The Swedish Authority for Privacy Protection (IMY) announced this week that it has issued three cease and desist orders to Swedish companies. The orders are the result of complaints lodged by privacy rights group NOYB.
Swedish authorities accused these firms of violating EU privacy laws and ordered them to stop using Google Analytics immediately. The move follows a precedent-setting action against the use of Google Analytics by the Austrian privacy regulator last January.
The Swedish privacy watchdog had initially put four companies under the microscope, but one of the target companies agreed to cease using the Google tool of its own volition. The IMY thus issued the stop orders to the other three.
EU-US data transfer is the problem
At the request of the privacy rights group None of Your Business (NOYB), IMY examined how the companies in question transfer personal data to the US via Google Analytics, a popular tool for measuring and analysing traffic on websites.
Under the EU’s General Data Protection Regulation (GDPR), personal data may be transferred to countries outside the bloc only if the European Commission has decided that the country in question has an adequate level of protection for personal data, namely one that corresponds to that within the EU. The CJEU’s Schrems II ruling decreed that the United States did not have an adequate level of protection.
The US and EU are currently working on a new Data Privacy Framework (DPF) that could allow transatlantic data transfers. The new scheme, which is due to be finalised in October, is already coming under fire from the European Data Protection Board (EDPB), the body tasked with enforcing the GDPR.
Failing to find a valid workaround
Currently, there is still a way for companies to transfer personal data outside the EU using a legal mechanism called standard contractual clauses. However, these clauses must be used in conjunction with certain “additional safeguards.”
The Swedish authority determined that none of the four companies it investigated met this requirement with their Google Analytics deployments, so it ordered them to stop using the service.
Of the four companies audited, Tele2 AB, a local ISP, stopped using Google Analytics voluntarily. The other three have been ordered by IMY to stop as well. In addition, the authority fined Tele2 and one of the three other companies over their Google Analytics usage practices, as they failed to implement any “additional safeguards”, according to IMY.