “there is no possibility of accessing the entire IP address until the last octet is truncated.”
The watchdog also found violations of the EU General Data Protection Regulation (GDPR) rules on transfers to third countries in the use of Google Analytics by two other companies, Coop and Dagens Industri, but in these cases did not impose a fine.
“In an audit, IMY [the Swedish DPA] considers data transferred to the United States via Google’s statistical tools to be personal data because it may be linked to other unique data transferred. The authorities also conclude that the technical security measures taken by the companies are not sufficient to ensure a level of protection comparable to that which is basically guaranteed within the EU/EEA,” the regulator said in a statement.
“All four companies base their decisions on the transfer of personal data via Google Analytics on standard contractual clauses. IMY’s audit shows that none of the companies’ additional technical security measures appear to be sufficient. IMY imposed an administrative fine of SEK 12 million against Tele2 and an administrative fine of SEK 300,000 against CDON for not having the same broad protections as Coop and Dagens Industri. We made a decision to stop using the statistical tool, and the IMY has ordered the other three companies to stop using the tool.”
In a blog post titled “Businesses Must Stop Using Google Analytics,” the regulator added that the four decisions should be treated as guidance, highlighting their broader implications.
Last year, many European Union DPAs, including the French and Italian watchdogs, issued warnings against using Google’s analytics tools after finding that many users were not complying with European Union rules on international data transfers. However, according to noyb, the NGO behind the initial complaint, no other regulators have imposed financial sanctions. Despite the same underlying data transfer issues, they seem to favor a softer approach to enforcing GDPR for users of such familiar tools.
noyb’s original 101 strategic complaints followed a landmark ruling by the European Court of Justice in July 2020 that invalidated the EU-US data transfer agreement known as the Privacy Shield, only a few years after overthrowing its predecessor, Safe Harbor. The complaints targeted various websites across Europe using Google Analytics and similar Facebook services.
The EU and US are finalizing a third data transfer agreement, dubbed the EU-US Data Privacy Framework, which is expected to be completed later this month and would clear legal uncertainties, at least in the short term. Since the CJEU strike-down, data transfers between the EU and the US have been hampered.
However, legal challenges to the upcoming framework are expected, and various European institutions have expressed fears that aspects of the renegotiated deal do not adequately address the judges’ concerns. So it remains to be seen whether a high-level solution to the conflict between EU privacy rights and US surveillance practices will be third time lucky.
In a statement commenting on the Swedish watchdog’s decision to impose its first fine for illegal use of Google Analytics, noyb’s data protection lawyer Marco Blocher said: “It’s also important to make sure there are fines. This is the only way to encourage other companies to comply.”
Google was asked to comment on the DPA’s decision.
Update: Google sent the following statement:
People want the websites they visit to be well designed, easy to use, and respectful of their privacy. Google Analytics helps publishers understand how well their sites and apps are performing with their visitors, but it does not identify individuals or track them around the web. These organizations, not Google, control the data collected by these tools and how they are used. Google helps by providing a variety of safeguards, controls, and resources for compliance.