Sweden’s data protection watchdog, Swedish Authority for Privacy Protection (IMY) has fined Swedish telco Tele2 and local online retailer CDON for using Google Analytics to transfer European users’ data to the United States.
The fines, totaling over $1.1 million for Tele2 and less than $30,000 for CDON, mark the first penalties resulting from a wave of privacy complaints lodged against Google Analytics and Facebook Connect since August 2020.
IMY said it found that the transfers violated the bloc’s General Data Protection Regulation (GDPR) because they could be accessed by U.S. government surveillance. IMY also found that the companies’ use of Google’s “supplementary measures” to protect the data were not sufficient.
These measures include IP address truncation, which anonymizes IP addresses by removing the last octet. IMY said that Tele2 did not clarify whether the truncation was performed before or after the data was transferred to the U.S., so it could not be sure that the entire IP address was not accessible.
The IMY discovered that Google’s safeguards in the US to secure European users’ data did not fulfil legal norms. The process of truncating IP addresses to anonymize data was unclear, raising worries regarding full IP address access. Coop and Dagens Industries also breached GDPR by utilising Google Analytics to send data to foreign countries, but no penalties were levied.
In addition to the fines, IMY ordered the two companies to stop using Google Analytics.
The sources for this piece include an article in TechCrunch.
