The Swedish Authority for Privacy Protection (IMY) has taken action against companies using Google Analytics, issuing fines and warnings for violating the European Union’s General Data Protection Regulation (GDPR).
Two companies were fined 12.3 million SEK (€1 million/$1.1 million) for using Google Analytics, which transfers personal data to countries lacking sufficient safeguards. IMY’s decision is based on the violation of GDPR Article 46(1), which prohibits the transfer of personal data to countries without appropriate safety measures.
The United States, considered a risky location for storing European user data, faced a similar issue with the “Schrems II” judgment and subsequent fines imposed on Meta. IMY’s audits confirmed that data transferred to the U.S. via Google Analytics constitutes personal information and highlighted inadequate security measures implemented by the companies involved.
While one organization voluntarily ceased using Google Analytics, the remaining three have been instructed to discontinue its use and implement stronger data protection measures within one month of IMY’s decision.
This landmark action provides industry guidance and may prompt other companies to review their strategies to ensure compliance with EU regulations.
