IMY (Sweden) - DI-2020-11370: Difference between revisions

From GDPRhub
Latest revision as of 08:36, 5 July 2023

IMY - DI-2020-11370
Authority: IMY (Sweden)
Jurisdiction: Sweden
Relevant Law: Article 44 GDPR
Article 46 GDPR
Article 60 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 30.06.2023
Published:
Fine: n/a
Parties: Dagens Industri Aktiebolag
National Case Number/Name: DI-2020-11370
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Swedish
Original Source: IMY (in SV)
Initial Contributor: n/a

The Swedish DPA held that by using Google Analytics provided by Google LLC, Dagens Industri breached Article 44 GDPR. SCCs and safeguards that were in place could not support data transfers to the US in a way that would not undermine the level of protection of personal data guaranteed by the GDPR.

English Summary

Facts

Dagens Industri Aktiebolag (the controller) used the Google Analytics tool provided by Google LLC (the processor) on its website. Through the use of this tool, the controller transferred users' personal data to the processor, which stored it on servers in different countries, including the US.

In 2020, noyb lodged a complaint against the controller with the Austrian DPA, alleging that the transfer of personal data through the use of the Google Analytics tool violated the provisions of Chapter V GDPR.

The complaint was transferred to the Swedish DPA in its capacity as lead supervisory authority pursuant to Article 56 GDPR. Following the complaint, the DPA investigated the data transfers from the controller to the US through the use of Google Analytics.

In its defense, the controller stated that, according to its internal assessments, individuals were not identifiable on the basis of the transferred data. It added that the transfer was based on SCCs concluded with Google Analytics pursuant to Article 46 GDPR and that it had put additional safeguards in place.

Holding

Firstly, the DPA assessed whether the data processed through the Google Analytics tool constituted personal data and found that it did. Generic IP addresses and users' unique identifiers collected through cookies were transmitted to Google LLC. The DPA noted that although such unique identifiers would not in themselves make users identifiable, they could be combined with additional elements and make it possible to distinguish individual visitors.

Secondly, the DPA held that Dagens Industri decided to implement the Google Analytics tool on its website for its own analytics purposes. By determining the means and purposes of the processing, Dagens Industri qualified as the controller.

Thirdly, the DPA assessed whether the transfer was compatible with Article 44 GDPR and whether it was supported by a transfer basis under Chapter V GDPR. Referring to the CJEU's Schrems II judgment, the DPA noted that the use of SCCs is not in itself sufficient to achieve an acceptable level of protection in the context of data transfers to the US and that an analysis of the national provisions must be carried out. Under US national law, Google LLC, as a provider of electronic communication services, is subject to surveillance by the intelligence agencies and is thus obliged to provide the US government with personal data. According to the Schrems judgment, which the DPA considered up to date, this legislation does not meet the requirements of EU law.

Fourthly, considering that the SCCs were not sufficient, the DPA assessed whether the controller and the processor had implemented additional safeguards for the data transfers. It noted that technical measures were in place but that these measures did not prevent the US intelligence agency from accessing the data.

In conclusion, the DPA found that the transfer of data could not rely on any of the Chapter V tools and that the controller undermined the level of protection of the data subjects' data, in breach of Article 44 GDPR. Taking into account that the controller had carried out an extensive analysis of the processing and implemented measures to try to limit the risk of breaches, the DPA decided not to impose a fine and only to order the controller to remedy the deficiency.

Comment

See press release from the IMY: https://www.imy.se/nyheter/fyra-bolag-maste-sluta-anvanda-google-analytics/

This complaint is part of noyb's 101 complaints project. This decision was published along with three other decisions. Summaries are available on the hub: CDON, Coop and Tele2.


English Machine Translation of the Decision

The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.







                                                                        Dagens Industri Aktiebolag
                                                                        Gjörwellsgatan 30
                                                                        11260 Stockholm






Diary number: DI-2020-11370
Date: 2023-06-30

Decision after supervision according to the data protection regulation - Dagens Industri Aktiebolag's transfer of personal data to third countries





Content

The Privacy Protection Authority's decision
1 Description of the supervisory matter
    1.1 The processing
    1.2 What is stated in the complaint
    1.3 What Dagens Industri has stated
        1.3.1 Who has implemented the Tool and for what purpose, etc.
        1.3.2 Recipient of the data
        1.3.3 The data processed in the Tool and which of it constitutes personal data
        1.3.4 Categories of persons affected by the processing
        1.3.5 When the code for the Tool is executed and recipients are provided access
        1.3.6 How long the personal data is stored
        1.3.7 In which countries the personal data is processed
        1.3.8 Dagens Industri's relationship with Google LLC
        1.3.9 Ensuring that the processing does not take place for the recipients' own purposes
        1.3.10 Description of Dagens Industri's use of the Tool
        1.3.11 Own checks on transfers affected by the judgment Schrems II
        1.3.12 Transfer tool according to chapter V of the data protection regulation
        1.3.13 Control of obstacles to enforcement in legislation in third countries
        1.3.14 Additional safeguards taken in addition to those taken by Google
        1.3.15 Dagens Industri's assessment and conclusion regarding whether the data can be considered identifiable
    1.4 What Google LLC has stated
2 Justification of the decision
    2.1 The framework for the review
    2.2 This concerns the processing of personal data
        2.2.1 Applicable regulations, etc.
        2.2.2 The Privacy Protection Authority's assessment
    2.3 Dagens Industri is the personal data controller for the processing
    2.4 Transfer of personal data to third countries
        2.4.1 Applicable regulations, etc.
        2.4.2 The Privacy Protection Authority's assessment
3 Choice of intervention
    3.1 Legal regulation
    3.2 Should a penalty fee be imposed?
    3.3 Other interventions
4 Appeal reference
    4.1 How to appeal

Postal address: Box 8114, 104 20 Stockholm
Website: www.imy.se
E-mail: imy@imy.se
Phone: 08-657 61 00





















































The Privacy Protection Authority's decision

The Swedish Privacy Protection Authority finds that Dagens Industri Aktiebolag processes personal data in violation of Article 44 of the Data Protection Regulation by using, since August 14, 2020 and until the day of this decision, the Google Analytics tool, which is provided by Google LLC, on its website www.di.se, thereby transferring personal data to third countries without the conditions in Chapter V of the Regulation being fulfilled.

The Privacy Protection Authority orders Dagens Industri Aktiebolag, pursuant to Article 58.2 d of the Data Protection Regulation, to ensure that the company's processing of personal data within the framework of Dagens Industri's use of the Google Analytics tool complies with Article 44 and the other provisions of Chapter V. This shall in particular be done by Dagens Industri Aktiebolag ceasing to use the version of the Google Analytics tool used on August 14, 2020, unless sufficient protective measures have been taken. The measures must be completed no later than month after this decision became final.


1 Description of the supervisory matter

1.1 The processing

The Swedish Privacy Protection Agency (IMY) has started supervision of Dagens Industri Aktiebolag (hereinafter "Dagens Industri" or "the company") due to a complaint.

The complaint concerns an alleged violation of the provisions of Chapter V of the Data Protection Regulation linked to the transfer of the complainant's personal data to a third country. The transfer allegedly took place when the complainant visited the company's website, www.di.se (hereinafter "the company's website" or the "Website"), through the Google Analytics tool (hereinafter the "Tool") provided by Google LLC.

The complaint has been handed over to IMY, in its capacity as the responsible supervisory authority according to Article 56 of the Data Protection Regulation. The handover has taken place from the supervisory authority in the country where the complainant filed the complaint (Austria) in accordance with the Regulation's provisions on cooperation in cross-border processing.

The proceedings at IMY have taken place through an exchange of letters. Since the matter concerns cross-border processing, IMY has used the mechanisms for cooperation and consistency found in Chapter VII of the Data Protection Regulation. The supervisory authorities concerned have been the authorities in Germany, Norway, Denmark, Estonia and Portugal.

1.2 What is stated in the complaint

The complaint essentially states the following.

On August 14, 2020, the complainant visited Dagens Industri's website. During the visit, the complainant was logged into his Google account, which is linked to the complainant's e-mail address. The company had implemented JavaScript code for Google services, including Google Analytics, on its website. In accordance with clause 5.1.1 b of the terms of Google's processing of personal data for Google's advertising products and also Google's terms for processing "the New Order Data Processing Conditions for Google Advertising Products", Google processes personal data on behalf of the personal data controller (i.e. the company). Google LLC shall therefore, according to the above-mentioned terms, be classified as the company's personal data processor.

[1] regarding the processing of personal data and on the free movement of such data and on the repeal of Directive 95/46/EC (General Data Protection Regulation).


During the complainant's visit to the company's website, Dagens Industri processed the complainant's personal data, at least the complainant's IP address and data collected through cookies. Some of the data collected was transferred directly to Google. In accordance with clause 10 of the terms for the processing of personal data for Google's advertising products, Dagens Industri has approved that Google may process personal data about the complainant in the United States. Such a transfer of data requires legal support in accordance with Chapter V of the Data Protection Regulation.

According to the judgment of the European Court of Justice in Facebook Ireland and Schrems (Schrems II) [2], the company can no longer rely on a decision on an adequate level of protection for the transfer of data to the United States under Article 45 of the Data Protection Regulation. The company should not base the transfer of data on standard data protection clauses under Article 46.2 c of the Data Protection Regulation if the recipient country does not ensure adequate protection, with regard to Union law, for the personal data that is transferred.

Google shall be classified as a provider of electronic communications services within the meaning of 50 US Code § 1881 (4)(b) and is thus subject to surveillance by US intelligence agencies in accordance with 50 US § 1881a (section 702 of the Foreign Intelligence Surveillance Act, hereinafter "702 FISA"). Google provides the US government with personal data in accordance with these regulations. The company therefore cannot ensure adequate protection of the complainant's personal data when it is transferred to Google.


1.3 What Dagens Industri has stated

Dagens Industri Aktiebolag has essentially stated the following.

1.3.1 Who has implemented the Tool and for what purpose, etc.

Dagens Industri has made the decision to implement the Tool on the Website, which has been done by embedding the code for the Tool on the Website. The Tool is still active. The company is established in Sweden and has not made such a decision for any other European website.

The purpose of embedding the code for the Tool on the Website is to enable Dagens Industri to analyze how the Website is used, in particular to be able to follow the use of the Website over time.

The Website is aimed at Swedish visitors, but it cannot be ruled out that individuals from other countries have visited the Website and thus may be covered by the statistics.








[2] ECJ judgment Facebook Ireland and Schrems (Schrems II), C-311/18, EU:C:2020:559.
[3] See https://www.govinfo.gov/content/pkg/USCODE-2011-title50/html/USCODE-2011-title50-chap36-subchapVI-sec1881.htm and https://www.govinfo.gov/content/pkg/USCODE-2011-title50/html/USCODE-2011-title50-chap36-subchapVI-sec1881a.htm.






The data (including any personal data) that is transferred to the Tool may be stored on servers in various countries, including the United States. As a user of the Tool, it is not possible to control which servers are used to store data in the Tool.

1.3.2 Recipient of the data

Within the framework of Dagens Industri's use of the Tool on the Website, personal data is disclosed to a number of actors, all of whom are personal data processors or subcontractors to Dagens Industri, including Google LLC, Google Ireland Ltd and their processors.

1.3.3 The data processed in the Tool and which of it constitutes personal data

Within the framework of Dagens Industri's use of the Tool on the Website, the company and its personal data processors (the Recipients) process the information specified below.

• Page view data – for example URL, clicks in menus, articles visited, reading time and how long the visitor watches a video.
• Technical information about the device – for example, cookie value (which is hashed before it is transferred to the Tool, but was not hashed when the complainant visited the Website), operating system and screen size.
• User category – for example, a flag that shows whether the visitor is a subscriber or not. [4]
• So-called "own dimensions" – for example, which version of the publishing platform a page view occurred on, and information about the article (for example, authors).
• IP addresses – IP addresses are processed both when the Google Analytics measurement script is loaded and when measured data is to be transferred to the Tool. The IP address that is processed together with measured data (page view data etc.) is anonymized through the company's proprietary process, which is managed on an EU-based infrastructure, before being sent together with the measured data to the Tool (see more about this below).

Dagens Industri assesses that the categories Page view data, Technical information about device, User category and "own dimensions" can be considered personal data only in cases where the company can link this data to an individual through supplementary information that the company has in other systems, which is not always the case. Dagens Industri regards IP addresses as personal data until they are anonymized.


1.3.4 Categories of persons affected by the processing

The categories of persons affected by the processing are visitors to the Website. These may be Dagens Industri's paying subscribers or visitors without a digital account.

Information about particularly vulnerable persons is not processed. The site is aimed primarily at adults in their professional role or who have an interest in economics and business issues. It is not aimed at children or other particularly vulnerable groups.

1.3.5 When the code for the Tool is executed and recipients are provided access

The code for the Tool's content, i.e. the script that measures the data sent to the Tool, is only run if the visitor has given consent to Dagens Industri using analysis cookies on the Website. If the visitor has given consent, the data measured by the script is first sent to Dagens Industri's proxy server, where the majority of the security-enhancing measures are implemented, for example anonymization of the IP address. A subset of the measured data is then transmitted in encrypted form from the proxy server to the Tool provided by Google (see below).

[4] Note that identifying information such as the actual subscription ID is not transferred, but only a value that represents the category "subscriber" or "not subscriber" (1 or 0).


Google LLC, Google Ireland and other personal data processors and sub-processors may access the pseudonymised data stored in the Tool to the extent required for the processor or sub-processor to be able to perform the service, including support and troubleshooting services.

1.3.6 How long the personal data is stored

The data measured on the Website and transferred to the Tool is stored in the Tool for 26 months and is then deleted. Dagens Industri stores the data in order to be able to analyze the use of the Website over time, specifically to be able to make annual comparisons and thereby analyze how usage changes. Dagens Industri has judged that it is necessary to be able to compare usage over at least two annual cycles. To be able to analyze and produce statistics on these changes, the company needs to store the measured data for 26 months.

1.3.7 In which countries the personal data is processed

The data transferred to the Tool is stored, among other places, in the United States.

1.3.8 Dagens Industri's relationship to Google LLC

The Tool is provided through an agreement between Dagens Industri and a Swedish limited company (hereinafter the "Supplier"). Google Ireland Ltd is in turn a subcontractor to the Supplier. Dagens Industri has entered into a personal data processing agreement with the Supplier, which regulates the personal data processing by the Supplier and its subcontractors.

Because the purposes and means of the processing are determined in their entirety by Dagens Industri, Google LLC and Google Ireland Ltd are personal data processors for the personal data processing that is relevant in relation to the Tool.

Dagens Industri has also entered into a personal data processing agreement directly with Google LLC to meet the formal requirements of the standard contractual clauses, i.e. that these must be formally entered into directly between the personal data controller and the processor in a third country.

1.3.9 Ensuring that the processing does not take place for the recipients' own purposes

1.3.9.1 General

Dagens Industri takes care to engage only suppliers that can meet the company's high requirements for secure and lawful processing of personal data. Before a supplier is selected, an assessment is made of the supplier's ability to maintain an acceptable level of security, including protecting the personal data to be processed. Dagens Industri has also drawn up an audit plan under which the company intends to carry out audits of the most important suppliers, based on a rolling schedule. Dagens Industri also conducts a continuous dialogue with Google, in which security and data protection issues are discussed.


                               1.3.9.2 Agreement with the Supplier
                               Through the assistance agreement with the Supplier and the documented instructions
                               issued by Dagens Industri in this regard, it has been contractually ensured that the
                               Supplier and its subcontractors do not process personal data for their own or third
                               party purposes. The assistance agreement thus contains special provisions
                               (section 3.2.1) that the Supplier may only process personal data in accordance with
                               Dagens Industri's documented instructions. Appendix 2 to the assistance agreement makes
                               clear that the Supplier is under no circumstances entitled to process personal data for
                               its own purposes.


                               As an incentive to comply with the requirements set out in the assistance agreement and
                               to emphasize its importance, the Supplier has an obligation to compensate Dagens
                               Industri if the Supplier were to breach the agreement or applicable data protection
                               legislation and this causes damage to Dagens Industri.

                               The assistance agreement with the Supplier also enables Dagens Industri to request
                               documentation and conduct audits of systems and procedures to ensure that
                               the processing takes place in accordance with Dagens Industri's documented instructions and
                               applicable data protection legislation.

                               In the event that Dagens Industri has reason to assume that the Supplier does not comply
                               with the requirements stated in the assistance agreement, Dagens Industri intends to
                               carry out an audit. The Supplier also has the right to request documentation and carry
                               out audits in relation to Google (section 7.5 of Google's assistance agreement).

                               Dagens Industri can also request an audit of Google's systems and
                               procedures in accordance with the assistance agreement with the Supplier (section 8.5).


                               1.3.10 Description of Dagens Industri's use of the Tool
                               Dagens Industri uses the Tool to collect quantitative data (web statistics)
                               about how the Website is used, and to make analyses based on this data.
                               Web statistics can, for example, show which pages are most visited, which paths
                               visitors take through the Website, and from which pages visitors leave the Website.
                               Web analytics can also provide insight into the frequency of visits and which content is
                               viewed for the longest time. The analysis carried out with the help of the Tool can, for
                               example, form the basis for product improvements.


                               1.3.11 Own checks on transfers affected by the Schrems II judgment
                               After the Schrems II judgment was published on July 16, 2020, Dagens Industri began, at
                               the end of July 2020, a project to map transfers of personal data to third countries
                               generally. The project did not concern the Tool specifically but covered third country
                               transfers in general. When Dagens Industri became aware of, among other things, the
                               current complaint, a project relating specifically to the use of the Tool was launched
                               on 18 August 2020. Relatively soon after the judgment, the company was able to establish
                               that it is relevant to the data transfer that takes place within the framework of the
                               Tool, and Dagens Industri has subsequently taken relevant protective measures, see
                               below.


                               1.3.12 Transfer tool according to chapter V of the data protection regulation
                               Dagens Industri has entered into a personal data processing agreement directly with Google LLC.
                               Google's standard contractual clauses are part of the assistance agreement. It appears
                               from the assistance agreement that Google is bound by the clauses (clause 10.2). The
                               clauses are based on Commission Decision 2010/87/EU for transfers from a personal data
                               controller within the EU/EEA to a personal data processor outside the EU/EEA. These
                               terms and conditions apply automatically when Google's personal data processing
                               agreement is concluded and thus do not need to be signed separately to be applicable.
                               This is clear from the preamble to the Google Standard Terms of Agreement. According to
                               Swedish law, which shall be applied to the standard contractual clauses, this means that
                               these become part of the contract.


                                Google's standard contractual clauses also form part of the personal data processor
                                agreement with the Supplier in accordance with Appendix 2 of the assistance agreement
                                with the Supplier.

                                Dagens Industri has also entered into a personal data processing agreement with the
                                Supplier, where Google Ireland Ltd acts as sub-processor and in turn has certain
                                sub-processors in third countries. This agreement also applies Google's standard
                                contractual clauses as the transfer tool.


                                1.3.13 Control of obstacles to enforcement in legislation in third countries
                                Dagens Industri has not yet been able to ascertain with certainty whether there is
                                anything in the third country's legislation that prevents the recipients from fulfilling
                                their contractual obligations under the standard contractual clauses. The company has
                                therefore, as a precaution, assumed that this is the case and has taken special
                                technical protective measures to ensure that the protection of the data processed in
                                the Tool reaches an acceptable level.


                                1.3.14 Additional safeguards taken in addition to those taken by Google


                                1.3.14.1 Introduction

                                Dagens Industri has carried out a detailed mapping of the life cycle of the personal
                                data processed in the Tool, and has thereby identified and implemented a number of
                                additional protective measures. The measures are visualized in an overview in the image
                                below and are commented on further in the subsequent sections.




























                                1.3.14.2 Control over collection and transfer of data to the Tool

                                A common way of using the Tool, if no additional protective measures are taken, means
                                that the data measured via the Website's measurement script is transmitted directly to
                                the Tool's servers, without first passing through a control point at the personal data
                                controller using the Tool.

                                Because the Tool's servers can be located both inside and outside the EU/EEA, use of
                                the Tool leads to measured data being transferred to third countries. The Tool has a
                                function that lets users of the Tool choose to anonymize the IP address (truncation)⁵
                                that is transmitted together with the measured data. Because the anonymization takes
                                place only after the IP address has been transferred to the Google Analytics servers,
                                a third country transfer occurs, according to Dagens Industri, before the anonymization
                                takes place.

                               Dagens Industri has taken protective measures before data is transferred to the Tool.
                               To take control over which data is transferred to the Tool's servers outside the EU/EEA,
                               the company has implemented technical measures which mean that the data collected via
                               the Google Analytics measurement script on the Website is, in a first step, transferred
                               to a proxy server located within the EU, where the data is processed so that it cannot
                               thereafter be used to identify an individual. The software used has been developed by
                               and is owned by Dagens Industri, and is hosted by Google Ireland Ltd as part of Google
                               Cloud Platform ("GCP"). GCP is thus used only as rented infrastructure on which to run
                               the proxy server's code. The processing of data on GCP takes place exclusively at data
                               centers within the EU. Dagens Industri is the personal data controller for the
                               processing that takes place in the proxy server.

                               By introducing this control point, Dagens Industri can ensure that no data is
                               transferred to servers outside the EU/EEA without first having undergone protective
                               measures (see further below). Transmission to the proxy server is encrypted with Secure
                               Sockets Layer ("SSL"), a technology that enables encrypted communication between a
                               browser and a server.

                               1.3.14.3 Anonymization of IP address and algorithm

                               The information that can in some cases be linked to an individual and that is
                               transferred from the Website to the proxy server is the IP address and the cookie value.
                               The examples below illustrate what these values can look like before and after they are
                               processed on the proxy server.

                               Before processing on proxy server:

                                   Data

                                       • IP address: plain text, e.g. 176.10.253.34
                                       • Cookie value: plain text, e.g. 744100309.1604572939

                               Before the measured data is transferred to the Tool, the following is carried out on the proxy server:

                                       • Anonymization of IP address. The visitor's IP address is anonymized by
                                            generalization and aggregation, where the last octet of the IPv4 address
                                            is replaced by ".0".
                                       • Hashing of the cookie value. The cookie value measured on the Website can
                                            either be completely anonymous (when the company cannot connect the
                                            cookie value to data in its other systems) or constitute pseudonymised
                                            personal data (when the company can connect the cookie value to data in
                                            its other systems). As an additional protective measure before
                                            transmission to the Tool takes place, the cookie value from the visitor's
                                            client is hashed with a "salt".⁶ The hashing of the cookie value
                                            constitutes additional protection against the risk that US authorities
                                            may connect "intercepted data" (i.e. data which could possibly be read by
                                            signals intelligence software either "at rest" in the Tool or "in
                                            transfer") with identifying data to which US authorities could
                                            potentially gain access in another way.

                               5 IP address truncation means that asterisks or zeros replace other digits in the last octets (the last digits of an IP
                               address, a number between 0 and 255).
                               6 See information on "Keyed-hash function with stored key" in the Article 29 Group's guidance on
                               anonymization techniques.


                               After the actions described above have been carried out, the IP address and the cookie
                               value can, for example, look like the following:

                                   Data

                                        • IP address: anonymized, e.g. 176.10.253.00
                                        • Cookie value: hashed, e.g. 35009a79-1a05-49d7-b876-2b884d0f825b

                               The transfer of the data then takes place via SSL encryption from the proxy server to
                               the Tool.
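
                               As an added illustration (not Dagens Industri's software and not part of the decision),
                               the two proxy-side steps described above look like this in Python. HMAC-SHA256 as the
                               keyed hash, the UUID-shaped output, the field names and the key are assumptions.

```python
"""Proxy-side scrubbing of a measurement hit before it is forwarded.

Added illustration of the two steps the text describes. Field names,
the key and the choice of HMAC-SHA256 are assumptions of this example.
"""
import hashlib
import hmac
import ipaddress
import uuid
from typing import Optional

# Constructed key. In the scheme the text describes, the key ("salt") is
# stored on the EU proxy; whoever holds it can recompute the mapping.
PROXY_KEY = b"constructed-example-key"


def truncate_ipv4(raw: str) -> Optional[str]:
    """Replace the last octet of an IPv4 address with 0 (a /24 generalization).

    Returns None for anything that is not a valid IPv4 address, so the caller
    forwards no address at all rather than an unprocessed one (assumption:
    the text only describes IPv4 handling).
    """
    try:
        addr = ipaddress.ip_address(raw.strip())
    except ValueError:
        return None
    if addr.version != 4:
        return None
    network = ipaddress.ip_network(f"{addr}/24", strict=False)
    return str(network.network_address)


def hash_cookie(cookie_value: str, key: bytes = PROXY_KEY) -> str:
    """Keyed hash (HMAC-SHA256) of the cookie value, rendered UUID-shaped.

    The UUID-style rendering is an assumption that mirrors the shape of the
    example value in the text; the algorithm actually used is not stated.
    """
    digest = hmac.new(key, cookie_value.encode("utf-8"), hashlib.sha256).digest()
    return str(uuid.UUID(bytes=digest[:16]))


def scrub_hit(hit: dict, key: bytes = PROXY_KEY) -> dict:
    """Return a copy of the hit with the IP truncated and the cookie hashed."""
    forwarded = {k: v for k, v in hit.items() if k not in ("ip", "cookie")}
    ip = truncate_ipv4(str(hit.get("ip", "")))
    if ip is not None:
        forwarded["ip"] = ip
    if "cookie" in hit:
        forwarded["cookie"] = hash_cookie(str(hit["cookie"]), key)
    return forwarded


if __name__ == "__main__":
    # Constructed hits that reuse the sample values from the text.
    hits = [
        {"ip": "176.10.253.34", "cookie": "744100309.1604572939", "page": "/a"},
        {"ip": "176.10.253.34", "cookie": "744100309.1604572939", "page": "/b"},
        {"ip": "2001:db8::1", "cookie": "111111111.1604570000", "page": "/a"},
    ]
    for hit in hits:
        print(scrub_hit(hit))
    # The first two hits forward the same cookie value: the keyed hash is
    # deterministic, so page views of one visitor stay linkable to each other
    # (a pseudonym, in the terms of footnote 6), while the third hit is
    # forwarded without any address because it is not IPv4.
```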

                               Anonymization of the visitor's IP address takes place when it is to be transferred
                               together with the measured page view data etc. (see above for which data points are
                               measured). Prior to this, the IP address has been exposed to the Tool on the occasion
                               when the Google Analytics measurement script was loaded, via encrypted transmission,
                               into the visitor's browser from the Tool's server. It is not possible to associate the
                               IP address with the page view data etc. that are measured at a later time on the
                               Website. Dagens Industri has therefore assessed that this exposure of the IP address
                               does not pose any privacy risk to visitors to the Website.

                               Regarding the time of the visit to the Website, Google LLC may indirectly infer the time
                               of the visit, but this possibility is very limited. Google has configured the server on
                               which 'analytics.js' is provided so that the JavaScript file is cached in the receiving
                               terminal's application cache for two hours, regardless of which website it is first
                               obtained through (i.e. not necessarily the Website). During this time period, no further
                               calls are made in which the IP address is exposed in its entirety, which means that the
                               measured page view data transmitted via Dagens Industri's proxy server to Google LLC
                               (first transfer) very rarely has a temporally corresponding machine log at Google LLC
                               linked to the transmission of 'analytics.js' (second transfer). In combination with the
                               fact that visitors most often use the Website as a source of information at work and/or
                               have during the previous two hours visited another website using Google Analytics (most
                               likely, given that it is present on about 74% of the world's 10,000 most popular
                               websites), this means that a large proportion of the visits to the Website result only
                               in transmitted page view data from Dagens Industri's proxy server and no loading of the
                               Tool with the associated transfer of the IP address. This greatly hinders any attempt to
                               connect machine logs from the transmission of the Tool with transmitted page view data
                               from Dagens Industri's proxy server and, according to Dagens Industri, reduces the risk
                               to beyond "reasonable probability".



















                                1.3.14.4 More about checking that additional measures can be implemented in practice, etc.
                                Dagens Industri's considerations regarding the measures the company has implemented
                                are based on the EDPB's recommendations on how individual third country transfers
                                must be assessed based on their specific legal context (point 33).⁷

                                The security-enhancing measures mainly consist of the responsibility for and control
                                over the phases of the life cycle that Dagens Industri has taken before the data is
                                transferred to the Tool. The risk assessment has taken as its starting point that the
                                protection of the data subjects is best achieved by disconnecting the data transferred
                                outside the EU/EEA from the data subject and the technical device he or she uses to
                                visit the Website, and by the company controlling the process that ensures that these
                                measures are carried out.


                                1.3.14.5 Dagens Industri's conclusion of a sufficient level of security protection
                                Taking into account the implemented measures, Dagens Industri assesses that the risk
                                that the privacy or rights of the data subjects would be violated through the use of
                                the Tool is very small. The company's overall assessment is thus that a sufficient
                                level of protection is achieved through the implemented measures.


                                1.3.15 Dagens Industri's assessment and conclusion regarding whether the data can
                                be considered identifiable


                                1.3.15.1 The company's assessment regarding whether the data can be considered identifiable

                                Dagens Industri believes that it is not obvious that an assessment leads to the
                                conclusion that the data in question – IP address, certain system information and
                                visited web address – constitute personal data.

                                Recital 26 of the data protection regulation states, among other things, the following:

                                "To determine whether a natural person is identifiable, account should be taken of all
                                the means reasonably likely to be used, such as singling out, either by the controller
                                or by another person to identify the natural person directly or indirectly. To
                                ascertain whether means are reasonably likely to be used to identify the natural
                                person, account should be taken of all objective factors, such as the costs of and the
                                amount of time required for identification, taking into consideration the available
                                technology at the time of the processing and technological developments."

                                The Article 29 Working Party has, in its guidance on the concept of personal data,⁸
                                further specified how the assessment should proceed:

                                "Recital 26 of Directive 95/46 (repealed) pays particular attention to the term
                                "identifiable" when it says that "to determine whether a person is identifiable,
                                account should be taken of all the means that can reasonably be used either by the
                                personal data controller or by any other person to identify the person". This means
                                that a purely hypothetical possibility of singling out the individual is not sufficient
                                to consider the person as "identifiable". If this possibility, taking into account "all
                                the means that can reasonably be used by the personal data controller or any other
                                person", does not exist or is negligible, the person should not be considered
                                "identifiable", and the information would not be considered "personal data". The
                                criterion "all the means that can reasonably be used either by the personal data
                                controller or by any other person" should take particular account of all the factors at
                                stake. The cost of conducting identification is a factor, but not the only one[a]. [If
                                the data is intended to be stored for one month, identification cannot be expected to
                                be possible during the "lifetime" of the information and they should not be considered
                                as personal data." ¹⁰

                                7 EDPB's Recommendations 01/2020 on measures to complement transfer tools to ensure
                                compliance with the EU level for the protection of personal data, Version 2.0, adopted on 18 June 2021.
                                8 WP 136. Article 29 Working Party Opinion 4/2007 on the concept of personal data, adopted on 20 June 2007.
                                9 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with
                                regard to the processing of personal data and on the free flow of such data.


                                Furthermore, the guidance states the following:

                                "A relevant factor, as mentioned earlier, in assessing "all the means that can
                                reasonably be used" to identify the persons will in fact be the purpose pursued by the
                                data controller in the data processing." ¹¹


                                1.3.15.2 The company's conclusion regarding whether the data can be considered identifiable
                                Dagens Industri has concluded that, for there to be personal data under the Data
                                Protection Regulation, the assessment of whether individuals are identifiable must be
                                based on all the relevant circumstances and assess the reasonable probability of
                                identification, of which the purpose of the processing is one circumstance. Because the
                                purpose of the processing is not to identify individuals, technical protection measures
                                constitute an especially important factor in the assessment of whether individuals can
                                be identified.

                                Against this background, Dagens Industri comes to the conclusion that it is not obvious
                                that an assessment in accordance with the Article 29 Working Party's guidance leads to
                                the conclusion that the data in question – IP address, certain system information and
                                web address visited – constitutes personal data.

                                The assessment that individuals are not identifiable has been made taking into account
                                the following circumstances, i.e. (i) the cost of identification, (ii) the purpose of
                                the processing, (iii) how the processing is structured, (iv) the benefits that the
                                personal data controller expects from the processing, (v) which interests are at stake
                                for the natural person, and (vi) the duration of the processing. The purpose of the
                                processing is not to identify individuals, but constitutes technical protection
                                measures. According to Dagens Industri, it is not at all obvious that an assessment in
                                accordance with the guidance leads to the conclusion that the data in question – IP
                                address, certain system information and visited web address – constitutes personal data.


                                1.4 What Google LLC has stated


                                IMY has added to the case an opinion from Google LLC (Google) on April 9, 2021, which
                                Google submitted to the Austrian supervisory authority. The statement answers questions
                                which IMY and a number of supervisory authorities have asked Google owing to the partly
                                joint handling of similar complaints received by these authorities.
                                Dagens Industri has been given the opportunity to comment on Google LLC's statement.
                                Google LLC's opinion states the following about the Tool.

                                JavaScript code is included on a web page. When a user visits (calls) a web page, the
                                code triggers a download of a JavaScript file. The Tool's tracking operation is then
                                performed, which consists of collecting information related to the call in different
                                ways and sending the information to the Tool's servers.





                                10 WP 136. Article 29 Working Party Opinion 4/2007 on the concept of personal data, adopted on 20 June 2007, page 15.
                                11 WP 136. Article 29 Working Party Opinion 4/2007 on the concept of personal data, adopted on 20 June 2007, pages 16
                                and 17.









                               A website administrator who has integrated the Tool on his or her website can send
                               instructions to Google for processing the data collected. These instructions are
                               transmitted via the so-called tag manager, which handles the tracking code that the
                               webmaster has integrated into the website, and via the tag manager's settings. Whoever
                               has integrated the Tool can make various settings, for example regarding storage time.
                               The Tool also makes it possible for whoever has integrated it to monitor and maintain
                               the stability of the website, for example by staying informed about events such as peaks
                               in visitor traffic or lack of traffic. The Tool also enables a website administrator to
                               measure and optimize the effectiveness of advertising campaigns carried out using
                               other tools from Google.

                               In this context, the Tool collects the visitor's http calls and information about,
                               among other things, the visitor's browser and operating system. According to Google, an
                               http call for any page contains information about the browser and device making the
                               call, such as domain name, and information about the browser, such as type, reference
                               and language. The Tool stores and reads cookies in the visitor's browser in order to
                               evaluate the visitor's session and other information about the call. Through these
                               cookies, the Tool is able to identify unique users (UUID) across browsing sessions, but
                               the Tool cannot identify unique users across different browsers or devices. If a website
                               owner's website has its own authentication system, the website owner can use the ID
                               feature to more accurately identify a user across all the devices and browsers they use
                               to access the website.

                               When the information is collected, it is transferred to the Tool's servers. All data
                               collected via the Tool is stored in the United States.

                               Google has introduced, among other things, the following legal, organizational and
                               technical protective measures to regulate data transfers within the framework of the
                               Tool.

                               Google has taken legal and organizational protective measures such that the company
                               always carries out a thorough examination of whether a request for access to user data
                               from government authorities can be implemented. It is lawyers/specially trained staff
                               who conduct these examinations and investigate whether such a request is compliant with
                               applicable laws and Google's guidelines. The data subjects are informed of the
                               disclosure, unless this is prohibited by law or would adversely affect an emergency.
                               Google has also published a policy on the company's website about how such requests for
                               access to user data by government authorities are to be handled.

                               Google has taken technical protective measures such as protecting personal data from
                               interception when data is transferred in the Tool. By default, HTTP Strict Transport
                               Security (HSTS) is used, which instructs browsers to use an encryption protocol, such as
                               http over SSL (HTTPS), for all communications between end users, websites and the
                               Tool's servers. Such encryption prevents intruders from passively listening to
                               communications between websites and users.

                               Google also uses encryption technology to protect personal data, so-called "data at
                               rest", in data centers, where user data is stored on a disk or backup media, to prevent
                               unauthorized access to the data.


                               In addition to the above measures, website owners can use IP anonymization by
                               using the settings provided by the Tool to limit Google's
                               use of personal data. Such settings include, above all, enabling IP anonymization
                               in the code for the Tool, which means that IP addresses are truncated and which
                               contributes to data minimization. If the IP anonymization service is fully used,
                               the anonymization of the IP address occurs almost immediately after the request has been received.


                                Google also restricts access to the data from the Tool through authorization control
                                as well as by all personnel having undergone training regarding
                                information security.





                                2 Justification of the decision


                                2.1 The framework for the review


                                Based on the complaint in the case, IMY has only reviewed whether Dagens Industri
                                transfers personal data to the third country USA within the framework of the Tool and whether
                                the company has legal support for this in Chapter V of the data protection regulation. The
                                supervision does not cover whether the company's personal data processing in general is
                                compatible with the data protection regulation.


                                2.2 This concerns the processing of personal data

                                2.2.1 Applicable regulations, etc.

                                In order for the data protection regulation to be applicable, it is required that personal data
                                is processed.

                                According to Article 1.2, the Data Protection Regulation aims to protect the fundamental
                                rights and freedoms of natural persons, in particular their right to the protection of personal data.

                                According to Article 4.1 of the Data Protection Regulation, personal data is "any information which
                                refers to an identified or identifiable natural person (hereinafter referred to as a data subject),
                                whereby an identifiable natural person is a person who directly or indirectly can be
                                identified in particular by reference to an identifier such as a name, an identification
                                number, location data or online identifiers or one or more factors
                                which are specific to the natural person's physical, physiological, genetic, psychological,
                                economic, cultural or social identity". To determine whether a natural person is
                                identifiable, one should consider all the means that, either by the
                                personal data controller or by another person, may reasonably be used
                                to directly or indirectly identify the natural person (recital 26 of the
                                data protection regulation).


                                The term personal data can include all information, both objective and
                                subjective information, provided that it "refers" to a specific person, which
                                it does if, due to its content, purpose or effect, it is linked to the person. 12

                                The word "indirectly" in Article 4.1 of the Data Protection Regulation indicates that it is not
                                necessary that the information itself makes it possible to identify the data subject for it to be
                                personal data. Recital 26 of the data protection regulation also states that in order to
                                determine whether a natural person is identifiable, all means, such as
                                singling out, which, either by the personal data controller
                                or by another person, may reasonably be used to directly or indirectly
                                identify the natural person, are to be taken into account. To determine whether means are
                                reasonably likely to be used to identify the natural person,
                                all objective factors, such as the costs of and time required for identification, should be
                                taken into account, with consideration of the technology available at the time of the processing.
                                Article 4.5 of the regulation states that pseudonymisation refers to the processing of
                                personal data in a way that means that the personal data can no longer be attributed to
                                a specific data subject without the use of supplementary data, provided
                                that these supplementary data are stored separately and are subject to technical and
                                organizational measures that ensure that the personal data is not attributed to an
                                identified or identifiable natural person.

                                12 ECJ judgment Nowak, C-434/16, EU:C:2017:994, paragraphs 34–35.
                                13 ECJ judgment Breyer, C-582/14, EU:C:2016:779, paragraph 41.


                                So-called "web identifiers" (sometimes referred to as "online identifiers"), e.g. IP addresses or
                                information stored in cookies, can be used to identify a user,
                                especially when combined with other similar types of information. According to recital 30 of the
                                data protection regulation, natural persons can be linked to online identifiers provided by
                                their equipment, e.g. IP addresses, cookies or other identifiers. This can leave behind
                                traces that, especially in combination with unique identifiers and other data that is
                                collected, can be used to create profiles of natural persons and identify them.


                                In its opinion from 2007, the Article 29 working group clarified what is meant by means
                                which can reasonably be used for identification regarding, among other things, IP
                                addresses. 14 The opinion states that the factors to consider in assessing all the means that can
                                reasonably be used to identify the person concerned include, among other things, the cost of
                                carrying out the identification, the intended purpose, how the processing is structured and
                                technical errors. On the other hand, consideration should be given to the state of the art at the
                                time of the processing and the possibilities for development during the period in which the data
                                will be processed; the factors are thus dynamic and may change over time.

                                The wording of recital 26 of Directive 95/46 implies, by the reference to all means
                                which may reasonably be used by the personal data controller or another
                                person, that it is not required that a single person possesses all the information that is necessary
                                to identify the data subject. 15

                                In the Article 29 Group opinion from 2007, example number 15 states the following about
                                dynamic IP addresses on a computer located at an Internet cafe where no
                                identification is required to use the internet: "[O]ne can argue that the data which is
                                collected regarding the use of computer X during a certain time does not make it possible to
                                identify the user by reasonable means and that it is therefore not personal data." 16

                                In the Breyer judgment, the European Court of Justice determined that a person is not considered
                                identifiable through certain information if the risk of identification is negligible in practice,
                                which it is if identification of the relevant person is prohibited by law or impossible to carry out
                                in practice. 17 However, in the judgment M.I.C.M. from 2021 and in the Breyer judgment, the European
                                Court of Justice established that dynamic IP addresses constitute personal data in relation to the
                                person who processes them, when that person also has a legal possibility of identifying the holders
                                of the internet connections using the additional information that third parties have at their
                                disposal. 18




                                14 Opinion 4/2007 on the concept of personal data, 01248/07/SV WP 136, page 16.
                                15 ECJ judgment Breyer, C-582/14, EU:C:2016:779, paragraph 43.
                                16 Opinion 4/2007 on the concept of personal data, 01248/07/SV WP 136, page 17 and 18.
                                17 ECJ judgment Breyer, C-582/14, EU:C:2016:779, paragraphs 45–46.
                                18 The judgment of the European Court of Justice M.I.C.M, C-597/19, EU:C:2021:492, paragraphs 102–104 and the judgment Breyer, C-582/14,
                                EU:C:2016:779, paragraph 49.








                                2.2.2 The Privacy Protection Authority's assessment

                                To determine whether the information processed through the Tool constitutes personal data,
                                IMY must take a position on whether Google or Dagens Industri, through the implementation of
                                the Tool, can identify individuals, e.g. the complainant, when they visit the Website, or whether
                                the risk of that is negligible. 19

                                IMY considers the data processed to be personal data for the following reasons.


                                The investigation shows that Dagens Industri implemented the Tool by inserting
                                JavaScript code (a tag), provided by Google, in the source code of the Website.
                                While the page loads in the visitor's browser, the JavaScript code is loaded from Google
                                LLC's servers and run locally in the visitor's browser. At the same time, a cookie is placed
                                in the visitor's browser and saved on the computer. The cookie contains a text file
                                which collects information about the visitor's activity on the Website. Among other things,
                                a unique identifier is set in the value of the cookie, and this unique identifier
                                is generated and managed by Google.


                                When the complainant visited the Website, or a sub-page of the Website, the following
                                information was transmitted via the JavaScript code from the complainant's browser to Google
                                LLC's servers:

                                    1. Unique identifier(s) that identified the browser or device used
                                         to visit the Website and a unique identifier that identifies the company
                                         (i.e. the company's Google Analytics account ID).
                                    2. Web address (URL) and HTML title of the website and web page that
                                         the complainant has visited.
                                    3. Information about browser, operating system, screen resolution,
                                         language setting and date and time of access to the Website.
                                    4. Complainant's IP address.


                                During the complainant's visit, the identifiers referred to in point 1 above were placed in
                                cookies named "_gads", "_ga" and "_gid" and subsequently transferred to Google LLC. These
                                identifiers were created with the aim of being able to distinguish individual visitors, such as
                                the complainant. The unique identifiers thus make the visitors to the Website
                                identifiable. Even if such unique identifiers (according to point 1 above) were not in themselves
                                considered to make individuals identifiable, it must be taken into account that in the present
                                case these unique identifiers can be combined with additional elements (according to
                                points 2–4 above) and that it is possible to draw conclusions from that
                                information (according to points 2–4 above), which means that the data constitutes
                                personal data, even if the IP address has not been transferred in its entirety.


                                If the information is combined (according to points 1–4 above), individual visitors to
                                the Website become even more distinguishable. It is thus possible to identify
                                individual visitors to the Website. That in itself is enough for the data to be considered
                                personal data. Knowledge of the actual visitor's name or physical address is not
                                required, because the differentiation (through the word "thinning" in recital 26 of
                                the data protection regulation, "singling out" in the English version) is in itself sufficient
                                to make the visitor indirectly identifiable. Nor is it required that Google or Dagens
                                Industri intends to identify the complainant; the possibility of doing so is in itself
                                sufficient to determine whether it is possible to identify a visitor. Objective
                                means that can reasonably be used, either by the personal data controller or
                                by someone else, are all means that can reasonably be used for the purpose of identifying
                                the complainant. Examples of objective means that can reasonably be used are access to
                                additional information held by a third party that would make it possible to identify
                                the complainant, taking into account both the technology available at the time of identification
                                and the cost (time required) of the identification.

                                19 See the judgment of the Court of Appeal in Gothenburg of 11 November 2021 in case no. 2232-21,
                                agreeing with the lower instance's assessment.


                                 IMY notes that the European Court of Justice, through the M.I.C.M. judgment and the Breyer
                                 judgment, established that dynamic IP addresses constitute personal data in relation to the person
                                 who processes them, when that person also has a legal possibility of identifying the holders of
                                 the internet connections using the additional information that third parties have at their
                                 disposal. 20 IP addresses do not lose their character as personal data solely
                                 because the means of identification are held by third parties. The Breyer judgment and
                                 the M.I.C.M. judgment should be interpreted on the basis of what is actually stated in the
                                 judgments, i.e. that if there is a legal possibility of gaining access to supplementary
                                 information for the purpose of identifying the complainant, it is objectively clear that there is
                                 a "means which can reasonably be used" to identify the complainant. According to IMY, the
                                 judgments should not be read conversely, to the effect that a legally regulated possibility of
                                 gaining access to data that can link IP addresses to natural persons must be demonstrated for the
                                 IP addresses to be considered personal data. An interpretation of the concept of personal data
                                 under which a legal possibility of linking such data to a natural person must always be
                                 demonstrated would, according to IMY, mean a significant limitation of the regulation's
                                 scope of protection and open up possibilities to circumvent the protection in the regulation. Such
                                 an interpretation would, among other things, be contrary to the purpose of the regulation according
                                 to Article 1.2 of the data protection regulation. The Breyer judgment was decided under the
                                 previously applicable Directive 95/46, and the concept of "singling out" according to recital 26
                                 of the current regulation (that knowledge of the actual visitor's name or physical address is not
                                 required, because the distinction in itself is sufficient to make the visitor identifiable) was
                                 not specified in the previously applicable directive as a method for identifying personal data.


                                 In this context there is also other information (according to points 1–3 above) with which the
                                 IP address can be combined to enable identification. Although the truncation 21
                                 of the last octet and the "hashing" of the cookie value constitute privacy-enhancing measures,
                                 since they limit the scope of the data that authorities (in the
                                 third country) can access, IMY notes that it is still possible to connect the transferred data to
                                 other data that is also transferred to Google LLC (to the USA). This makes identification
                                 possible, which in itself is sufficient for the data together to constitute
                                 personal data.
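
An added illustration of the reasoning above and in footnote 21 (it is not part of IMY's decision): the script truncates the last octet of IPv4 addresses and reports which visitors remain singled out once the truncated address is combined with the other transmitted fields. All hits, the field names and the `visitor` ground-truth label are constructed assumptions.

```python
"""Measure how much last-octet IP truncation reduces singling out.

All hits below are constructed sample data, not data from the decision.
Field names (visitor, cid, ip, ua, screen, lang, url) are hypothetical.
"""
import ipaddress
from collections import defaultdict

# Constructed hits. "visitor" is ground truth used only to score the result;
# an analytics backend would not have it. IPs are from documentation ranges.
HITS = [
    {"visitor": "A", "cid": "c-1001", "ip": "198.51.100.17",
     "ua": "Firefox/115; Linux", "screen": "1920x1080", "lang": "sv-SE", "url": "/"},
    {"visitor": "A", "cid": "c-1001", "ip": "198.51.100.17",
     "ua": "Firefox/115; Linux", "screen": "1920x1080", "lang": "sv-SE", "url": "/news"},
    {"visitor": "B", "cid": "c-1002", "ip": "198.51.100.42",
     "ua": "Chrome/114; Windows", "screen": "1920x1080", "lang": "sv-SE", "url": "/"},
    {"visitor": "C", "cid": "c-1003", "ip": "198.51.100.99",
     "ua": "Chrome/114; Windows", "screen": "1366x768", "lang": "sv-SE", "url": "/"},
    {"visitor": "D", "cid": "c-1004", "ip": "198.51.100.140",
     "ua": "Safari/16; macOS", "screen": "2560x1440", "lang": "en-GB", "url": "/"},
    {"visitor": "E", "cid": "c-1005", "ip": "198.51.100.200",
     "ua": "Chrome/114; Windows", "screen": "1920x1080", "lang": "sv-SE", "url": "/"},
    {"visitor": "F", "cid": "c-1006", "ip": "203.0.113.5",
     "ua": "Firefox/115; Linux", "screen": "1920x1080", "lang": "sv-SE", "url": "/"},
]


def truncate_ipv4(ip):
    """Zero the last octet of an IPv4 address (the truncation in footnote 21)."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example only models IPv4 last-octet truncation")
    return str(ipaddress.ip_network(f"{addr}/24", strict=False).network_address)


def candidate_addresses(truncated_ip):
    """Number of full addresses that collapse onto one truncated value."""
    return ipaddress.ip_network(f"{truncated_ip}/24").num_addresses


def anonymize(hits):
    """Return copies of the hits with the full IP replaced by its truncated form."""
    out = []
    for hit in hits:
        rec = {k: v for k, v in hit.items() if k != "ip"}
        rec["ip_trunc"] = truncate_ipv4(hit["ip"])
        out.append(rec)
    return out


def singled_out_visitors(hits, fields):
    """Visitors whose combination of `fields` is shared with no other visitor."""
    groups = defaultdict(set)
    for hit in hits:
        groups[tuple(hit[f] for f in fields)].add(hit["visitor"])
    return sorted(next(iter(v)) for v in groups.values() if len(v) == 1)


ANON = anonymize(HITS)

if __name__ == "__main__":
    print("addresses behind one truncated value:",
          candidate_addresses("198.51.100.0"))
    for fields in [("ip_trunc",),
                   ("ip_trunc", "ua", "screen", "lang"),
                   ("ip_trunc", "cid")]:
        print(f"{'+'.join(fields):32} singles out",
              singled_out_visitors(ANON, fields))
```

On this sample the truncated address alone hides five of the six visitors in one group, but adding browser details separates four of them again, and adding the cookie identifier separates all six.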


                                 IMY notes that there may also be reasons to compare IP addresses with
                                 pseudonymised personal data. Pseudonymization of personal data means,
                                 according to Article 4.5 of the data protection regulation, that the data, similar to dynamic IP
                                 addresses, cannot be directly attributed to a specific data subject without supplementary
                                 data being used. According to recital 26 of the data protection regulation, such data should
                                 be considered to be information about an identifiable natural person.


                                 According to IMY, a narrower interpretation of the concept of personal data would undermine
                                 the scope of the right to the protection of personal data, which is guaranteed in Article 8 of
                                 the Charter of Fundamental Rights of the European Union, because it would
                                 make it possible for personal data controllers to specifically single out individuals together
                                 with personal data (e.g. when they visit a certain website) while individuals
                                 are denied the right to protection against the dissemination of such information about them. Such
                                 an interpretation would undermine the level of protection for individuals and would not be
                                 compatible with the wide scope given to the data protection rules in the case law of the EU
                                 Court of Justice. 22

                                 20 ECJ judgment M.I.C.M, C-597/19, EU:C:2021:492, paragraphs 102–104 and Breyer judgment, C-582/14,
                                 EU:C:2016:779, paragraph 49.
                                 21 IP address truncation means that asterisks or zeros replace other digits in the last octet (the last digits of an IP
                                 address, a number between 0 and 255), which itself can only be one of 256 options. The effect of this measure
                                 is that it is still possible to distinguish the IP address from the other IP addresses (255 options), because the IP
                                 address can be linked with other data transferred to the third country (e.g. information about device and time of
                                 visit).


                               Because the complainant was logged in to his Google account during the visit to the
                               Website, Dagens Industri has also processed data from which conclusions could be drawn
                               about the individual based on his registration with Google. It appears from Google's statement
                               that implementing the Tool on a website makes it possible to obtain
                               information that a user of a Google account (i.e. a data subject) has visited
                               the website in question. Google does state that certain conditions must be met for
                               Google to be able to receive such information, e.g. that the user (the complainant) has not
                               disabled the processing and display of personalized ads. Since
                               the complainant was logged in to his Google account when visiting the Website, Google may
                               thus still have had the opportunity to obtain information about the logged-in user's
                               visit to the Website. The fact that it does not appear from the complaint that any
                               personalized ads have been shown does not mean that Google cannot obtain information about the
                               logged-in user's visit to the Website.

                               Against the background of the unique identifiers that can identify the browser
                               or the device, the possibility of deriving the individual through his Google account,
                               the dynamic IP addresses and the possibility of combining these with additional
                               information, IMY finds that Dagens Industri's use of the Tool on a web page entails
                               processing of personal data.


                               2.3 Dagens Industri is the personal data controller for the processing


                               A personal data controller is, among other things, a legal person who alone or
                               together with others determines the purposes and means of the processing of
                               personal data (Article 4.7 of the Data Protection Regulation). A personal data assistant is,
                               among other things, a legal entity that processes personal data on behalf of the personal data
                               controller (Article 4.8 of the data protection regulation).


                               The answers that Dagens Industri has provided show that it made the decision to implement
                               the Tool on the Website. Furthermore, it appears that Dagens Industri's purpose in
                               implementing the Tool has been for the company to be able to analyze how
                               the Website is used, and in particular to be able to follow the use of the Website
                               over time.

                               IMY finds that Dagens Industri, by deciding to implement the Tool on
                               the Website for the said purpose, has determined the purposes and means of the collection
                               and the subsequent processing of this personal data. Dagens Industri is
                               therefore the personal data controller for this processing.








                               22 See, for example, the judgment of the European Court of Justice Latvijas Republikas Saeima (Points de pénalité), C-439/19, EU:C:2021:504,
                               paragraph 61, judgment Nowak, C-434/16, EU:C:2017:994, paragraph 33 and judgment Rijkeboer, C-553/07, EU:C:2009:293, paragraph 59.









                                2.4 Transfer of personal data to third countries


                                The investigation shows that the data collected via the Tool is stored by Google
                                LLC in the United States. Thus, the personal data collected via the Tool is transferred to the United States.


                                The question is therefore whether Dagens Industri's transfer of personal data to the USA
                                complies with Article 44 of the Data Protection Regulation and has legal support in Chapter V.


                                2.4.1 Applicable regulations, etc.
                                According to Article 44 of the data protection regulation, which has the title "General principle
                                for transfer of data", the transfer of personal data that is undergoing
                                processing or is intended to be processed after it has been transferred to a third country,
                                i.e. a country outside the EU/EEA, may only take place on condition that the personal data
                                controller and the personal data assistant, subject to the other provisions of
                                the data protection regulation, fulfil the conditions in Chapter V. All provisions in said
                                chapter shall be applied to ensure that the level of protection guaranteed by
                                the data protection regulation is not undermined.

                                Chapter V of the data protection regulation contains tools that can be used for transfers
                                to third countries to ensure a level of protection essentially equivalent to that which is
                                guaranteed within the EU/EEA. These can be, e.g., a transfer supported by a decision on an
                                adequate level of protection (Article 45) and a transfer covered by appropriate
                                protective measures (Article 46). There are also exceptions for special situations (Article 49).


                                In the Schrems II judgment, the Court of Justice of the European Union annulled the decision on
                                an adequate level of protection that previously applied to the transfer of personal data to the
                                United States. Because a decision on an adequate level of protection has been lacking since
                                July 2020, transfers to the USA may not be based on Article 45.

                                Article 46.1 provides, among other things, that in the absence of a decision in accordance with
                                Article 45.3, a personal data controller or a personal data assistant may only transfer
                                personal data to a third country after taking appropriate safeguards, and on
                                condition that statutory rights of data subjects and effective remedies for
                                data subjects are available. Article 46.2 c stipulates that such appropriate
                                safeguards may take the form of standardized data protection regulations adopted
                                by the Commission in accordance with the review procedure referred to in Article 93(2).

                                In the Schrems II judgment, the European Court of Justice did not reject standard contract
                                clauses as a transfer tool. However, the court found that they are not binding on
                                the authorities of the third country. The Court of Justice of the European Union stated that
                                "[even] if there are thus situations where the recipient of such a transfer, depending on the
                                legal situation and current practice in the third country concerned, can guarantee the necessary
                                protection of the data solely with the support of the standardized data protection regulations,
                                there are other situations in which the provisions of these clauses cannot be a
                                sufficient means of ensuring, in practice, effective protection of the personal data
                                which is transferred to the third country concerned." According to the European Court of Justice,
                                this is "among other things the case when the legislation of the third country allows the
                                authorities of that third country to interfere with the rights of the data subjects regarding
                                these data." 24

                                23 Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 in accordance with European Parliament and
                                Council Directive 95/46/EC on whether adequate protection is ensured by the Privacy Shield between
                                the European Union and the United States, and the judgment of the European Court of Justice Facebook Ireland and
                                Schrems (Schrems II), C-311/18, EU:C:2020:559.


The reason why the European Court of Justice annulled the decision on an adequate level of protection with the US was how the US intelligence services can gain access to personal data. According to the court, the conclusion of standard contract clauses cannot in itself ensure the level of protection required according to Article 44 of the data protection regulation, as the guarantees stated therein do not apply when such authorities request access. The European Court of Justice therefore stated the following:

“It thus appears that the standard data protection clauses which the commission adopted with the support of article 46.2 c of the same regulation only aim to provide the personal data controllers or their personal data processors established in the Union with contractual safeguards that are applied uniformly throughout third countries and thus independently of the level of protection ensured in each of these countries. Because these standard data protection clauses, with regard to their nature, cannot lead to protective measures that go beyond a contractual obligation to ensure that the level of protection required under Union law is observed, it may be necessary, depending on the situation prevailing in a particular third country, for the personal data controller to take additional measures to ensure that the level of protection is observed”. 25


The European Data Protection Board's (EDPB) recommendations on the consequences of the judgment clarify that if the assessment of legislation and practice in the third country shows that the protection which the transfer tool is supposed to guarantee cannot be maintained in practice, the exporter must, within the framework of its transfer, as a rule either cancel the transfer or take appropriate additional protective measures. The EDPB notes in this regard that “further measures can only be considered effective in the sense referred to in the EU Court's judgment "Schrems II" if and to the extent that they - alone or in combination - address the specific deficiencies identified during the assessment of the situation in the third country in terms of its laws and practices applicable to the transfer”. 27


It appears from the EDPB's recommendations that such additional protective measures can fall into three categories: contractual, organizational and technical. 28


Regarding contractual measures, the EDPB states that such measures “[...] can supplement and reinforce the safeguards that the transfer tool and relevant legislation in the third country provide [...]. Considering that the contractual measures are of such a nature that they cannot generally bind the authorities in the third country because they are not parties to the agreement, these measures may often need to be combined with other technical and organizational measures to provide the level of data protection required [...]”. 29


Regarding organizational measures, the EDPB emphasizes that “[to] choose and implement one or more of these measures will not necessarily and systematically ensure that [a] transfer meets the basic equivalence standard which is required by EU legislation. Depending on the particular circumstances surrounding the transfer and the assessment made of the law of the third country, organizational measures are required to supplement contractual and/or technical measures to ensure a level of protection for personal data that is substantially equivalent to that which is guaranteed within the EU/EEA”. 30

24 Paragraphs 125-126.
25 Paragraph 133.
26 EDPB, Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, Version 2.0, adopted on 18 June 2021 (hereinafter "EDPB's Recommendations 01/2020").
27 EDPB's Recommendations 01/2020, point 75; IMY's translation.
28 EDPB's Recommendations 01/2020, point 52.
29 EDPB's Recommendations 01/2020, point 99; IMY's translation.


Regarding technical measures, the EDPB points out that “these measures will in particular be necessary when the legislation of that country imposes obligations on the importer which contravene the guarantees in the transfer tools of Article 46 of the data protection regulation and which in particular may infringe upon the contractual guarantee of an essentially equivalent protection against the authorities of the third country gaining access to these data”. The EDPB states in this regard that “the measures specified [in the Recommendations] are intended to ensure that access to the transferred data by public authorities in third countries does not interfere with the effectiveness of the appropriate safeguards in the transfer tools of Article 46 of the data protection regulation. These measures would be necessary to guarantee a level of protection substantially equivalent to that guaranteed within the EU/EEA, even if the public authorities' access is consistent with the legislation of the importer's country, where such access in practice goes beyond what is necessary and proportionate in a democratic society. The purpose of these measures is to prevent potentially unauthorized access by preventing the authorities from identifying the data subjects, drawing conclusions about them, singling them out in another context or connecting the transferred data to other data sets which, among other things, may contain network identifiers provided by the devices, applications, tools and protocols used by data subjects in other contexts”. 32

                                2.4.2 The Privacy Protection Authority's assessment

                                2.4.2.1 Applicable Transfer Tool

The investigation shows that Dagens Industri and Google have entered into standard data protection clauses (standard contract clauses) within the meaning of Article 46 for the transfer of personal data to the United States. These clauses are in line with those published by the European Commission in decision 2010/87/EU and are therefore a transfer tool according to chapter V of the data protection regulation.


2.4.2.2 The legislation and the situation in the third country

As can be seen from the Schrems II judgment, the use of standard contract clauses may require additional protective measures as a complement. Therefore, an analysis of the legislation in the relevant third country is made.


IMY considers that the analysis the EU Court has already made in the Schrems II judgment, which relates to similar conditions, is relevant and current, and that it can therefore form the basis for the assessment in the case without any further analysis of the legal situation in the United States needing to be made.


Google LLC, as the importer of the data into the United States, is to be classified as a provider of electronic communications services within the meaning of 50 US Code § 1881 (b)(4). Google is therefore subject to surveillance by American intelligence services in accordance with 50 US Code § 1881a (“702 FISA”) and is thus obliged to provide the US government with personal data when 702 FISA is used.



30 EDPB's Recommendations 01/2020, point 128; IMY's translation.
31 EDPB's Recommendations 01/2020, point 77; IMY's translation.
32 EDPB's Recommendations 01/2020, point 79; IMY's translation.









The European Court of Justice found in the Schrems II judgment that the American surveillance programs based on 702 FISA, Executive Order 12333 (hereinafter “E.O. 12333”) and Presidential Policy Directive 28 (hereinafter “PPD-28”) in American legislation do not meet the minimum requirements that apply in EU law according to the principle of proportionality. This means that the surveillance programs based on these provisions cannot be considered to be limited to what is strictly necessary. The court also found that the surveillance programs do not give data subjects rights enforceable against US authorities in court, which means that these persons do not have the right to an effective remedy.


Against this background, IMY notes that the use of the EU Commission's standard contract clauses is not in itself sufficient to achieve an acceptable level of protection for the transferred personal data.


                               2.4.2.3 Additional protective measures implemented by Google and Dagens Industri
                               The next question is whether Dagens Industri has taken sufficient additional protective measures.


Dagens Industri is, as the personal data controller and exporter of the personal data, obliged to ensure that the rules in the data protection regulation are complied with. This responsibility includes, among other things, assessing in each individual case of transfer of personal data to third countries which additional protective measures should be used and to what extent, including evaluating whether the measures taken by the recipient (Google) and the exporter (Dagens Industri) taken together are sufficient to achieve an acceptable level of protection.


                               2.4.2.3.1 Google's additional safeguards
Google LLC, as an importer of personal data, has taken contractual, organizational and technical measures to complement the standard contract clauses. In a statement on April 9, 2021, Google described the measures the company has taken.


The question is whether the additional protective measures taken by Dagens Industri and Google LLC are effective, in other words whether they hinder US intelligence services' possibilities to gain access to the transferred personal data.

As regards the legal and organizational measures, it can be stated that neither information to users of the Tool (such as Dagens Industri), 34 the publication of a transparency report nor a publicly available “policy for the handling of government requests” hinders or reduces the U.S. intelligence agencies' opportunities to gain access to the personal data. Furthermore, it is not described what it means that Google LLC makes a “careful examination of each request” from American intelligence services with regard to its “legality”. IMY notes that this does not affect the legality of such requests because, according to the European Court of Justice, they are not compatible with the requirements of the EU data protection regulations.


As regards the technical measures taken, it can be stated that neither Google LLC nor Dagens Industri has clarified how the described measures - such as protection of communication between Google services, protection of data when transferred between data centers, protection of communications between users and websites or “physical security” - hinder or reduce the ability of US intelligence agencies to gain access to the data with the support of the US regulations.



33 Paragraphs 184 and 192. Paragraph 259 et seq.
34 Regardless of whether such a notification would even be permissible under US law.










Regarding the encryption technology used - for example for so-called “data at rest” in data centers, which Google LLC mentions as a technical measure - Google LLC as an importer of personal data nevertheless has an obligation to grant access to or hand over imported personal data in Google LLC's possession, including any encryption keys required to make the data intelligible. Thus, such a technical measure cannot be considered effective as long as Google LLC has the possibility to access the personal data in plain text.


Regarding Google LLC's statement that “to the extent information for measurement in Google Analytics transmitted by website owners constitutes personal data, they are to be considered to be pseudonymized”, it can be stated that universally unique identifiers (UUID) are not covered by the concept of pseudonymisation in Article 4.5 of the data protection regulation. Pseudonymization can be a privacy-enhancing technique, but the unique identifiers have, as described above, the specific purpose of distinguishing users and not of acting as protection. In addition, individuals are made identifiable through what is stated above about the possibility of combining unique identifiers and other data (e.g. metadata from browsers or devices and the IP address) and the possibility of linking such information to a Google account for logged-in users.


Regarding Google's measure of anonymizing IP addresses in the form of truncation, it is not clear from Google's response whether this action takes place before the transfer, or whether the entire IP address is transferred to the United States and shortened only after the transfer to the USA. From a technical point of view, it has thus not been shown that there is no potential access to the entire IP address before the last octet is truncated.


Regarding the fact that Google LLC has configured the solution so that the JavaScript file is cached in the receiving terminal's application cache for two hours (which can entail a delay between the first and second call of up to two hours), this means that the calls can have different timestamps, which in itself could complicate the identification of which visitor has issued the unique call. IMY notes, however, that Dagens Industri cannot ensure that a delay of the calls actually takes place, partly because it cannot technically be ensured when (or if) a delay between the first and second call occurs, and partly because the control (the activation) of the caching is outside the company's control.


Against this background, IMY notes that the additional protective measures taken by Google are not effective, as they do not prevent US intelligence services' ability to access the personal data or make such access ineffective.


                                2.4.2.3.2 Dagens Industri's own additional protective measures

Dagens Industri has stated that the company has taken additional protective measures in addition to the measures taken by Google. According to Dagens Industri, these consist of the company having carried out extensive mapping of the life cycle of the personal data processed in the Tool, and of the company, on its own data servers (the transfer through the proxy server), masking the last octet of the IP address and hashing the value in the cookies before the data is transferred to Google. 37





                                35 See EDPB's Recommendations 01/2020, point 81.
                                36 IP address truncation means that asterisks or zeros replace other digits in the last octets (the last digits of an IP
                                address, a number between 0 and 255).
                                37 See above in the section on what the company has stated, under the heading "Additional protective measures taken".









                                However, IMY finds that these measures are not sufficient for the following reasons.


It appears from the company's own information that two separate transfers of the individual's IP address are made to Google LLC - one through a call from the measurement tool "analytics.js" with the entire IP address exposed, and one with truncation 38 of the last octet when measurement data is transferred (and hashing of the cookie value). 39


Dagens Industri claims that what can be deduced from the first transfer (where the entire IP address is exposed) is only which web page the IP address has visited, and that it is not possible to connect the IP address with the page view data etc. which is measured at a later time on the Website. IMY notes, however, that the transfer in itself involves a transfer of personal data (the IP address), despite the protective measures taken.


As for the second transfer, it also contains additional information about the visit to Dagens Industri's website (such as the visitor's device and time of the visit), and a connection with the IP address should therefore be possible, since the only difference after truncation is that the last octet is masked, which for IP addresses means only 256 options (i.e. a number between 0-255). Although the masking of the last octet and "hashing" of the cookie value constitute privacy-enhancing measures, as they limit the scope of the information that authorities (in a third country) can obtain access to, IMY notes that it is still possible to connect the transferred data to other data that is also transferred to Google LLC.
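A controller can measure the residual linkability described in the two paragraphs above on its own records before relying on such a proxy. The following Python sketch is an added example, not code from the decision or from Dagens Industri; the unsalted SHA-256 hash, the field names, the two-hour matching window and the sample records (documentation-range addresses) are assumptions constructed for illustration.

```python
import hashlib
import ipaddress


def mask_last_octet(ip: str) -> str:
    """Zero the last octet of an IPv4 address, as the proxy is described as doing."""
    return str(ipaddress.IPv4Network(f"{ip}/24", strict=False).network_address)


def hash_cookie(value: str) -> str:
    """Unsalted SHA-256 of the cookie value (assumed; the decision names no algorithm)."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def scrub(hit: dict) -> dict:
    """Record as forwarded by the proxy: masked IP, hashed cookie, other fields unchanged."""
    out = dict(hit)
    out["ip"] = mask_last_octet(hit["ip"])
    out["cid"] = hash_cookie(hit["cid"])
    return out


def candidate_addresses(masked_ip: str) -> int:
    """Number of full addresses one masked address can stand for."""
    return ipaddress.IPv4Network(f"{masked_ip}/24").num_addresses


def distinct_values(records: list, field: str) -> int:
    """Count distinct values of a field, e.g. how many visitors a cookie value separates."""
    return len({r[field] for r in records})


def anonymity_set(scrubbed_hit: dict, script_fetches: list, window_s: int = 7200) -> set:
    """Full IPs from the first transfer that are consistent with one scrubbed hit:
    same /24, same user agent, and fetched within window_s seconds of the hit.
    A set of size 1 means the masking did not hide which address sent the hit."""
    prefix = ipaddress.IPv4Network(f"{scrubbed_hit['ip']}/24")
    return {
        f["ip"]
        for f in script_fetches
        if ipaddress.IPv4Address(f["ip"]) in prefix
        and f["ua"] == scrubbed_hit["ua"]
        and abs(f["ts"] - scrubbed_hit["ts"]) <= window_s
    }


# Constructed sample data. First transfer: the script fetch, full IP exposed.
SCRIPT_FETCHES = [
    {"ip": "192.0.2.17", "ua": "Firefox/115 Linux", "ts": 1000},
    {"ip": "192.0.2.200", "ua": "Safari/16 iOS", "ts": 1010},
    {"ip": "198.51.100.5", "ua": "Firefox/115 Linux", "ts": 1020},
]

# Second transfer as it reaches the proxy, before masking and hashing.
RAW_HITS = [
    {"ip": "192.0.2.17", "cid": "GA1.2.111.222", "ua": "Firefox/115 Linux", "ts": 1005, "page": "/a"},
    {"ip": "192.0.2.17", "cid": "GA1.2.111.222", "ua": "Firefox/115 Linux", "ts": 1300, "page": "/b"},
    {"ip": "192.0.2.200", "cid": "GA1.2.333.444", "ua": "Safari/16 iOS", "ts": 1015, "page": "/a"},
]

SCRUBBED_HITS = [scrub(h) for h in RAW_HITS]


def report() -> dict:
    """Summarise what the masking and hashing leave intact in the sample."""
    return {
        "addresses_per_masked_ip": candidate_addresses(SCRUBBED_HITS[0]["ip"]),
        "visitors_by_raw_cookie": distinct_values(RAW_HITS, "cid"),
        "visitors_by_hashed_cookie": distinct_values(SCRUBBED_HITS, "cid"),
        "anonymity_set_sizes": [len(anonymity_set(h, SCRIPT_FETCHES)) for h in SCRUBBED_HITS],
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

In the sample the hashed cookie separates exactly as many visitors as the raw one, and every scrubbed hit maps back to a single full address once device and time are compared, which is the situation IMY describes.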


Against this background, IMY notes that the additional measures taken by the company, in addition to the additional measures taken by Google, are not sufficiently effective either in preventing US intelligence agencies from accessing the personal data or in rendering such access ineffective.


                                2.4.2.3.3 The Privacy Protection Authority's conclusion

IMY finds that Dagens Industri's and Google's measures are neither individually nor taken together effective enough to prevent US intelligence services' possibility of gaining access to the personal data or to make such access ineffective.

Against this background, IMY finds that neither standard contract clauses nor the other measures invoked by Dagens Industri can provide such support for the transfer as is stated in chapter V of the data protection regulation.


With this transfer of data, Dagens Industri is therefore undermining the level of protection of personal data of data subjects guaranteed in Article 44 of the data protection regulation.


IMY therefore states that Dagens Industri Aktiebolag violates Article 44 of the data protection regulation.







38 IP address truncation means that asterisks or zeros replace other digits in the last octets (the last digits of an IP address, a number between 0 and 255), which itself can only be one of 256 options. The effect of this measure is that it is still possible to distinguish the IP address from the other IP addresses (255 options), because the IP address can be linked with other data transferred to the third country (e.g. information about device and time of visit).
                                39 See above in section 1.3.17.1, illustration of data flows (p. 8 of the company's statement).








                                3 Choice of intervention


                                3.1 Legal regulation


In the event of violations of the data protection regulation, IMY has a number of corrective powers available according to Article 58.2 a–j of the data protection regulation, including reprimands, injunctions and penalty fees.

IMY shall impose penalty fees in addition to or in lieu of other corrective measures as referred to in Article 58(2), depending on the circumstances of each individual case.

Each supervisory authority must ensure that the imposition of administrative penalty fees in each individual case is effective, proportionate and dissuasive. This is stated in Article 83.1 of the data protection regulation.


Article 83.2 of the data protection regulation sets out the factors that must be considered in order to decide whether an administrative penalty fee should be imposed, but also when determining the amount of the penalty fee. If it is a question of a minor breach, IMY may, as set out in recital 148, instead of imposing a penalty fee issue a reprimand according to article 58.2 b of the regulation. In the assessment, aggravating and mitigating circumstances in the case must be taken into account, such as the nature, severity and duration of the breach and previous breaches of relevance.


According to article 83.5 c of the data protection regulation, in the event of a violation of, among others, article 44, administrative penalty fees of up to EUR 20 million or, in the case of a company, of up to 4% of the total global annual turnover during the previous financial year, depending on which value is the highest, are imposed in accordance with article 83.2.

                                3.2 Should a penalty fee be imposed?


IMY has found above that the transfers of personal data to the USA that take place via the Google Analytics tool, and for which Dagens Industri is responsible, conflict with article 44 of the data protection regulation. Violations of that provision can, as shown above, incur penalty fees. In the current case, it is a question of a serious violation which should normally result in a penalty fee.


When assessing in this case whether a penalty fee should be imposed, it must be taken into account as an aggravating factor that the violation has occurred through Dagens Industri having transferred a large amount of personal data to third countries where the data cannot be guaranteed the level of protection provided in the EU/EEA. The processing has taken place systematically and over a longer time. After the European Court of Justice, by judgment on 16 July 2020, rejected the commission's decision on an adequate level of protection in the USA, 40 the conditions for transfers of personal data to the United States changed. About 3 years have now passed since the judgment was announced, and during that time the EDPB has issued recommendations on the consequences of the judgment, for public consultation on 10 November 2020 and in final form on 18 June 2021.





                                40 Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of
                                the European Parliament and of the Council on the adequacy of the protection provided by the
                                EU-U.S. Privacy Shield.



                               As mitigating factors, account must be taken of the special situation that arose after
                               the judgment and of the interpretation of the EDPB's recommendations, where a gap arose after
                               the transfer tool for the USA under the Commission's previous decision was rejected by
                               the European Court of Justice. In addition, it must be taken into account that the
                               investigation shows that Dagens Industri has made a serious analysis and mapping of the life
                               cycle of personal data in the Tool. Dagens Industri has also taken measures: on its own
                               servers (the transfer via the proxy server), the company masks the last octet of the IP
                               address (truncation) and hashes the value in the cookies before the data is transferred to
                               Google. The company has also activated Google's "anonymization of IP addresses" measure,
                               which works by truncation. Dagens Industri has thus taken relatively extensive
                               measures to try to limit the risks for the data subjects and to remedy the deficiencies.
                               Dagens Industri has thereby also believed that it had succeeded, even though the measures
                               have now proved not to be effective in practice.


                               On a balanced assessment, IMY finds that there is reason in this case to
                               refrain from imposing a penalty fee on Dagens Industri for the breach found
                               and to stop at an injunction to remedy the deficiency.


                               3.3 Other interventions


                               It appears from the investigation that the safeguards for transfer invoked by
                               Dagens Industri cannot provide support for the transfer under Chapter V of the
                               data protection regulation. The transfer thus involves a violation of
                               the regulation. To ensure that the infringement ceases, Dagens Industri shall be
                               ordered, pursuant to Article 58.2 d of the data protection regulation, to ensure that the
                               company's processing of personal data within the framework of its use of the Google
                               Analytics tool complies with Article 44 and other provisions of Chapter V. This
                               shall in particular be done by Dagens Industri ceasing to use the version of
                               the Google Analytics tool that was used on August 14, 2020, unless sufficient
                               protective measures have been taken. The measures must be completed no later than one month
                               after this decision has gained legal force.


                               ___________________




                               This decision has been taken by the general manager Lena Lindgren Schelin after a presentation
                               by lawyer Sandra Arvidsson. The chief justice David Törngren, unit manager Catharina
                               Fernquist and IT and information security specialist Mats Juhlén also participated in the
                               final proceedings.




                               Lena Lindgren Schelin, 2023-06-30 (This is an electronic signature)















                                4 Appeal reference


                                4.1 How to Appeal

                                If you want to appeal the decision, you must write to the Swedish Privacy Agency. State in
                                the letter which decision you are appealing and the change you are requesting. The appeal must
                                have been received by the Privacy Protection Authority no later than three weeks from the day
                                you received the decision. If the appeal has been received in time, the Privacy
                                Protection Authority forwards it to the Administrative Court in Stockholm for
                                examination.


                                You can e-mail the appeal to the Privacy Protection Authority if it does not contain
                                any privacy-sensitive personal data or information that may be covered by
                                secrecy. The authority's contact details appear on the first page of the decision.



















































