Sweden’s knowledge safety watchdog has issued a few fines in relation to exports of European customers’ knowledge by way of Google Analytics which it discovered breach the bloc’s privateness rulebook owing to dangers posed by US authorities surveillance. It has additionally warned different corporations in opposition to use of Google’s device.
The fines — simply over $1.1 million for Swedish telco Tele2 and fewer than $30k for native on-line retailer CDON — are notable as they’re the primary such fines following a raft of strategic privateness complaints focusing on Google Analytics (and Fb Join) again in August 2020.
The regulator discovered that so-called supplementary measures utilized by Google to European customers’ knowledge despatched to the US for processing had been inadequate to boost the extent of safety to the required authorized customary. Together with Google’s use of IP deal with truncation (an anonymization measure) as, within the Tele2 case, it stated the corporate didn’t make clear whether or not the truncation was carried out earlier than or after the switch of the info to the US so had did not display there’s “no potential entry to all the IP deal with earlier than the final octet is truncated”.
The watchdog additionally discovered breaches of the bloc’s Common Information Safety Regulation (GDPR) guidelines on transfers to 3rd nations within the case of two different corporations’ use of Google Analytics, Coop and Dagens Industries, however didn’t subject fines in these circumstances.
“In its audits, IMY [the Swedish DPA] considers that the info transferred to the US by way of Google’s statistics device is private knowledge as a result of the info might be linked with different distinctive knowledge that’s transferred. The authority additionally concludes that the technical safety measures that the businesses have taken should not enough to make sure a stage of safety that basically corresponds to that assured inside the EU/EEA,” the regulator wrote in a assertion.
“All 4 corporations have primarily based their selections on the switch of private knowledge by way of Google Analytics on customary contractual clauses. From IMY’s audits, it seems that not one of the corporations’ further technical safety measures are enough. IMY points an administrative superb of 12 million SEK in opposition to Tele2 and 300,000 SEK in opposition to CDON, which has not taken the identical intensive protecting measures as Coop and Dagens Industri. Tele2 has lately stopped utilizing the statistics device by itself initiative. IMY orders the opposite three corporations to cease utilizing the device.”
Within the weblog submit — which is entitled “Firms should cease utilizing Google Analytics” — the regulator added that the 4 selections ought to be handled as steerage, emphasizing what it couched as wider implications.
Final 12 months plenty of European Union DPAs, together with the French and Italian watchdogs, warned in opposition to use of Google’s analytics device after discovering plenty of customers to be non-compliant with the bloc’s guidelines on worldwide knowledge transfers. Nevertheless different regulators haven’t issued monetary sanctions, in line with NGO noyb, which was behind the unique complaints — seemingly favoring a softer method to imposing the GDPR on customers of such a well-known device regardless of the identical knowledge switch subject underlying all of them.
noyb’s authentic 101 strategic complaints focused quite a lot of web sites round Europe utilizing Google Analytics or related Fb providers within the wake of a landmark ruling by the Court docket of Justice of the European Union in July 2020 which invalidated an EU-US knowledge switch deal known as Privateness Protect only a few years after placing down its predecessor, Secure Harbor.
The EU and US are within the strategy of finalizing a 3rd knowledge switch association, known as the EU-US Information Privateness Framework, which is predicted to be accomplished later this month — and can, within the brief time period no less than, raise the authorized uncertainty that’s been clouding EU-US knowledge transfers for the reason that CJEU strike downs.
That stated, authorized challenges to the incoming framework are anticipated and varied European establishments have raised issues that elements of the renegotiated association don’t go far sufficient to handle the judges’ issues. So it stays to be seen whether or not it’ll be third time fortunate for a excessive stage resolution to the conflict between EU privateness rights and US surveillance practices.
In an announcement commenting on the Swedish watchdog’s resolution to subject the primary penalties for illegal use of Google Analytics noyb’s Marco Blocher, a knowledge safety lawyer, stated: “We’re very glad in regards to the additional clarification by the Swedish DPA. It is usually essential to see that there are fines — it’s the solely solution to get different corporations to conform.”
Google was contacted for touch upon the DPA’s selections.