The Swedish privacy authority's case against Google Analytics has raised crucial questions about data protection and consumer rights. Tele2, a major telecommunications company, has been fined €1 million for unauthorized use of Google Analytics, marking the first financial penalty for using the service. This event stands out as an important landmark for organizations preparing for the developments of the new US-EU data transfer protocol. Let's clarify.
The repercussions of the Schrems II judgment
The Schrems II ruling has had a considerable impact on large technology companies, commonly known as Big Tech, especially when it comes to Google Analytics. The Court's decision has highlighted serious security problems concerning the management of personal data, generating important repercussions in terms of data protection.
In detail, the ruling raised issues regarding the safeguarding and protection of personal data that is transferred to the US offices of the companies. Following this decision, regulators began advising against the use of Google Analytics, as it was revealed that the service could not guarantee an adequate level of protection for personal data that was transferred outside the borders of the European Union.
In 2022, the Italian Data Protection Authority, in response to the Schrems II ruling, set out its position clearly and unequivocally. It said that in the absence of the Privacy Shield – an agreement that allowed the transfer of personal data between the EU and the US – and without a legally binding agreement or adequate safeguards in accordance with the General Data Protection Regulation (GDPR), companies would be forced to stop using Google Analytics.
In essence, the Italian regulator has emphasized the importance of complying with data protection regulations, such as the GDPR, underlining the importance of the security of users' personal data. In the absence of a legal framework or adequate protection mechanisms, the use of tools such as Google Analytics, which involve the transfer of personal data internationally, should have been suspended to ensure the protection of citizens' personal data.
Google Analytics under the lens of the Swedish Data Protection Authority
The Swedish Data Protection Authority looked at four companies to understand how they used Google Analytics to extract web statistics. Of these, two were fined and all were ordered to stop using the service. The most severe sanction was imposed on Tele2, which received a fine of 12 million Swedish crowns (about 1 million euros) for using Google Analytics on its web page.
However, the Coop food chain and the Dagens Industri newspaper were not fined, having taken additional measures to protect the data transferred according to indications provided by the European authorities.
The action of NOYB and the delivery of a historic financial sanction
The complaints that led to the decisions of the Swedish Supervisory Authority were filed by the non-profit organization NOYB (None of Your Business), founded by Max Schrems, the activist who gave his name to the Schrems II ruling.
These decisions represent an important precedent in Europe, as they include the first financial sanction for the use of Google Analytics. This marks a crucial point of reference for organizations using this service, pending the developments of the new data transfer protocol between the US and the EU.
Details of complaints and audits conducted
The investigations conducted by IMY, the Swedish Data Protection Authority, were initiated following complaints made by NOYB. The complainants stressed that the GDPR does not allow for the transfer of personal data outside the EU without adequate means to ensure a level of protection similar to that required by the GDPR itself.
In the course of the audits conducted, IMY stated that the data transferred to the United States through Google Analytics is, first and foremost, personal data. This data may be linked to other unique data that is also transferred, making it possible to identify a specific individual.
Specifically, IMY began its investigations on the basis of a series of complaints made by the NOYB organization. These complaints underlined how the provisions set by the GDPR – the General Data Protection Regulation of the European Union – do not allow the transfer of personal data outside the EU unless specific measures are in place which guarantee such data a level of protection equivalent to that prescribed by the GDPR itself.
The main concerns expressed by the complainants were specifically directed at Google, which is classified as a provider of electronic communications services under US law. In this capacity, Google is subject to surveillance by US intelligence agencies, which raises questions about its ability to ensure adequate protection of personal data once it is transferred to the US, even considering the current standard contractual clauses. Indeed, if requested, Google is obliged to hand over this data to the US government.
During the audit conducted, IMY argued, in line with what was stated by other European authorities, that the data transferred to the United States through Google's statistical tools are, above all, personal data. This is because they can be linked to other unique data that is transferred, making it possible to identify a specific individual. More specifically, the information transferred includes:
- Details about your visit to the website, such as pages viewed or clicks made;
- Information about the device used to visit the website, including IP address;
- Information stored in the cookie (_ga cookie) representing the customer ID.
These data, combined with each other, allow the identification of a specific individual through the so-called "network identifiers", especially if combined with other information of a similar nature.
Consequently, the authority applied the provision of recital 30 of the GDPR, which states that "individuals may be associated with online identifiers provided by their devices, such as IP addresses, cookies or other identifiers. This can leave traces which, in combination with unique identifiers and other collected data, can be used to create profiles of individuals and identify them".
Through the integration of the information collected by Google Analytics, divided according to specific indicators created with the intention of distinguishing individual visitors, the latter inevitably become identifiable. This process leads to the full application of the principles established by the GDPR.
This conclusion is further strengthened by the fact that a complainant can be logged into his Google account when he arrives on the Tele2 site. This allows Google to use the information collected with Analytics to send personalized ads to the visiting user.
NOYB's opinion and prediction on the new EU/US data transfer protocol
According to Marco Blocher, data protection lawyer and NOYB member, IMY's decision represents a welcome change compared to other data protection authorities. Blocher praised the Swedish authority's action for its decision to impose a significant fine and to prohibit the continued use of a tool that violates the GDPR.
However, NOYB has expressed skepticism about the new EU/US data transfer protocol, arguing that it will not solve the problems related to the transfer of personal data.
The Swedish case against Google Analytics marks a turning point in the protection of personal data. This financial sanction, the first of its kind, could serve as an example for other organizations and regulators around the world. The decision underlines the importance of data protection and the need to comply with the rules of the GDPR. The next step will be to see how organizations respond to this decision and how the new data transfer protocol between the US and the EU develops.