Sweden has ordered four companies to stop using a Google tool that measures and analyzes web traffic, saying the program transfers users’ personal data to the United States.
Sweden's privacy protection agency, the IMY, said on Monday that it examined the use of Google Analytics by those companies following a complaint by the Vienna-based European Center for Digital Rights, NOYB, which has filed dozens of complaints against Google across Europe.
NOYB said the use of Google Analytics for measuring web statistics by the companies resulted in the transfer of European data to the United States, which violated the European Union's General Data Protection Regulation, or the GDPR.
The GDPR allows the transfer of data to third countries only after the European Commission determines that those countries offer at least the same level of privacy protection as the EU.
In addition, an EU Court of Justice ruling in 2020 nullified a data transfer deal with the US as being insufficient.
The IMY described the data sent to Google Analytics in the United States by the four companies as personal data, adding that "the technical security measures that the companies have taken are not sufficient to ensure a level of protection that essentially corresponds to that guaranteed within the EU."
The body has moved to fine Tele2 telecommunications firm 12 million kronor and CDON online marketplace 300,000 kronor. However, Coop grocery store chain and Dagens Industri newspaper were not fined as they had taken measures to protect the data being transferred.
IMY legal advisor, Sandra Arvidsson, said the agency has made it clear "what requirements are placed on technical security measures and other measures when transferring personal data to a third country, in this case the United States."
NYOB welcomed the IMY's ruling, saying in a statement, "Although many other European authorities (e.g. in Austria, France and Italy) already found that the use of Google Analytics violates the GDPR, this is the first financial penalty imposed on companies for using Google Analytics."
The European Commission said in late May that it hoped to conclude a new legal framework for data transfers between the EU and the United States by the end of the summer.
The RGPD, which has been in place since 2018, can lead to penalties of up 20 million euros or four percent of a company's global revenue.