GDPR Fines Issued for Google Analytics Use

IMY News (Sweden DPA)

Filed July 3rd, 2023

Detected February 24th, 2026

Summary

The Swedish Authority for Privacy Protection (IMY) has fined two companies and ordered three others to stop using Google Analytics due to non-compliance with GDPR regarding personal data transfers to the US. Fines total 12.3 million SEK.

View original document View source feed page

What changed

The Swedish Authority for Privacy Protection (IMY) has issued administrative fines totaling 12.3 million SEK against CDON (300,000 SEK) and Tele2 (12 million SEK) for violating GDPR by transferring personal data to the US via Google Analytics. IMY also ordered Coop and Dagens Industri to cease using the service. These enforcement actions stem from audits initiated by complaints from None of Your Business (NOYB), citing the Schrems II ruling which invalidated the EU-US Privacy Shield and questioned the adequacy of US data protection. IMY found that the companies' technical security measures were insufficient to ensure an adequate level of data protection.

Companies using Google Analytics, particularly those transferring data to the US, must review their data transfer mechanisms and implement adequate supplementary measures beyond standard contractual clauses. Failure to comply with GDPR's data transfer requirements can result in significant fines and orders to cease data processing activities. The IMY's decisions provide guidance on the expected technical and other safeguards for international data transfers.

What to do next

Review data transfer mechanisms for Google Analytics and other US-based services.
Implement supplementary technical and organizational measures to ensure GDPR compliance for data transfers to third countries.
Cease use of Google Analytics if adequate safeguards cannot be implemented.

Penalties

Administrative fines totaling 12.3 million SEK (12 million SEK for Tele2, 300,000 SEK for CDON). Orders to stop using Google Analytics for other companies.

Source document (simplified)

Svensk version Listen

Four companies must stop using Google Analytics

Published: 3 July 2023 The Swedish Authority for Privacy Protection (IMY) has audited how four companies use Google Analytics for web statistics. IMY issues administrative fines against two of the companies. One of the companies has recently stopped using the statistics tool on its own initiative, while IMY orders the other three to also stop using it. IMY has audited how four companies transfer personal data to the US via Google Analytics, which is a tool for measuring and analysing traffic on websites. The companies audited are CDON, Coop, Dagens Industri and Tele2. The audits concerns a version of Google Analytics from 14th of August 2020.

The audits are based on complaints from the organisation None of Your Business (NOYB) in the light of the Schrems II ruling by the European Court of Justice (CJEU). The complaints allege that the companies, in violation of the law, transfer personal data to the United States.

According to the data protection regulation, GDPR, personal data may be transferred to third countries, i.e. countries outside the EU/EEA, if the European Commission has decided that the country in question has an adequate level of protection for personal data that corresponds to that within the EU/EEA. However, the CJEU ruled through the Schrems II ruling that the United States could not be considered to have such an adequate level of protection at the time of the ruling.

In its audits, IMY considers that the data transferred to the US via Google's statistics tool is personal data because the data can be linked with other unique data that is transferred. The authority also concludes that the technical security measures that the companies have taken are not sufficient to ensure a level of protection that essentially corresponds to that guaranteed within the EU/EEA.

– By the fact that IMY has decided on these cases at the same time, it is made clear what requirements are placed on technical security measures and other measures when transferring personal data to a third country, in this case the United States, says legal advisor Sandra Arvidsson, who led the audits of the companies.

If there is no decision on an adequate level of protection by the European Commission, data may be transferred based on standard contractual clauses that the European Commission has decided on. However, according to the CJEU, such standard contractual clauses may need to be supplemented with additional safeguards if it is necessary for the protection that the clauses are intended to provide to be maintained in practice.

All four companies have based their decisions on the transfer of personal data via Google Analytics on standard contractual clauses. From IMY's audits, it appears that none of the companies' additional technical security measures are sufficient. IMY issues an administrative fine of 12 million SEK against Tele2 and 300,000 SEK against CDON, which has not taken the same extensive protective measures as Coop and Dagens Industri. Tele2 has recently stopped using the statistics tool on its own initiative. IMY orders the other three companies to stop using the tool.

– These decisions have implications not only for these four companies, but can also provide guidance for other organisations that use Google Analytics, says Sandra Arvidsson.