Jul 04, 2023 12:18:00

First fine for data transfer using Google Analytics

Based on the EU General Data Protection Regulation (GDPR) policy that the Swedish data protection authority said, ``It is illegal to move EU user data to a server in the United States,'' Google Analytics is used to send data to the United States. A fine of 12 million kronor (about 160 million yen) was imposed on the communication provider that was transferring, and a fine of 300,000 kronor (about 4 million yen) was imposed on the retailer. This is the first time a company using Google Analytics has been fined under GDPR.

noyb win: First major fine (€ 1 million) for using Google Analytics

https://noyb.eu/en/noyb-win-first-major-fine-eu-1-million-using-google-analytics

Companies must stop using Google Analytics

https://www.imy.se/en/news/companies-must-stop-using-google-analytics/

Stop using Google Analytics, warns Sweden's privacy watchdog, as it issues over $1M in fines | TechCrunch
https://techcrunch.com/2023/07/03/google-analytics-sweden-gdpr-fines/

Despite the European Court of Justice ruling in 2020 that ``it is fundamentally illegal to transfer data between the EU and the United States,'' many EU companies have ignored the ruling, ``additional measures'' and `` We continue to use services from Google, Meta, Microsoft, Amazon, etc., relying on claims over 'Standard Contractual Clauses.'

Consumer rights group noyb, based in Vienna, Austria, has sued 101 websites in EU member states that have been identified as sending data to Google.

In January 2022, the Austrian data protection authority, Datenschutzbehörde, ruled that the transfer of data by an anonymous German company violated the GDPR. There were no penalties against the German company in question at this time.

Google Analytics may become illegal in the EU due to ruling that ``data transfer to Google is illegal'' - GIGAZINE

In February 2022, French authorities also determined that data transfer by Google Analytics is illegal.

``Use of Google Analytics is illegal'' declared by data protection agency, ordering website operator to exclude Google Analytics - GIGAZINE

This time, Integritetsskyddsmyndigheten (IMY), a Swedish data protection authority, conducted an audit of four companies: provider Tele2, retailer CDON, Coop, and Dagens Industri. All four companies used Google Analytics to transfer personal data in accordance with the Standard Contractual Clauses.

IMY determined that the technical security measures were inadequate and decided to impose an administrative fine of 12 million kronor on Tele2 and 300,000 kronor on CDON. In addition, 3 companies except Tele2, which has already stopped using Google Analytics, have been ordered to stop using Google Analytics. This is the first time a company has been fined for violating the GDPR for using Google Analytics.

The GDPR allows data transfers to and from countries determined by the European Commission to provide an adequate level of protection for personal data. However, as a result of the lawsuit brought against Facebook by Mr. Maximilian Schrems of Austria, the 2000 Safe Harbor Agreement , which was the basis for data transfer from the EU to the United States, was invalidated by the 'Schrems II judgment', and the United States does not meet the required level of protection for data transfer partners from the EU. This decision once again presents a refusal to transfer data from the EU to the United States.

In addition, noyb states that a new agreement between the EU and the United States will be issued in July 2023. However, since the content of the agreement is the same as the previous one, it seems very likely that it will be canceled by the European Court of Justice.