Background information
- Date of decision: 30 June 2023
- Cross-border case or national case: National case
- Controller: CDON, Coop, Dagens Industri, Tele2
- Legal references: Article 4 (Definitions), Article 46 (Transfers by way of appropriate safeguards)
- Decision: Administrative fine, Compliance order
- Key words: International transfer, Pseudonymisation, Definition of personal data, Data security
Summary of the Decision
Origin of the case
IMY has audited how four companies transfer personal data to the US via Google Analytics, which is a tool for measuring and analysing traffic on websites. The companies audited are CDON, Coop, Dagens Industri and Tele2. The audits concern a version of Google Analytics from 14th of August 2020.
The audits are based on complaints from the organisation None of Your Business (NOYB) in the light of the Schrems II ruling by the European Court of Justice (CJEU). The complaints allege that the companies, in violation of the law, transfer personal data to the United States.
Key Findings
If there is no decision on an adequate level of protection by the European Commission, data may be transferred to a third country based on standard contractual clauses that the European Commission has decided on. However, according to the CJEU, such standard contractual clauses may need to be supplemented with additional safeguards if it is necessary for the protection that the clauses are intended to provide to be maintained in practice.
In its audits, IMY considers that the data transferred to the US via Google's statistics tool is personal data because the data can be linked with other unique data that is transferred. The authority also concludes that the technical security measures that the companies have taken are not sufficient to ensure a level of protection that essentially corresponds to that guaranteed within the EU/EEA.
Decision
All four companies have based their decisions on the transfer of personal data via Google Analytics on standard contractual clauses. From IMY's audits, it appears that none of the companies' additional technical security measures are sufficient. IMY issues an administrative fine of 12 million SEK against Tele2 and 300,000 SEK against CDON, which have not taken the same extensive protective technical supplementary measures as Coop and Dagens Industri. Tele2 has recently stopped using the statistics tool on its own initiative. IMY orders the other three companies to stop using the tool.
For further information:
The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.