The Swedish data protection watchdog, the IMY, has issued a warning to companies against using Google Analytics due to concerns over U.S. government surveillance, following similar actions taken by other European countries. The warning comes after an audit by the IMY of four companies, where it was found that data transferred to the U.S. via Google Analytics can be considered personal data and lacks adequate protection.
The technical security measures implemented by the companies were also deemed insufficient by the authority.
As a result of the investigation, the IMY has fined Swedish telecom service provider Tele2 $1.1 million and local online marketplace CDON less than $30,000 for failing to implement adequate security measures to anonymize the data prior to transfer.
Additionally, CDON, Coop, and Dagens Industri have been ordered to cease using Google Analytics, while Tele2 has voluntarily stopped using the service.
The IMY’s audit and subsequent actions were initiated based on a complaint filed by privacy non-profit organization noyb, alleging violations of the General Data Protection Regulation (GDPR). The concern underlying the decision is the potential surveillance risks associated with transferring data to U.S. servers and the possibility of access by intelligence agencies.
Notably, similar concerns led to European Union data protection agencies imposing a record $1.3 billion fine on Meta.
To address these issues, the EU and U.S. are currently working on finalizing a new data transfer arrangement, the E.U.-U.S. Data Privacy Framework, as a replacement for the invalidated Privacy Shield agreement.
