Sweden has imposed the first major fine for the illegal transfer of personal data through a Google device.
As is known, the Swedish Data Protection Inspectorate imposed a significant fine for the first time in Europe on two companies for using Google Analytics personal data was transferred to the United States. It also called on other companies to stop using Google’s web analytics tool.
The Swedish Data Protection Authority (IMY) inspected a total of four companies: CDON, Coop, Dagens Indusri and Tele2, in response to allegations made by the digital rights protection organization None of Your Business (NYOB).
The IMY found that personal data had indeed been transferred across the Atlantic, alarmingly, without adequate safeguards.
According to the GDPR, personal data can be transferred to third countries outside the EU, provided that they provide an equivalent level of protection. However, the judgment of the European Court found that the USA does not comply with the legal requirements.
The Swedish authority concluded that the four companies did not take sufficient technical security measures to ensure the level of protection required by the EU. As a result, it fined Tele2 EUR 1 million and CDON EUR 25,405, as the two companies were found to have the least extensive set of measures.
IMY also called on CDON, Coop and Dagens Industri to stop using Google Analytics, while Tele2 has already done so voluntarily.
In addition to Sweden, several data protection authorities in the EU, including Italy, France and Austria, have found that the company’s use of Google’s tool violates the provisions of the GDPR. However, Sweden is the first country in the bloc to move towards imposing a fine – which could have an EU-wide impact.
“These decisions not only affect these four companies, but may also provide guidance for other organizations using Google Analytics,” said Sandra Arvidsson, IMY’s legal advisor. He also noted that the necessary measures are now clear when it comes to transferring personal data to third countries.