Sweden is the latest EU country to come out against Google Analytics, telling companies they “must stop using” it.
Google Analytics has been found by various EU countries as being in violation of the GDPR. In fact, US cloud providers struggle to adhere to the GDPR’s data privacy requirements, since the legislation provides protections against EU user data being exported to the US where it may be accessed by various intelligence agencies. The data sharing issues have been a major sticking point between the bloc and US officials.
The Swedish Authority for Privacy Protection (IMY) is the latest EU government agency to condemn the use of Google Analytics after conducting an audit of how the service is used and how user data is handled. The agency audited CDON, Coop, Dagens Industri and Tele2, following a complaint by the None of Your Business (NOYB) organization in the wake of other rulings that Google Analytics was illegal in the EU.
According to the data protection regulation, GDPR, personal data may be transferred to third countries, i.e. countries outside the EU/EEA, if the European Commission has decided that the country in question has an adequate level of protection for personal data that corresponds to that within the EU/EEA. However, the CJEU ruled through the Schrems II ruling that the United States could not be considered to have such an adequate level of protection at the time of the ruling.
In its audits, IMY considers that the data transferred to the US via Google’s statistics tool is personal data because the data can be linked with other unique data that is transferred. The authority also concludes that the technical security measures that the companies have taken are not sufficient to ensure a level of protection that essentially corresponds to that guaranteed within the EU/EEA.
This latest ruling is another major setback for Google and will likely result in other EU member states coming to similar conclusions.