A number of European data protection authorities, in Austria, France, Italy and Denmark, have ruled in the past year that the use of Google Analytics violates the General Data Protection Regulation (GDPR). Now, for the first time, financial penalties have also been imposed on companies that carry out EU-US data transfers via the tool without sufficient additional measures.
The Swedish data protection authority (IMY) has taken action against four companies for illegal data transfers from the EU to the USA.
Telecommunications provider Tele2 was fined SEK 12 million (€1 million), while online retailer CDON was fined SEK 300,000 (€25,000). The reason for the sanctions was the use of Google Analytics on their websites without sufficient additional measures.
Coop Sweden and Dagens Industri were also warned and ordered to stop using Google Analytics.
The decisions of the Swedish data protection authority mark a significant step in the enforcement of the GDPR and the protection of personal data. They send a clear message to companies that unlawful data transfers to the USA can be punished with substantial fines.
Q&A – What you need to know
Q: What are the main findings from the decisions of the Swedish Data Protection Authority?
A: Firstly, that the findings of several EU data protection authorities that Google Analytics is not legally compliant without additional measures are now also being enforced with fines.
Secondly, that it is not sufficient for the operator of a website to rely on Google Analytics' own IP anonymisation. Even if the anonymisation takes place exclusively on European servers, the Swedish authority found that the IP address, taken together with the rest of the transmitted data, can still be linked to a specific person once the data reaches the USA.
Thirdly, that the level of the penalty depends on whether the operator has taken protective measures beyond those recommended by Google, which are not sufficient on their own.
Q: Why were two companies fined and two not?
A: For all four companies, it was assessed as aggravating that the data transfer was automatic and systematic and involved a large volume of data over a long period of time. Without mitigating factors, this would lead to a fine.
Tele2, however, relied exclusively on the IP anonymisation of Google Analytics and took no further protective measures. This weighed against it in the authority's assessment, and a comparatively high fine followed.
The mitigating factor for the companies that were not penalised was that they routed the data through proxy servers.
One of the companies used server-side tracking that replaced visitors' IP addresses before the data was forwarded to Google. However, identifiers such as ClientIDs, Google ClickIDs and TransactionIDs were still sent along, which could make individuals identifiable again. The use of server-side tracking was nevertheless enough to avoid a fine.
Another company used a proxy server, shortened the IP addresses by one octet and hashed the cookie identifiers. According to the authority, however, shortening the IP address is not sufficient to prevent identification of a person if additional data, such as the visitor's device and the time of the visit, is sent at the same time.
Q: What does this mean for the companies concerned?
A: The decisions are not yet final and can be appealed. A decision becomes final only once the appeal period has passed and no further legal remedies are available. Within one month of that point, the companies must stop using Google Analytics or introduce additional measures.
Q: Do the decisions affect all users of Google Analytics?
A: The press release explicitly states that the decisions also have implications for other companies that use Google Analytics.
Q: What can companies do in this situation?
A: They should not rely on the measures offered by Google being sufficient, even with GA4.
Server-side tracking with privacy features such as pseudonymisation of personal data is a proven and effective way to protect personal data that is sent to the US and to continue using US tools such as Google Analytics.
Q: What impact could the new EU-US Data Privacy Framework have, although it is not yet in force?
A: The problem is that an important legal basis disappeared with the end of the Privacy Shield, and standard contractual clauses on their own, without supplementary measures, are not sufficient to protect personal data in the US. The legal situation could change with the new Data Privacy Framework.
However, the DPF will have no retroactive effect on data processing that has already taken place. Unlawful processing cannot be corrected retrospectively, and penalties that become legally enforceable must still be paid.
Update: In July 2023 the European Commission adopted its adequacy decision for the new EU-US Data Privacy Framework (DPF), removing many of the restrictions that followed from Schrems II and making it much easier for organisations to transfer EU personal data to the US. However, the new framework is expected to be challenged in court by NGOs (a possible "Schrems III"), so some legal uncertainty will remain until the Court of Justice of the EU (CJEU) rules on the matter.
Gain peace of mind with compliant server-side tracking for Google Analytics
The JENTIS Data Capture Platform enables you to use Google Analytics in a future-proof, GDPR-compliant manner with server-side tracking and integrated pseudonymisation features.