IMY (Sweden) - DI-2020-11368

From GDPRhub
Revision as of 14:34, 4 July 2023 by Ls (talk | contribs)
IMY - DI-2020-11368
LogoSE.png
Authority: IMY (Sweden)
Jurisdiction: Sweden
Relevant Law: Article 44 GDPR
Article 46 GDPR
Article 60 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 30.06.2023
Published:
Fine: n/a
Parties: Coop Sverige AB
National Case Number/Name: DI-2020-11368
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Swedish
Original Source: IMY (in SV)
Initial Contributor: n/a

The Swedish DPA held that by using Google Analytics provided by Google LLC, Coop breached Article 44 GDPR. SCCs and safeguards that were in place could not support data transfers to the US in a way that would not undermine the level of protection of personal data guaranteed by the GDPR.

English Summary

Facts

Coop Sverige AB (the controller) used Google Analytics tool provided by Google LLC (processor) on its website. For the use of this tool, the controller transferred users’ personal data to the processor, in the US.

In 2020, noyb lodged a complaint against the controller with the Austrian DPA, alleging that the transfer of personal data through the use of Google Analytics tool was in violation of the provisions of Chapter V GDPR.

The complaint was transferred to the Swedish DPA in its quality of lead supervisory authority pursuant to Article 56 GDPR. Following the complaint, the DPA investigated the data transfers from the controller to the US through the use of Google Analytics.

In its defense, the controller explained that the transfer was based on SCC’s concluded with Google Analytics pursuant to Article 46 GDPR and that it put in place additional safeguards.

Holding

Firstly, the DPA assessed whether the data processed through Google Analytics tool constituted personal data and found that it did. Indeed, generic IP address and users’ unique identifiers collected through cookies were transmitted to Google LLC. The DPA outlined that although such unique identifiers would not make the users identifiable in themselves, they could be combined with additional elements and enable to distinguish individual visitors.

Secondly, the DPA held that Coop decided to implement the Google Analytics tool on its website for its own analytics purposes. By determining the means and purposes of the processing, Coop qualified as the controller.

Thirdly, the DPA assessed the compatibility of the transfer with Article 44 GDPR and if it was supported by a transfer basis under Chapter V GDPR. Referring to CJEU Schrems II judgment, the DPA noted that the use of SCC’s is not in itself sufficient to achieve an acceptable level of protection in the context of data transfers to the US and that an analysis of the national provisions must be carried out. Under national US law, Google LLC, as a provider of electronic communication services is subject to surveillance by the intelligence agencies and is thus obliged to provide the US government with personal data. According to the Schrems judgment, that the DPA considered up-to-date, this legislation doesn’t meet the requirements of EU law.

Fourthly, considering that the SCC’s were not sufficient, the DPA assessed whether the controller and the processor implemented additional safeguards for the data transfers. It noted that technical measures were in place but that these measures did not prevent the US intelligence agency from accessing the data

In conclusion, the DPA found that the transfer of data could not rely on any of the Chapter V tools and that the controller undermined the level of protection of the data subjects’ data, in breach of Article 44 GDPR. Taking into account that the controller implemented measures to try to limit risks of breaches, the DPA decided not to impose a fine and to only order the controller to remedy the deficiency.

Comment

See press release from the IMY: https://www.imy.se/nyheter/fyra-bolag-maste-sluta-anvanda-google-analytics/

This complaint is part of noyb's 101 complaints project. This decision was published along with three other decisions. Summaries are available on the hub : https://gdprhub.eu/index.php?title=IMY_(Sweden)_-_DI-2020-11397

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.

1(24)






                                                                        Coop Sweden AB
                                                                        Englundavägen 4
                                                                        17188 Solna






Diary number:
DI-2020-11368 Decision after supervision according to

                                 data protection regulation – Coop

Date:
2023-06-30 Sverige AB's transfer of

                                 personal data to third countries





                                 Content

                                 The Privacy Protection Authority's decision................................................... ............................2

                                 1 Description of the supervisory matter ............................................... .....................................3

                                        1.1 The processing................................................... ............................................3

                                        1.2 What is stated in the complaint............................................. ..............................3
                                        1.3 What Coop has stated............................................... ........................................4

                                               1.3.1 Who has implemented the Tool and for what purpose, etc. ........4

                                               1.3.2 Recipient of the data ............................................. .....................5

                                               1.3.3 The data processed in the Tool and what constitutes it
                                               personal data ................................................ ........................................5

                                               1.3.4 Categories of persons affected by the processing......................5
                                               1.3.5 When the code for the Tool is executed and Recipient access is provided .5

                                               1.3.6 How long the processed personal data is stored ......................5

                                               1.3.7 In which countries the personal data is processed...................................6

                                               1.3.8 Coop's relationship with Google LCC............................................ ...............6
                                               1.3.9 Ensuring that the processing does not take place for the Recipients' own benefit

                                               purpose ................................................ ................................................ .6
                                               1.3.10 Description of Coop's use of the Tool............................6

                                               1.3.11 Own checks on transfers affected by the judgment Schrems II7

Postal address: 1.3.12 Transfer tool according to chapter V of the data protection regulation .......8
Box 8114
104 20 Stockholm 1.3.13 Control of obstacles to enforcement in legislation in third countries............8
                                               1.3.14 Additional safeguards taken in addition to those taken by Google
Website:
www.imy.se ............................................ ................................................ ...................8
Email: 1.4 What Google LCC has stated............................................. ...............................10
imy@imy.se
                                 2. Justification of the decision................................................ ................................................ 11
Phone:
08-657 61 00


                                                                Page 1 of 24The Swedish Privacy Agency Diary number: DI-2020-11368 2(24)
                                       Date: 2023-06-30






                                                2.1 The framework for the review............................................... ................................11

                                                2.2 This concerns the processing of personal data............................................. .11

                                                         2.2.1 Applicable regulations, etc. ................................................ ...11

                                                         2.2.2 The Privacy Protection Authority's assessment...................................13

                                                2.3 Coop is the personal data controller for the processing...................................15

                                                2.4 Transfer of personal data to third countries............................................. ....15
                                                         2.4.1 Applicable regulations, etc. ................................................ ...16

                                                         2.4.2 The Privacy Protection Authority's assessment...................................18

                                       3 Choice of intervention................................................... ................................................ .......21

                                                3.1 Legal regulation................................................ ..........................................21

                                                3.2 Should a penalty fee be imposed?............................................ ..........................21

                                                3.3 Other interventions................................................... ........................................22

                                       4 Appeal reference ................................................ ..........................................23

                                                4.1 How to appeal .............................................. ........................................23

















































                                                                            Page 2 of 24The Swedish Privacy Agency Diary number: DI-2020-11368 3(24)
                               Date: 2023-06-30






                               The Privacy Protection Authority's decision


                               The Privacy Protection Authority states that Coop Sverige Aktiebolag processes
                               personal data in violation of article 44 of the data protection regulation by then it

                               August 14, 2020 and until the day of this decision use the Google Analytics tool,
                               which is provided by Google LLC, on its website www.coop.se, and thereby
                               transfer personal data to third countries without the conditions according to chapter V of the regulation

                               are fulfilled.

                               The Privacy Protection Authority orders Coop Sverige Aktiebolag with the support of article

                               58.2 d of the data protection regulation to ensure that the company's processing of personal data
                               within the framework of Coop Sverige Aktiebolag's use of the Google Analytics tool
                               complies with Article 44 and other provisions of Chapter V. This shall especially

                               happen by Coop Sverige Aktiebolag ceasing to use that version of
                               the Google Analytics tool used on August 14, 2020, if not sufficient
                               protective measures have been taken. The measures must be completed no later than one month after

                               this decision gained legal force.


                               1 Description of the supervisory matter


                               1.1 The processing

                               The Swedish Privacy Protection Agency (IMY) has started supervision regarding Coop Sverige AB
                               (hereinafter "Coop" or "the company") due to a complaint. The complaint concerns a

                               alleged violation of the provisions of Chapter V of the Data Protection Ordinance linked
                               to the transfer of the complainant's personal data to third countries. The transfer is alleged to have
                               happened when the complainant visited the company's website, www.coop.se (hereinafter "the company's

                               website” or the “Website”) through the Google Analytics tool (below
                               “The Tool”) provided by Google LLC.


                               The complaint has been handed over to IMY, in its capacity as the responsible supervisory authority according to
                               Article 56 of the Data Protection Regulation. The handover has taken place from the supervisory authority
                               in the country where the complainant has filed his complaint (Austria) in accordance with

                               the regulation's provisions on cooperation in cross-border processing.

                               The proceedings at IMY have taken place through an exchange of letters.


                               1.2 What is stated in the complaint


                               The complaint essentially states the following.

                               On August 14, 2020, the complainant visited Coop's website. During the visit,

                               the complainant signed in to his Google account, which is linked to the complainant's email address.
                               The company had implemented a Javascript code for Google services on its website,
                               including Google Analytics. In accordance with clause 5.1.1 b of the terms of Google's

                               processing of personal data for Google's advertising products and also Google's terms and conditions
                               for processing "the New Order Data Processing Conditions for Google Advertising
                               Products" Google processes personal data of the data controller (i.e.



                               1
                               regarding the processing of personal data and about the free flow of such data and about the cancellation of avr med
                               directive 95/46/EC (General Data Protection Regulation).



                                                             Page 3 of 24The Swedish Privacy Agency Diary number: DI-2020-11368 4(24)
                               Date: 2023-06-30






                               the company's) account. Google LLC must therefore, according to the above-mentioned conditions, be classified as
                               the company's personal data assistant.


                               During the complainant's visit to the company's website, the complainant was treated

                               personal data by Coop, at least the complainant's IP address and data collected
                               through cookies. Some of the data collected was transferred directly to Google. IN
                               in accordance with clause 10 of the terms on the processing of personal data for Googles

                               advertising products, Coop has approved that Google may process personal data about
                               the appellant in the United States. Such transfer of data requires legal support in accordance with
                               chapter V of the data protection regulation.


                               According to the judgment of the European Court of Justice Facebook Ireland and Schrems (Schrems II), 2
                               the company can no longer rely on a decision on an adequate level of protection for the transfer of

                               data to the United States according to Article 45 of the Data Protection Regulation. The company should not base
                               the transfer of data on standardized data protection regulations according to article
                               46.2 c of the data protection regulation if the recipient country does not ensure adequate protection

                               with regard to Union law for the personal data that is transferred.


                               1.3 What Coop has stated

                               Coop Sverige AB has essentially stated the following.


                               1.3.1 Who has implemented the Tool and for what purpose, etc.
                               Coop has made the decision to implement the Tool on the Website, which has happened

                               by embedding the code for the tool on the Website. The tool is still
                               actively. The company is not established in any other member state than Sweden and has not
                               made such a decision for any other European website.


                               The purpose of Coop's use of the Tool is to fulfill the purpose of developing and
                               improve Coop's operations, products and services. The tool is used, for example, for

                               to analyze and evaluate (i) how registered users use coop.se, (ii) Coop's customer
                               personalization on coop.se and (iii) Coop's advertising campaigns. Based on those insights
                               that the tool provides, Coop can make decisions about measures that improve and optimize

                               Coop's products, services (e.g. functions offered on coop.se and their
                               placement or personification on coop.se) and marketing or make decisions about new
                               products or services must be developed. For this purpose it is necessary to keep

                               relevant unique identifiers for the analyzes performed in order to create reliable and
                               verifiable results.


                               The tool is used to create analyzes and reports that facilitate
                               decision-making linked to the objectives 1) provide a personal experience in Coop's digital

                               channels and 2) marketing and communication in Coops and in third party digital
                               channels.













                               2 ECJ judgment Facebook Ireland and Schrems (Schrems II), C-311/18, EU:C:2020:559.



                                                             Page 4 of 24The Swedish Privacy Agency Diary number: DI-2020-11368 5(24)
                                Date: 2023-06-30






                                Coop's purpose with the Tool can also be fulfilled with the implementation of a so-called

                                the server side container, which means that the visitor's IP address should not be sent to
                                The tool (see below). Coop does not need IP addresses as identifiers to comply
                                the purpose of the Tool. The purpose of the Tool is to create reports for

                                decision basis for the purpose of developing and improving Coop's operations, products
                                and services. Examples of information needed in these reports. Could be any
                                exposures that lead to a purchase in order to be able to evaluate their effectiveness, e.g.

                                product displays, recipe displays or campaigns. In this context, it is therefore
                                the measurement, not the IP address, which is decisive for whether the purpose of the Tool can

                                fulfilled.

                                Coop's customers are in the Swedish market and Coop only targets it

                                Swedish market. Practical reasons and the prohibition regarding discrimination of
                                consumers, and in some cases also traders, according to the geoblocking regulation 3
                                however, means that there is no restriction on who can visit Coops

                                website. Coop does not specifically analyze traffic to the website from which countries
                                comes .


                                1.3.2 Recipient of the data
                                Within the scope of Coop's use of the Tool on the Website is provided

                                personal data out to a number of actors, all of whom are personal data processors or
                                subcontractors of Coop, including Google LLC, Google Ireland Ltd and their
                                assistants.


                                1.3.3 The data processed in the Tool and what constitutes it

                                personal data
                                Within the framework of Coop's use of the Tool on the Website, the company processes
                                and its personal data assistants (the Recipients) the information specified below.


                                    1. User behavior on the website based on values submitted via variables
                                         on the website (eg filterCombination, Page title, Referrer or storeName).

                                    2. Device information (eg flashVersion, javaEnabled, language or color choice of
                                         screen).

                                    3. Customer status (i.e. if the user visits Coop's website in logged in or
                                         logged out mode or as a business customer).
                                    4. Online identifiers (e.g. IP address, userID, transactionID, clientlD, gclid, dclid

                                         or Device ID).
                                    5. Transaction data based on values submitted via site variables
                                         (such as antalKop, Transaction - dimension50 (boughtRecipe), Transaction -

                                         dimension7 (deliveryMethod), orderlD or deliveryTime).


                                1.3.4 Categories of persons affected by the processing
                                The categories of persons affected by the processing are visitors, private customers
                                (non-member with an account), business customers and members of Coop Medlem.


                                The tool is not set up and is not used to treat particular categories of
                                personal data or personal data of particularly vulnerable persons.






                                3Regulation (EU) 2018/302 of the European Parliament and of the Council of 28 February 2018 on measures against unjustified
                                geoblocking and other forms of discrimination based on customers' nationality, place of residence or place of establishment
                                in the internal market.



                                                              Page 5 of 24The Swedish Privacy Agency Diary number: DI-2020-11368 6(24)
                               Date: 2023-06-30






                               1.3.5 When the code for the Tool is executed and Recipient access is provided
                               When a user has made their consent choices, the user's personal data, i

                               varying extent, to be sent to the Tool. The content is integrated and run after
                               conditions in Coop's consent manager are met.


                               1.3.6 How long the personal data processed is stored
                               The personal data processed in the Tool is stored for a maximum of 38 months and
                               is subsequently deleted.


                               1.3.7 In which countries the personal data is processed
                               The personal data is processed in the United States, among other places.


                               1.3.8 Coop's relationship with Google LCC
                               Coop purchases the license for the Tool through a reseller that constitutes Coops

                               personal data assistant. Coop and the personal data assistant have entered into an agreement
                               personal data assistant agreement that regulates the set-up and administration of the Tool.
                               The personal data assistant in turn independently administers all operations in
                               relationship with Google. For example, the personal data assistant handles the whole set

                               of the Tool, compensation for the service and contacts with Google regarding support.
                               In other words, Google acts exclusively on instructions from Coops
                               personal data assistant.


                               Google further applies contractual terms between itself and the retailer that regulates
                               Google's processing of personal data as a personal data processor in relation to

                               the retailer, whereby the retailer is Coop's personal data assistant. Google will be
                               thereby Coop's assistant. This view of the distribution of roles is consistent with
                               The view of Coop's personal data officer and Google. In addition to this, the settings that

                               enables the use of personal data in the Tool for Google's own purposes
                               deactivated.


                               In light of (i) that Coop's personal data assistant acts in accordance with Coop's
                               instructions, (ii) how the contract structure looks like and how the parties involved look at it
                               the distribution of roles and (iii) that data sharing for Google's own purposes is disabled

                               Coop's assessment that Google constitutes a subsidiary of Coop is linked to
                               personal data processing in the Tool.


                               1.3.9 Ensuring that the processing does not take place for the Recipients' own purposes
                               Coop releases the personal data to its personal data assistants. Coop has entered
                               personal data processing agreement with these. The agreements contain clauses concerning Coop's right to

                               audit/audit through which Coop can check that the personal data assistant does not
                               processes personal data for its own purposes or for the purposes of third parties.


                               As part of its work with the data protection regulation, Coop applies a routine to
                               ensure regulatory compliance. The routine includes an annual cycle whose purpose is to secure good
                               regulatory compliance over time. The annual wheel is divided into four parts where follow-up of

                               assistant relations are included in the third part. Within the framework of the follow-up work according to
                               annual cycle, there is an opportunity to ensure that personal data assistants only process
                               personal data on behalf of Coop.


                               In connection with the work regarding the implementation of the consent manager, has in addition
                               additional measures have been taken to ensure that Coop does not allow Recipients
                               processes personal data belonging to Coop's visitors, customers and members for





                                                             Page 6 of 24The Swedish Privacy Agency Diary number: DI-2020-11368 7(24)
                               Date: 2023-06-30






                               their own purposes. There are routines that state that each responsible employee must
                               ensure that no sharing of personal data takes place through solutions in the service.


                               1.3.10 Description of Coop's use of the Tool
                               Coop sends various identifiers via the measurement set up on the company's website.
                               Common to all identifiers is that these are unique for the interactions of the data subjects

                               related to the website www.coop.se. In other words, a registered person is not attributed to one
                               and the same identifier that applies to websites other than the Coop website.


                               The example below describes a report where Coop wants to understand which products are
                               popular to shop online and how these have been exposed to the customer at Coops
                               website. When the customer completes their purchase in Coop's e-commerce, the following is sent

                               information for the Tool (on the quote variable, description and example of value):

                                    • Id - Product ID – 3600542020855

                                    • Variant – Size of the packaging (eg 200 g etc.) – undefined
                                    • Price – The price of the product – 26.5
                                    • List – The products on the site are presented in a product list which may have different

                                        name, e.g. product search, Site search, Search dropdown - product search
                                    • listPosition – What position the list has among other product lists (from 0 and
                                        upwards) – 0

                                    • position – What place the product has in the product list (from 0 and up) – 0
                                    • name – Product name – Balsam Goodbye Damage
                                    • brand – Brand – Fructis

                                    • category – Product category area – Beauty & Hygiene - Hair care - Conditioner

                               The identifiers transmitted are the following:


                                        1. clientID – used to be able to determine whether a registered person is new or
                                            recurrent. New clientIDs are generated if a registrant has cleared theirs

                                            cookies and re-enters the website.
                                        2. userID – generated for registered users with a login account on coop.se and
                                            used to determine whether a data subject has a login account or
                                            not.

                                        3. gclid and dclid – generated for each unique ad click. The aim is to be able to
                                            attribute a click to a specific ad in order to, for example, get
                                            aggregated information about how many times the ad has been viewed or

                                            how many people have interacted with it.
                                        4. transactionID – generated in connection with a purchase on coop.se and
                                            corresponds to an order number.


                               Based on the information stated above, Coop can, among other things, draw conclusions about
                               popular products that lead to purchase, how the customer journey started and what type of

                               registered person who completed the purchase (e.g. new or returning member/customer or
                               member/customer with login account). These conclusions are not dependent on
                               registrants' public IP addresses are sent to the Tool and the purpose can thus be fulfilled

                               regardless of whether public IP addresses are sent or not.

                               In light of the implementation of the server side container, Coop also wishes to

                               clarify that registered IP addresses are only processed through the following
                               treatments: 1) collection on the company's website, 2) transfer to server side
                               the container and 3) converting the unique IP addresses to a generic IP address for





                                                             Page 7 of 24The Swedish Privacy Agency Diary number: DI-2020-11368 8(24)
                               Date: 2023-06-30






                               the server side container. Collection, transfer and conversion are done in real time and none
                               public IP addresses are stored.


                               1.3.11 Own checks on transfers affected by the Schrems II judgment
                               In light of the Schrems II judgment, Coop has carried out work to review
                               their third country transfers. In the autumn of 2021, Coop has also carried out an audit of

                               The tool where Coop has been able to establish that international data transfers are taking place
                               through use of the Tool. As part of this work, it has been undertaken on an ongoing basis
                               measures to further increase privacy protection related to the data subjects whose

                               personal data is affected.

                               1.3.12 Transfer tool according to chapter V of the data protection regulation

                               Transfers to third countries take place with the support of the European Commission
                               standard contract clauses (personal data assistants), which are incorporated into that contract
                               entered into between Google and Coop's personal data assistant. According to the agreement constitute

                               Coop's personal data assistant exporter of the personal data to the Tool.

                               Coop supports the data transfers to the USA on the standard contractual clauses for

                               transfer of personal data to personal data processors in third countries.
                               In this case, the standard contract clauses have been entered into between Google LLC and the company
                               personal data assistant. In this context, it can be mentioned that Google provides

                               standardized services and do not offer their customers the opportunity to negotiate
                               the terms of their services. Because these are terms that are not subject to
                               negotiation, no signed copies are available. Coop has instead attached them

                               data processing conditions in which the standard contractual clauses have been incorporated and which apply
                               in accordance with the agreement entered into by Coop's personal data assistant.


                               Coop takes measures to ensure that the existing standard contract clauses always
                               are updated according to the EU Commission's latest version of standard contract clauses.


                               1.3.13 Control of obstacles to enforcement in legislation in third countries
                               Control of obstacles in third country legislation is within the scope of Coop's work to
                               review your third country transfers. However, Coop has noted the criticism that the EU

                               the court has directed against American law and takes this into account in the choice of
                               supplementary protective measures.


                               1.3.14 Additional safeguards taken in addition to those taken by Google
                               Implementation of additional protective measures is within the scope of Coop's work with
                               to review their third country transfers. According to data from Google, provided

                               several security measures that Google deems to constitute such additional safeguards
                               which can be taken together with the standard contract clauses.


                               Coop has also carried out work to establish a so-called server side container, i
                               purpose of expanding control over how data is sent to the Tool.

                               Coop believes that Google's contractual and organizational measures may be considered

                               minimize the actual risk of disclosure of personal data to third countries i
                               the end takes place. From Google's Transparency Report, Global requests for users
                               information, however, it appears that Google regularly receives requests from Americans

                               authorities about what applies when accessing personal data that Google stores.
                               Coop's assessment is that the real risk of information being disclosed to American
                               intelligence is small. However, it cannot be eliminated by either measures

                               that Google or Coop take.



                                                             Page 8 of 24The Swedish Privacy Agency Diary number: DI-2020-11368 9(24)
                                Date: 2023-06-30






                                Furthermore, Coop assesses that the supplementary measures taken to minimize
                                the monitoring possibilities also strengthen the freedoms and rights of Coop's customers by
                                these cannot be identified through the data that is transmitted.


                                In summary, through these measures, only one and the same generic IP
                                address transmitted to the Tool, regardless of the unique IP address of the data subject.

                                Coop has also activated the function in the Tool for so-called IP anonymization, but
                                in light of the server side container, this measure is, according to the company, redundant.


                                1.3.14.1 General about server side container
                                A server side container is generally implemented to either enhance 1)
                                website performance or 2) security. In terms of performance, fewer tags can

                                be used in relation to the measurement set up on the Website, which means
                                less code on the client side and, for example, that the website can load faster.


                                In terms of security, visitors' data can be better protected and the website owner
                                retains greater control over the data collected and distributed in an environment that
                                controlled by the website owner. When data is first sent to a cloud-based solution

                                this can be processed and redistributed with tags such as the website owner
                                controls.


                                1.3.14.2 Coop's implementation of the server side container
                                The purpose of the server side container that Coop has implemented is to improve
                                the security related to the data sent. More specifically, the aim is to on a good and

                                safely be able to protect the personal privacy of those registered. Server side
                                the container acts as a proxy between the registrant's browser and the Tool
                                where Coop has chosen to implement the server side container in a way that makes them
                                the registered browser's public IP address is never transmitted to the Tool.


                                Implementation can be described as follows. A registrant visits the website
                                www.coop.se in your browser. The Google Analytics script is downloaded from the server side

                                container instead of being downloaded directly from Google Analytics servers. This
                                results in the registrant's IP address as well as information about user behavior,
                                device information, customer status, online identifiers and transaction data (according to

                                points 1–5 above under section 1.3.10) are transferred to the server side container, instead
                                directly to Google Analytics. Once the Google Analytics script has been downloaded from the server
                                side container, a new call is made from the server side container to Google Analytics

                                servers. Since the call is made from the server side container, no transfer of
                                the registrant's public IP address to Google Analytics. Coop has configured the server
                                side container in such a way that all data as above, except it was recorded

                                public IP address, passes through the server side container to Google Analytics. Google
                                Analytics receives data sent from the server side container and that data
                                (information) that has been sent is popularized in reports by the measurement set

                                up on the website www.coop.se.

                                The treatments that take place through the aforementioned – i.e. to receive, convert and

                                forward the call - takes place in the working memory of the server side container. It means
                                all processing takes place in real time and that no data is permanently stored. In other words, stored
                                public IP addresses were not registered in the server side container and they are not exposed

                                rather against Google Analytics servers. All communication from the browser, via server
                                side container, to The tool is also encrypted.






                                                              Page 9 of 24The Swedish Privacy Agency Diary number: DI-2020-11368 10(24)
                               Date: 2023-06-30






                               This process cannot be reversed as the information is not stored and the conversion
                               not based on a one-to-one relationship that enables the use of a "key"
                               to recreate the public IP addresses.


                               Coop has activated Google's function for IP anonymization. It means that the IP
                               address sent to the Tool is truncated. This is done by Google removing one

                               part of the IP address before the IP address is stored on disk. For an IPv4 address, last is replaced
                               the octet in the address with a zero. For an IPv6 address, the last 80 bits are replaced with
                               zeros. The action cannot be reversed but as this action is done by Google i

                               Coop has also chosen to implement the tool as a server side container.

                               In Coop's case, the IP anonymization feature is enabled and applied to the generic

                               IP address sent via the server side container. In context, however, the function is
                               redundant considering that the server side container prevents the public of the registered
                               IP addresses from being sent to the Tool. Coop's assessment is that server side

                               the container as a measure is a sufficient protective measure, but that it does not harm that even
                               have the IP anonymization function activated in the Tool.


                               1.4 What Google LCC has stated

                               IMY has added to the case an opinion from Google LLC (Google) on April 9, 2021 which

                               Google submitted to the Austrian supervisory authority. The statement answers questions
                               which IMY and a number of supervisory authorities have asked Google due to in part
                               joint handling of similar complaints received by these authorities.

                               Coop has been given the opportunity to comment on Google LLC's opinion. By Google LLC's
                               opinion states the following about the Tool.


                               A JavaScript code is included on a web page. When a user visits (calls) a
                               web page, the code triggers a download of a JavaScript file. Then performed
                               the tracking operation of the Tool, which consists of collecting information related to
                               to the call in different ways and sends the information to the Tool's servers.


                               A website administrator who has integrated the Tool on his website can send
                               instructions to Google for processing the data collected. These

                               instructions are transmitted via the so-called tag manager that handles it
                               tracking code that the webmaster has integrated into his website and via
                               tag manager settings. Whoever integrated the Tool can do different things

                               settings, for example regarding storage time. The tool also makes it possible for it
                               which integrated it to monitor and maintain the stability of its website,
                               for example by staying informed about events such as peaks in visitor traffic

                               or lack of traffic. The tool also enables a website administrator to
                               measure and optimize the effectiveness of advertising campaigns carried out using
                               other tools from Google.


                               In this context, the Tool collects the visitor's http calls and information about
                               including the visitor's browser and operating system. According to Google, contains one

                               http calls for any page information about the browser and device making
                               the call, such as domain name, and information about the browser, such as type,
                               reference and language. The tool stores and reads cookies in the visitor's browser in order to

                               evaluate the visitor's session and other information about the call. Through these
                               cookies enable the Tool to identify unique users (UUID) over
                               browsing sessions, but the Tool cannot identify unique users in different browsers

                               or units. If a website owner's website has its own authentication system



                                                             Page 10 of 24The Swedish Privacy Agency Diary number: DI-2020-11368 11(24)
                               Date: 2023-06-30






                               can the website owner use the ID feature, to more accurately identify one
                               users on all the devices and browsers they use to access
                               the website.


                               When the information is collected, it is transferred to the Tool's servers. All data that
                               collected via The tool is stored in the United States.


                               Google has introduced, among other things, the following contractual, organizational and
                               technical safeguards to regulate transfers of data within the framework of
                               The tool.


                               Google has taken contractual and organizational safeguards such as to
                               the company always conducts a thorough examination of a request for access from government
                               authorities on user data can be implemented. It is lawyers/specially trained

                               staff conducting these trials and investigating whether such a request is
                               compliant with applicable laws and Google's guidelines. Those registered are informed
                               the disclosure, unless prohibited by law or would adversely affect one
                               emergency. Google has also published a policy on the company's website about how a

                               such requests for access by governmental authorities of user data shall be implemented.

                               Google has taken technical protective measures such as protecting personal data from

                               interception when transferring data in the Tool. By default using HTTP
                               Strict Transport Security (HSTS), which instructs browsers as http to SSL (HTTPS)
                               to use an encryption protocol for all communications between end users,

                               websites and the Tool's servers. Such encryption prevents intruders from
                               passively listen to communications between websites and users.

                               Google also uses an encryption technology to protect personal data, so-called “data in

                               rest" ("data at rest") in data centers, where user data is stored on a disk or
                               backup media to prevent unauthorized access to the data.


                               In addition to the above measures, website owners can use IP anonymization through
                               to use the settings provided by the Tool to limit Google's
                               use of personal data. Such settings include above all that in the code
                               for the Tool enable IP anonymization, which means that IP addresses are truncated and

                               contributes to data minimization. If the IP anonymization service is fully used occurs
                               the anonymization of the IP address almost immediately after the request has been received.


                               Google also restricts access to the data from the Tool through authorization control
                               as well as by all personnel having undergone training regarding
                               information security.




                               2. Justification of the decision

                               2.1 The framework for the review


                               Based on the complaint in the case, IMY has only examined whether Coop transfers
                               personal data to the third country USA within the framework of the Tool and if the company has
                               legal support for it in Chapter V of the Data Protection Regulation. The supervision does not cover if

                               the company's personal data processing in general is compatible with the data protection regulation.





                                                             Page 11 of 24The Swedish Privacy Agency Diary number: DI-2020-11368 12(24)
                                 Date: 2023-06-30






                                 2.2 This concerns the processing of personal data


                                 2.2.1 Applicable regulations, etc.

                                 In order for the data protection regulation to be applicable, it is required that personal data
                                 treated.


                                 According to Article 1.2, the Data Protection Regulation aims to protect the data of natural persons
                                 fundamental rights and freedoms, in particular their right to the protection of personal data.
                                 According to Article 4.1 of the regulation, personal data is "any information relating to a

                                 identified or identifiable natural person (hereinafter referred to as a data subject), whereby a
                                 identifiable natural person is a person who can be directly or indirectly specifically identified

                                 referring to an identifier such as a name, an identification number, a
                                 location data or online identifiers or one or more factors that are
                                 specific to the natural person's physical, physiological, genetic, psychological,

                                 economic, cultural or social identity'. To determine whether a natural person is
                                 identifiable, one should consider all the aids that, either of it
                                 personal data controller or by another person, may reasonably be used

                                 to directly or indirectly identify the natural person (reason 26 to
                                 data protection regulation).


                                 The term personal data can include all information, both objective and
                                 subjective information, provided that it "refers" to a specific person, which
                                                                                                                      4
                                 they do if, due to their content, purpose or effect, they are linked to the person.

                                 The word "indirectly" in Article 4.1 of the Data Protection Regulation indicates that it is not necessary

                                 that the information itself makes it possible to identify the registered person for that to be
                                 a personal data. Recital 26 of the data protection regulation also states that in order to
                                 determine whether a natural person is identifiable, all aids, such as e.g. thinning

                                 ("singling out" in the English language version), which, either of it
                                 personal data controller or by another person, may reasonably be used
                                 to directly or indirectly identify the natural person, is taken into account. To determine

                                 if aids can with reasonable probability be used to identify it
                                 the natural person should all objective factors, such as costs and time consumption for

                                 identification, taking into account both available technology at the time of processing,
                                 considered. It is clear from Article 4.5 of the regulation that pseudymisation is meant
                                 processing of personal data in a way that means that the personal data does not

                                 longer can be attributed to a specific data subject without the use of supplementary information,
                                 provided that this additional information is kept separately and is subject
                                 for technical and organizational measures that ensure that the personal data does not

                                 attributed to an identified or identifiable natural person.

                                 So-called "web identifiers" (sometimes referred to as "online identifiers") - e.g. IP addresses or

                                 information stored in cookies – can be used to identify a user,
                                 especially when combined with other similar types of information. According to recital 30 to

                                 data protection regulation, natural persons can be linked to online identifiers provided by
                                 their equipment, e.g. IP addresses, cookies or other identifiers. This can leave behind
                                 traces that, especially in combination with unique identifiers and other data such as

                                 collected, can be used to create profiles of natural persons and identify them.

                                 In the Breyer judgment, the European Court of Justice has determined that a person is not considered identifiable through

                                 some information about the risk of identification in practice is negligible, which it is

                                 4 ECJ judgment Nowak, C-434/16, EU:C:2017:994, paragraphs 34–35.
                                 5 CJEU judgment Breyer, C-582/14, EU:C:2016:779, paragraph 41.



                                                               Page 12 of 24The Swedish Privacy Agency Diary number: DI-2020-11368 13(24)
                                Date: 2023-06-30







                                identification of the relevant person is prohibited by law or impossible to carry out i
                                practice. However, the European Court of Justice has in the judgment M.I.C.M. from 2021 and in the judgment Breyer struck

                                provided that dynamic IP addresses constitute personal data in relation to the person who
                                processes them, when he also has a legal opportunity to identify the holders of
                                the internet connections using the additional information provided by third parties
                                              7
                                dispose of.



                                2.2.2 The Privacy Protection Authority's assessment

                                To determine whether the information processed through the Tool constitutes personal data
                                should IMY decide whether Google or Coop through the implementation of the Tool
                                can identify individuals, e.g. the complainant, when visiting the Website or about the risk of
                                                  8
                                it is negligible.


                                IMY considers the data processed to be personal data for the following reasons.

                                The investigation shows that Coop implemented the Tool by inserting a

                                JavaScript code (a tag), entered by Google in the source code of the Website. While
                                the page is loaded in the visitor's browser, the JavaScript code from Google LLC's is loaded

                                servers and run locally in the visitor's browser. A cookie is inserted at the same time
                                the visitor's browser and saved on the computer. The cookie contains a text file that collects
                                information about the visitor's operation on the Website. Among other things, a

                                unique identifier in the value of the cookie and this unique identifier is generated and
                                managed by Google.


                                When the complainant visited the Website, or a sub-page of the Website, was transmitted

                                the following information via JavaScript code from the complainant's browser to Google
                                LLC's servers:


                                     1. Unique identifier(s) that identified the browser or device used
                                         to visit the Website as well as a unique identifier that identifies Coops

                                         (ie the company's Google Analytics account ID).
                                     2. Web address (URL) and HTML title of the website and web page that
                                         the appellant has visited.

                                     3. Information about browser, operating system, screen resolution,
                                         language setting and date and time of access to the Website.

                                     4. The generic IP address created by Coop's implementation of a so-called
                                         server side container.


                                During the appellant's visit (according to point 1 above) said identifier was put in cookies with
                                the names "_gads", "_ga" and "_gid" and subsequently transferred to Google LLC. These

                                identifiers have been created with the aim of being able to distinguish individual visitors, such as
                                the appellant. The unique identifiers thus make the visitors to the Website

                                identifiable. Although such unique identifiers (as per 1 above) would not in themselves be considered
                                make individuals identifiable, however, it must be considered that these unique identifiers in it
                                the current case can be combined with additional elements (according to points 2-4 above)

                                and that it is possible to draw conclusions in relation to information (according to the points




                                6 CJEU judgment Breyer, C-582/14, EU:C:2016:779, paragraphs 45–46.
                                7 CJEU judgment M.I.C.M, C-597/19, EU:C:2021:492, paragraphs 102–104 and judgment Breyer, C-582/14,
                                EU:C:2016:779, paragraph 49.
                                8 See the Court of Appeal in Gothenburg's judgment of 11 November 2021 in case no. 2232-21, with the agreement of the sub-instance
                                assessment.



                                                               Page 13 of 24The Swedish Privacy Agency Diary number: DI-2020-11368 14(24)
                                 Date: 2023-06-30






                                 2–4 above) which means that information constitutes personal data, regardless of whether the IP address is not
                                 transferred in its entirety.


                                 If information is combined (according to points 1–4 above), it means that individual visitors on

                                 The website becomes even more distinguishable. It is thus possible to identify
                                 individual visitors of the Website. That in itself is enough for it to be considered
                                 personal data. It does not require knowledge of the actual visitor's name or

                                 physical address, because the differentiation (through the word "thinning" in recital 26 i
                                 the data protection regulation, "singling out" in the English version) in itself is sufficient for
                                 to make the visitor indirectly identifiable. Nor is it required that Google or Coop have

                                 for the purpose of identifying the appellant, but the opportunity to do so is in itself sufficient for
                                 to determine whether it is possible to identify a visitor. Objective aids such as
                                 can reasonably be used either by the personal data controller or by someone

                                 other, are all aids that can reasonably be used for the purpose of identifying the appellant.
                                 Examples of objective aids that can reasonably be used are access to additional
                                 information with a third party that would make it possible to identify the complainant with

                                 taking into account both available technology at the time of identification as well as cost
                                 (the time required) for the identification.


                                 IMY states that the European Court of Justice, through the judgment M.I.C.M. and the Breyer judgment established that
                                 dynamic IP addresses constitute personal data in relation to the person who processes them,
                                 when he also has a legal opportunity to identify the holders of

                                 the internet connections using the additional information provided by third parties
                                 dispose of. IP addresses do not lose their character of being personal data alone

                                 due to the fact that the means of identification are with third parties. The Breyer ruling and
                                 The M.I.C.M judgment should be interpreted based on what is actually stated in the judgments ie. that about it
                                 there is a legal possibility to gain access to supplementary information for the purpose of

                                 identify the appellant it is objectively clear that there is a “means which reasonably can
                                 will be used' to identify the complainant. According to IMY, the judgments should not be read
                                 on the contrary, in the way that a legally regulated possibility to gain access must be demonstrated

                                 to data that can link IP addresses to natural persons so that the IP addresses will
                                 considered to be personal data. An interpretation of the concept of personal information which means that
                                 it must always be demonstrated a legal possibility to link such data to a physical

                                 person would, according to IMY, mean a significant limitation of the regulation
                                 protection area, and open up possibilities to circumvent the protection in the regulation. This one
                                 interpretation would, among other things, be contrary to the purpose of the regulation according to Article 1.2 i

                                 data protection regulation. The Breyer judgment was decided under previously applicable directives
                                 95/46 and the concept of "singling out" according to recital 26 of the current regulation (that it does not
                                 knowledge of the actual visitor's name or physical address is required, because

                                 the distinction itself is sufficient to make the visitor identifiable), was not specified in
                                 previously applicable directives as a method for identifying personal data.


                                 In this context, other information is also added (according to points 1–3 above) such as IP
                                 the address can be combined with to enable identification. Coop's action regarding
                                 the generic IP address created by Coop's implementation of a so-called server side

                                 container prevents the transfer of IP address to third countries, however, is enabled
                                 still identification with Coop, which in itself is sufficient for the data
                                 together shall constitute personal data.






                                 9 ECJ judgment M.I.C.M, C-597/19, EU:C:2021:492, paragraphs 102-104 and Breyer judgment, C-582/14
                                 EU:C:2016:779, paragraph 49.



                                                                Page 14 of 24The Swedish Privacy Agency Diary number: DI-2020-11368 15(24)
                               Date: 2023-06-30






                               IMY states that there may also be reasons to compare IP addresses (even generic ones)
                               with pseudonymised personal data. Pseudonymization of personal data

                               means, according to Article 4.5 of the data protection regulation, that the data – similar to
                               dynamic IP addresses – cannot be directly attributed to a specific data subject without

                               supplementary information is used. According to recital 26 of the data protection regulation should
                               such information is considered to be information about an identifiable natural person.


                               A narrower interpretation of the concept of personal data would undermine, according to IMY
                               the scope of the right to the protection of personal data, which is guaranteed in Article 8 i
                               The Charter of Fundamental Rights of the European Union, because it would

                               make it possible for personal data controllers to specifically single out individuals together
                               with personal data (eg when they visit a certain website) at the same time as individuals
                               are denied the right to protection against the dissemination of such information about them. Such an interpretation would

                               undermine the level of protection for individuals and would not be compatible with the wide
                               scope given by the data protection rules in the practice of the EU Court of Justice. 10


                               In addition, the complainant's personal data was processed on August 14, 2020, by
                               the complainant has been logged in to his Google account when visiting the Website,
                               thereby it has been possible to draw conclusions about the individual based on his

                               registration with Google. From Google's statement it appears that implementation of the Tool
                               on a website makes it possible to obtain information that a user of a Google
                               account (ie a registrant) has visited the website in question. Google does specify

                               that certain conditions must be met for Google to be able to receive such
                               information, e.g. that the user (complainant) has not deactivated treatment for and

                               display of personal advertisements. Because the appellant was logged into his Google account
                               when visiting the Website, Google may thus still have had the opportunity to obtain
                               information about the logged-in user's visit to the Website. The fact that it

                               does not appear from the complaint that no personal ads have been shown, does not mean that
                               Google cannot obtain information about the logged-in user's visit to the Website.


                               IMY finds against the background of the unique identifiers that can identify the browser
                               or the device, the ability to derive the individual through his Google account, they
                               the generic IP addresses as well as the possibility to combine these with additional ones

                               information that Coop's use of the Tool on a web page means that
                               personal data is processed.


                               2.3 Coop is the personal data controller for the processing

                               Personal data controller is, among other things, a legal person who alone or

                               together with others determines the purposes and means of the processing of
                               personal data (Article 4.7 of the Data Protection Regulation). Personal data assistant is among

                               another, a legal entity that processes personal data for it
                               account of the personal data controller (Article 4.8 of the data protection regulation).


                               The responses provided by Coop show that the company has made the decision to implement
                               The tool on the Website. Furthermore, it appears that Coop's purpose for this was that the company
                               must be able to analyze how the Website is used, in particular to be able to follow

                               the use of the website over time.

                               IMY finds that Coop by deciding to implement the Tool on the website i

                               said purpose has established the purposes and means of the collection and it

                               10 See, for example, the judgment of the European Court of Justice Latvijas Republikas Saeima (Points de pénalité), C-439/19, EU:C:2021:504,
                               paragraph 61, judgment Nowak, C-434/16, EU:C:2017:994, paragraph 33 and judgment Rijkeboer, C-553/07, EU:C:2009:293, paragraph 59.



                                                            Page 15 of 24The Swedish Privacy Agency Diary number: DI-2020-11368 16(24)
                                Date: 2023-06-30






                                the subsequent transfer of this personal data. Coop is therefore

                                personal data controller for this processing.

                                2.4 Transfer of personal data to third countries


                                The investigation shows that the data collected via the Tool is stored by Google
                                LLC in the United States. Thus, the personal data collected via the Tool is transferred to the United States.


                                The question is therefore whether Coop's transfer of personal data to the USA is compatible with

                                Article 44 of the Data Protection Regulation and is supported by a transfer tool in Chapter V.

                                2.4.1 Applicable regulations, etc.

                                According to article 44 of the data protection regulation, which has the title "General principle for
                                transfer of data", includes the transfer of personal data that is under
                                processing or are intended to be processed after they have been transferred to a third country -

                                i.e. a country outside the EU/EEA - only take place under the condition that it
                                personal data controller and the personal data assistant, subject to others

                                provisions of the data protection regulation, meet the conditions in chapter V. All
                                provisions of said chapter shall be applied to ensure that the level of protection
                                of natural persons ensured by the data protection regulation is not undermined.


                                Chapter V of the data protection regulation contains tools that can be used for transfers
                                to third countries to ensure a level of protection essentially equivalent to that which

                                guaranteed within the EU/EEA. It can e.g. be transfer supported by a decision on
                                adequate level of protection (Article 45) and transfer covered by appropriate

                                protective measures (Article 46). There are also exceptions for special situations (Article 49).

                                In the judgment Schrems II, the Court of Justice of the European Union has annulled that decision on adequacy
                                                                                 11
                                level of protection that previously applied to the United States. Because a decision on adequate
                                level of protection since July 2020 is missing, transfers to the US may not be based on Article 45.


                                Article 46.1 provides, among other things, that in the absence of a decision in accordance with Article
                                45.3 a personal data controller or a personal data assistant may only transfer
                                personal data to a third country after taking appropriate safeguards, and on

                                conditions that statutory rights of registered and effective remedies for
                                registered are available. Article 46.2 c stipulates that such suitable

                                safeguards may take the form of standardized data protection regulations adopted
                                by the Commission in accordance with the review procedure referred to in Article 93(2).


                                In the judgment Schrems II, the European Court of Justice did not reject standard contract clauses which
                                transfer tool. However, the court found that they are not binding on
                                the authorities of the third country. The Court of Justice of the European Union stated that “[even] if thus

                                there are situations where the recipient of such a transfer, depending on the legal situation and
                                current practice in the third country concerned, can guarantee the necessary protection of
                                data solely with the support of the standardized data protection regulations, exists

                                the other situations in which the provisions of these clauses cannot be one
                                sufficient means to ensure effective protection of the personal data in practice

                                which is transferred to the third country concerned.' According to the European Court of Justice, this is "among other things




                                11 Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 in accordance with the European Parliament and
                                Council Directive 95/46/EC on whether adequate protection is ensured by the Privacy Shield in
                                The European Union and the United States.



                                                              Page 16 of 24The Swedish Privacy Agency Diary number: DI-2020-11368 17(24)
                                 Date: 2023-06-30







                                 the case when the legislation of the third country allows the authorities of that third country to do
                                 interference with the rights of the registered persons regarding these data.” 12


                                 The reason why the European Court of Justice annulled the decision on adequate level of protection

                                 with the US was because of how the US intelligence services can gain access
                                 to personal data. According to the court, the conclusion of standard contract clauses cannot i

                                 ensure a level of protection required according to Article 44 of the Data Protection Regulation,
                                 as the guarantees stated therein do not apply when requested by such authorities

                                 access. The European Court of Justice therefore stated the following:


                                     "It thus appears that the standardized data protection regulations which
                                     the commission adopted with the support of article 46.2 c of the same regulation only aims to

                                     provide the personal data controllers or their personal data assistants established
                                     in the Union contractual safeguards that are applied uniformly throughout

                                     third countries and thus independent of the level of protection ensured in each of
                                     these countries. Because these standardized data protection regulations, with regard

                                     to their nature, cannot lead to protective measures that go beyond a contractual obligation
                                     to ensure that the level of protection required under Union law is observed, it may be

                                     necessary, depending on the situation prevailing in a particular third country, for it
                                     personal data controller to take additional measures to ensure that the level of protection
                                             13
                                     observed".


                                 In the European Data Protection Board's (EDPB) recommendations on the consequences of
                                 the judgment clarifies that if the assessment of legislation and practice in the third country involves

                                 that the protection that the transmission tool is supposed to guarantee cannot be maintained in practice
                                 the exporter must, within the framework of his transfer, as a rule either cancel

                                 the transfer or take appropriate additional protective measures. The EDPB thereby notes
                                 that "further measures can only be considered effective in the sense referred to in the EU

                                 the court's judgment "Schrems II" if and to the extent that they - alone or in combination -
                                 addresses the specific deficiencies identified during the assessment of the situation i
                                                                                                                             15
                                 the third country in terms of its laws and practices applicable to the transfer”.


                                 It appears from the EDPB's recommendations that such additional protective measures can
                                 fall into three categories: contractual, organizational and technical. 16


                                 Regarding contractual measures, the EDPB states that such measures “[...] can

                                 supplement and reinforce the safeguards that the transfer tool and relevant
                                 legislation in the third country provides [...]. Considering that the contractual

                                 the measures are of such a nature that they cannot generally bind the authorities in it
                                 the third country because they are not parties to the agreement, these measures may often be necessary

                                 combined with other technical and organizational measures to provide it
                                 level of data protection required [...]'. 17


                                 Regarding organizational measures, the EDPB emphasizes “[a]t choose and implement a

                                 or more of these measures will not necessarily and systematically
                                 ensure that [a] transfer meets the basic equivalence standard which



                                 12 Paragraphs 125-126.
                                 13 Item 133, IMY's.
                                 14EDPB, Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU
                                 level of protection of personal data, Version 2.0, adopted on 18 June 2021 (hereinafter "EDPB's Recommendations
                                 01/2020”).
                                 15
                                 16EDPB's Recommendations 01/2020, point 75. IMY's translation.
                                 17 EDPB's Recommendations 01/2020, point 52.
                                   EDPB's Recommendations 01/2020, point 99; IMY's translation.


                                                                 Page 17 of 24The Swedish Privacy Agency Diary number: DI-2020-11368 18(24)
                                Date: 2023-06-30







                                required by EU legislation. Depending on the particular circumstances surrounding
                                the transfer and the assessment made by the law of the third country is required

                                organizational measures to supplement contractual and/or technical measures
                                to ensure a level of protection for personal data that is substantially equivalent to that
                                which is guaranteed within the EU/EEA”. 18


                                Regarding technical measures, the EDPB points out that “these measures will in particular

                                be necessary when the legislation of that country imposes obligations on the importer which
                                contravenes the guarantees in Article 46 of the Data Protection Regulation transfer tools and
                                which in particular may infringe upon the contractual guarantee of one in all essentials

                                equivalent protection against the authorities of the third country gaining access to these
                                tasks". The EDPB thereby states that "the measures specified [in the Recommendations]

                                are intended to ensure that access to the transmitted data for public
                                authorities in third countries do not interfere with the expediency of the appropriate
                                the safeguards in Article 46 of the Data Protection Regulation transfer tool. These

                                measures would be necessary to guarantee a substantially equivalent
                                level of protection as that guaranteed within the EU/EEA, even if the public ones

                                access by the authorities is consistent with the legislation of the importer's country, where such
                                access in practice goes beyond what is necessary and proportionate in one

                                democratic society. The purpose of these measures is to prevent potentially unauthorized
                                access by preventing the authorities from identifying the registered, drag
                                conclusions about them, point them out in another context or connect the transmitted ones

                                the data to other data sets which, among other things, may contain network identifiers such as
                                provided by the devices, applications, tools and protocols used by
                                                                     20
                                registered in other contexts".

                                2.4.2 The Privacy Protection Authority's assessment

                                2.4.2.1 Applicable Transfer Tool

                                The investigation shows that Coop and Google have entered into standardized agreements
                                data protection regulations (standard contract clauses) in the sense referred to in Article
                                46 for the transfer of personal data to the United States. These clauses are in line with those which

                                published by the European Commission decision of 4 June 2021 (2021/914/EU)
                                and thus a transfer tool according to chapter V of the data protection regulation.


                                2.4.2.2. The legislation and the situation in the third country
                                As can be seen from the judgment Schrems II, the use of standard contract clauses may require

                                additional protective measures as a complement. Therefore, an analysis of
                                the legislation in the relevant third country is made.


                                However, IMY believes that the analysis that the EU Court has already made in the judgment Schrems II,
                                which refers to similar conditions, is relevant and up-to-date, and that it can therefore

                                be added as a basis for the assessment in the case without any further analysis of it
                                the legal situation in the United States needs to be done.


                                Namely, Google LLC, as the importer of the data to the United States, must be classified

                                as a provider of electronic communication services in the sense referred to in 50
                                US Code § 1881 (b)(4). Google is therefore subject to surveillance by American
                                intelligence services in accordance with 50 US § 1881a (“702 FISA”) and thus liable

                                to provide the US government with personal data when 702 FISA is used.



                                18EDPB's Recommendations 01/2020, point 128; IMY's translation.
                                19EDPB's Recommendations 01/2020, point 77; IMY's translation.
                                20EDPB's Recommendations 01/2020, point 79; IMY's translation



                                                              Page 18 of 24The Swedish Privacy Agency Diary number: DI-2020-11368 19(24)
                                Date: 2023-06-30






                                The EU Court stated in the judgment Schrems II that the American

                                surveillance programs based on 702 FISA, Executive Order 12333
                                (hereinafter “E.O. 12333”) and Presidential Policy Directive 28 (hereinafter “PPD-28”) in the

                                American legislation does not correspond to the minimum requirements that apply in EU law
                                according to the principle of proportionality. This means that the monitoring programs that are established
                                on these provisions cannot be considered to be limited to what is strict

                                necessary. The court also found that the monitoring programs do not provide
                                the registered rights enforceable against US authorities i
                                court, which means that these people do not have the right to an effective remedy.


                                Against this background, IMY notes that the use of the EU Commission's

                                standard contract clauses are not in themselves sufficient to achieve an acceptable level of protection
                                for the transferred personal data.


                                2.4.2.3 Additional protective measures implemented by Google and Coop
                                The next question is whether Coop has taken sufficient additional protective measures.


                                As a personal data controller and exporter of the personal data, Coop is obliged to see
                                to ensure that the rules in the data protection regulation are complied with. This responsibility includes, among other things, that i

                                each individual case in the case of transfers of personal data to third countries assess which
                                additional safeguards to be used and to what extent, including that
                                evaluate if the actions taken by the recipient (Google) and the exporter (Coop)

                                taken together are sufficient to achieve an acceptable level of protection.


                                2.4.2.3.1 Google's additional safeguards
                                Google LLC, as an importer of personal data, has taken contractual,
                                organizational and technical measures to complement the standard contract clauses.

                                Google has described these measures in its statement on April 9, 2021.

                                The question is about the additional protective measures taken by the company and Google LLC

                                are effective, in other words hindering US intelligence agencies' ability to
                                access the transferred personal data.


                                With regard to the contractual and organizational measures, it can be stated that
                                neither information to users of the Tool (such as Coop), the publication of a

                                transparency report or a publicly available “Government Request Handling Policy”
                                impedes or reduces the ability of US intelligence agencies to obtain

                                access to the personal data. Furthermore, it is unclear how Google LLC's “thorough
                                examination of each request” on the “legality” of such requests is effective as
                                additional safeguard, taking into account that also legitimate legal requests from

                                American intelligence services, according to the European Court of Justice, are not compatible with the requirements of
                                EU data protection rules.


                                Regarding the technical measures taken, it can be stated that neither Google
                                The LLC or the company has clarified how the described measures – such as protection of

                                communication between Google services, protection of data during transfer between
                                data center, protection of communications between users and websites or “physical
                                security” – hinders or reduces the ability of US intelligence agencies to

                                prepare access to the data with the support of the US regulations.




                                2Items 184 and 192. Item 259 et seq.
                                2Regardless of whether such notification would even be permitted under US law.



                                                              Page 19 of 24The Swedish Privacy Agency Diary number: DI-2020-11368 20(24)

                                 Date: 2023-06-30






                                 When it comes to encryption technology – e.g. for so-called "data at rest" in data centers,

                                 which Google LLC mentions as a technical measure – has Google LLC as an importer of
                                 personal data nevertheless an obligation to grant access to or hand over imported

                                 personal data held by Google LLC, including any encryption keys
                                 which is required to make the data comprehensible. Thus, such a technical measure can
                                 is not considered effective as long as Google LLC has the ability to access

                                 the personal data in plain text.


                                 Regarding what Google LLC's stated that "to the extent information for measurement i
                                 Google Analytics transmitted by website owners constitutes personal data, they receive

                                 considered to be pseudonymized” it can be stated that universal unique identifiers
                                 (UUID) is not covered by the concept of pseudonymisation in Article 4.5 i

                                 data protection regulation. Pseudonymization can be a privacy-enhancing technique,
                                 but the unique identifiers, as described above, have the specific purpose of distinguishing

                                 user and not to act as protection. In addition, individual identifiable genomes are made
                                 what is stated above about the possibility of combining unique identifiers and others
                                 data (eg metadata from browsers or devices and the IP address) and

                                 the ability to link such information to a Google account for logged-in users.

                                                                                                                         24
                                 Regarding Google's action "anonymization of IP addresses" in the form of truncation
                                 it is not clear from Google's response if this action takes place before the transfer, or if

                                 the entire IP address is transferred to the USA and shortened only after the transfer to the USA. From
                                 from a technical point of view, it has thus not been shown that there is no potential access to the whole

                                 The IP address before the last octet is truncated.


                                 Against this background, IMY notes that the additional protective measures taken
                                 of Google are not effective, because they do not prevent American

                                 intelligence services' ability to access the personal data or does so
                                 access ineffective.


                                 2.4.2.3.2 Coop's own additional protective measures

                                 Coop has stated that the company has taken additional protective measures in addition to those measures
                                 which Google (truncation of the last octet when transmitting measured data) has taken.

                                 According to the company, these consist of a so-called server side container, set up for the purpose of
                                 extend control over how data is sent to the Tool and means that it

                                 is only one and the same generic IP address transmitted to the Tool, regardless
                                 which the data subject's unique IP address is.


                                 However, IMY finds that these measures are not sufficient for the following reasons.


                                 IMY states that Coop also transmits a number of other unique identifiers (clientID,
                                 userID, gclid and dclid as well as transactionID), the purpose of which is to be able to distinguish it

                                 Complainant at Google. The so-called server side container means that IP number, after that
                                 The IP address that has been collected by Coop (but before the transfer to Google), replaced

                                 with a generic IP number that is the same for all visitors to Coop's website. The

                                 23 See EDPB's Recommendations 01/2020, point 81.
                                 24 IP address truncation means that asterisks or zeros replace other digits in the last octets (the last digits of an IP

                                 25ress, a number between 0 and 255).
                                   IP address truncation means that asterisks or zeros replace other digits in the last octets (the last digits of an IP
                                 address, a number between 0 and 255), which itself can only be one of 256 options. The effect of this action
                                 means that it is still possible to distinguish the IP address from the other IP addresses (255 options), because the IP
                                 the address can be linked with other transferred data (e.g. information about unit and time of visit) to
                                 third country. Masking of the last octet (Google's action) is not an additional privacy-enhancing action other than server side
                                 container, as this action only masks the last octet of an already anonymized IP address.



                                                                Page 20 of 24The Swedish Privacy Agency Diary number: DI-2020-11368 21(24)
                                Date: 2023-06-30





                                the unique identifiers (clientID, userID, gclid and dclid and transactionID) are also transmitted

                                via so-called server side container (and the IP anonymization), but is transmitted unchanged
                                form ie in plain text, which means that these data can be separated and thus can
                                are connected. IMY states, because it is possible to connect the transferred ones

                                the data to other data that is also transferred to Google LLC, that they further
                                the protective measures are not sufficient.

                                To ensure effective safeguards, all unique identifiers should be transmitted instead

                                in altered form (i.e. not in plain text) which means that transmitted data cannot be accessed
                                connect.


                                Against this background, IMY notes that neither the additional measures which
                                taken by the company, in addition to the additional measures taken by Google, is sufficient
                                effective in preventing US intelligence agencies from accessing

                                the personal data or render such access ineffective.

                                2.4.2.3.3 The Privacy Protection Authority's conclusion

                                In light of the above, IMY finds that Coop has not demonstrated that any of the
                                tools listed in Chapter V of the Data Protection Regulation can be used to transfer
                                personal data about visitors to its website - in particular unique identifiers, IP-
                                addresses, browser data and metadata - to Google LLC in the USA.


                                With this transfer of data, Coop is therefore undermining the level of protection for
                                personal data of data subjects guaranteed in Article 44 of the Data Protection Regulation.


                                IMY therefore states that Coop Sverige AB is in breach of Article 44 i
                                data protection regulation.


                                3 Choice of intervention


                                3.1 Legal regulation


                                In the event of violations of the data protection regulation, IMY has a number of corrective measures
                                powers to be available according to Article 58.2 a–j of the data protection regulation, among other things
                                reprimand, injunction and penalty fees.


                                IMY shall impose penalty fees in addition to or in lieu of other corrective measures
                                as referred to in Article 58(2), depending on the circumstances of each individual case.


                                Each supervisory authority must ensure that the imposition of administrative
                                penalty charges in each individual case are effective, proportionate and dissuasive. The
                                stated in Article 83.1 of the Data Protection Regulation.


                                In article 83.2 of the data protection regulation, the factors that must be considered in order to
                                decide whether an administrative penalty fee should be imposed, but also at
                                the determination of the amount of the penalty fee. If it is a question of a smaller one

                                breach will receive the IMY as set out in recital 148 instead of imposing a
                                penalty fee issue a reprimand according to article 58.2 b of the regulation. Consideration shall
                                in the assessment, aggravating and mitigating circumstances in the case are taken into account, such as
                                the nature, severity and duration of the breach and previous breaches of

                                relevance.





                                                              Page 21 of 24The Swedish Privacy Agency Diary number: DI-2020-11368 22(24)
                                Date: 2023-06-30






                                According to article 83.5 c of the data protection regulation, in the event of a violation of among article
                                44 in accordance with 83.2 administrative penalty fees of up to 20 million are imposed

                                EUR or, in the case of a company, of up to 4% of the total global
                                the annual turnover during the previous budget year, depending on which value is the highest.


                                3.2 Should a penalty fee be imposed?


                                IMY has found above that the transfers of personal data to the USA that take place via
                                The Google Analytics tool and which Coop is responsible for contravenes Article 44 i
                                data protection regulation. Violations of that provision may, as stated above,

                                incur penalty charges. In the current case, it is a question of a serious one
                                violation which should normally result in a penalty fee.


                                When assessing in this case whether a penalty fee should be imposed, it must be in the aggravating direction
                                it is taken into account that the infringement has occurred by Coop transferring a large amount
                                personal data to third countries where the data cannot be guaranteed the level of protection that

                                given in the EU/EEA. The treatment has taken place systematically and over a long period of time. After
                                The European Court of Justice, by judgment on 16 July 2020, rejected the Commission's decision on
                                adequate level of protection in the USA changed the conditions for transfers of

                                personal data to the United States. About 3 years have now passed since the judgment was announced and
                                In the meantime, the EDPB has made recommendations on the consequences of the judgment

                                for public consultation on 10 November 2020 and in final form on 18 June 2021.

                                In the mitigating direction, the special situation that arose after must be taken into account
                                the judgment and the interpretation of the EDPB's recommendations, where there was a gap after

                                that the transfer tool to the USA according to the Commission's previous decision was rejected by
                                European Court of Justice. In addition, it must be taken into account that it appears from the investigation that Coop
                                has made an analysis of the life cycle of personal data in the Tool. Coop has also taken

                                measures such as a so-called server side container, set up to extend control
                                over how data is sent to the Tool and which means that there is only one and

                                the same generic IP address that is transmitted to the Tool, regardless of which one
                                registrant's unique IP address is. The company has also activated Google's action
                                "anonymization of IP addresses" through truncation. Coop has thus taken

                                comprehensive technical measures to try to limit the risks for the data subjects and
                                to heal the defects. Coop has thereby also believed that they succeeded even though
                                the measures now proved not to be effective enough to prevent American

                                intelligence agencies' ability to access the data or to do so
                                access ineffective.


                                In a balanced assessment, IMY finds that there is reason to in this case

                                refrain from imposing a penalty fee on Coop for the established violation and
                                stop at an injunction to remedy the deficiency.


                                3.3 Other interventions

                                It appears from the investigation that the protective measures for the transfer of personal data

                                as invoked by Coop cannot support the transfer according to Chapter V i
                                data protection regulation. The transfer thus involves a violation of
                                the regulation. In order to ensure that the infringement ceases, Coop must be served in accordance with

                                article 58.2 d of the data protection regulation to ensure that the company's processing of

                                27 Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 according to the European Parliament and the Council
                                directive 95/46/EC on whether adequate protection is ensured by the privacy shield in the EU and the United
                                the states.



                                                              Page 22 of 24The Swedish Privacy Agency Diary number: DI-2020-11368 23(24)
                               Date: 2023-06-30






                               personal data within the framework of the use of the Google Analytics tool
                               complies with Article 44 and other provisions of Chapter V. This shall especially

                               happen by Coop ceasing to use that version of the Google tool
                               Analytics as used on August 14, 2020, unless adequate safeguards are in place

                               taken. The measures must be implemented no later than one month after this decision
                               become final.


                               ___________________




                               This decision has been taken by the general manager Lena Lindgren Schelin after a presentation
                               by lawyer Sandra Arvidsson. In the final proceedings, the chief justice also has

                               David Törngren, unit manager Catharina Fernquist and IT- and
                               information security specialist Mats Juhlén participated.




                               Lena Lindgren Schelin, 2023-06-30 (This is an electronic signature)


















































                                                             Page 23 of 24The Swedish Privacy Agency Diary number: DI-2020-11368 24(24)
                                Date: 2023-06-30






                                4 Appeal reference


                                4.1 How to Appeal

                                If you want to appeal the decision, you must write to the Swedish Privacy Agency. Enter in
                                the letter which decision you are appealing and the change you are requesting. The appeal shall

                                have been received by the Privacy Protection Authority no later than three weeks from the day you received it
                                part of the decision. If the appeal has been received in time, send
                                The Privacy Protection Authority forwards it to the Administrative Court in Stockholm
                                examination.


                                You can e-mail the appeal to the Privacy Protection Authority if it does not contain
                                any privacy-sensitive personal data or information that may be covered by

                                secrecy. The authority's contact details appear on the first page of the decision.




















































                                                              Page 24 of 24