The Swedish privacy watchdog IMY has imposed a fine of one million euros on Tele2 Sweden. The regulator concludes that the telecom company sends data to the US via Google Analytics as personal data. In addition, the company needs to take more technical measures to offer a good level of protection.
The Swedish regulator writes this in a press statement.
The level of protection of personal data in the US is insufficient
Following a complaint from the Austrian privacy foundation Noyb, IMY investigated Tele2 Sweden. The foundation alleged that the telecom company transfers and stores personal data to the US. This is contrary to European privacy legislation because the US does not offer the same level of protection as in the EU.
For example, Europeans can’t go to court if they suspect the US government is unlawfully processing their data. In addition, we apply strict legislation in Europe when it comes to accessing personal data by intelligence and investigation services. These services have much more room in the US to request this data. For that reason, in the summer of 2020, the European Court of Justice struck down the Privacy Shield, the treaty that European and American companies used to exchange data.
Since then, companies and organizations have been allowed to exchange personal data with so-called Standard Contractual Clauses or model contracts. The condition is that there is an equivalent level of protection in the country outside the EU. If not, additional measures must be taken.
Additional Tele2 measures are insufficient
After an investigation, IMY concludes that the telecom company’s data to the US via Google Analytics must be regarded as personal data. This data can be linked to specific users because it can be linked to other data that is passed through the statistics program.
Furthermore, the Swedish regulator notes that the technical measures taken by Tele2 Sweden need to be revised to provide an equivalent level of protection. In this case, using a model contract is insufficient to guarantee this level of protection. For these reasons, IMY has determined that Tele2 Sweden must pay a fine of one million euros.
In addition to Tele2 Sweden, the regulator has reprimanded three other companies for using Google Analytics. These are CDON, Coop and Dagens Industri. Of these three, only online retailer CDON was fined EUR 25,000. Tele2 has now voluntarily stopped using Google Analytics.
First-time regulator imposes a fine for using Google Analytics
It is not the first time that the use of Google Analytics has been questioned. Last year, the Austrian, Norwegian, Italian and French regulators already concluded that companies and organizations violate the General Data Protection Regulation (GDPR) when they use Google’s statistics program. Google Analytics continuously collects IP addresses, location data, data from cookies and other personal data of European internet users and forwards this information to American servers.
This violation was established several times last year. However, the Swedish regulator is the first body to impose a fine for using Google Analytics. Marco Blocher, a privacy lawyer at Noyb, thinks this is good.
“This is a pleasant change from other data protection authorities who simply determine that there has been a breach but do not create an incentive to comply in the future. We hope that other regulators will follow the Swedish privacy watchdog’s lead and end unlawful data transfers,” Blocher said in a response.