IMY (Sweden) - DI-2020-11368
From GDPRhub
| IMY - DI-2020-11368 | |
|---|---|
 | |
| Authority: | IMY (Sweden) |
| Jurisdiction: | Sweden |
| Relevant Law: | Article 44 GDPR Article 46 GDPR Article 60 GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 30.06.2023 |
| Published: | |
| Fine: | n/a |
| Parties: | Coop Sverige AB |
| National Case Number/Name: | DI-2020-11368 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Swedish |
| Original Source: | IMY (in SV) |
| Initial Contributor: | n/a |
The Swedish DPA held that by using Google Analytics provided by Google LLC, Coop breached Article 44 GDPR. SCCs and safeguards that were in place could not support data transfers to the US in a way that would not undermine the level of protection of personal data guaranteed by the GDPR.
English Summary
Facts
Coop Sverige AB (the controller) used Google Analytics tool provided by Google LLC (processor) on its website. For the use of this tool, the controller transferred users’ personal data to the processor, in the US.
In 2020, noyb lodged a complaint against the controller with the Austrian DPA, alleging that the transfer of personal data through the use of Google Analytics tool was in violation of the provisions of Chapter V GDPR.
The complaint was transferred to the Swedish DPA in its quality of lead supervisory authority pursuant to Article 56 GDPR. Following the complaint, the DPA investigated the data transfers from the controller to the US through the use of Google Analytics.
In its defense, the controller explained that the transfer was based on SCC’s concluded with Google Analytics pursuant to Article 46 GDPR and that it put in place additional safeguards.
Holding
Firstly, the DPA assessed whether the data processed through Google Analytics tool constituted personal data and found that it did. Indeed, generic IP address and users’ unique identifiers collected through cookies were transmitted to Google LLC. The DPA outlined that although such unique identifiers would not make the users identifiable in themselves, they could be combined with additional elements and enable to distinguish individual visitors.
Secondly, the DPA held that Coop decided to implement the Google Analytics tool on its website for its own analytics purposes. By determining the means and purposes of the processing, Coop qualified as the controller.
Thirdly, the DPA assessed the compatibility of the transfer with Article 44 GDPR and if it was supported by a transfer basis under Chapter V GDPR. Referring to CJEU Schrems II judgment, the DPA noted that the use of SCC’s is not in itself sufficient to achieve an acceptable level of protection in the context of data transfers to the US and that an analysis of the national provisions must be carried out. Under national US law, Google LLC, as a provider of electronic communication services is subject to surveillance by the intelligence agencies and is thus obliged to provide the US government with personal data. According to the Schrems judgment, that the DPA considered up-to-date, this legislation doesn’t meet the requirements of EU law.
Fourthly, considering that the SCC’s were not sufficient, the DPA assessed whether the controller and the processor implemented additional safeguards for the data transfers. It noted that technical measures were in place but that these measures did not prevent the US intelligence agency from accessing the data
In conclusion, the DPA found that the transfer of data could not rely on any of the Chapter V tools and that the controller undermined the level of protection of the data subjects’ data, in breach of Article 44 GDPR. Taking into account that the controller implemented measures to try to limit risks of breaches, the DPA decided not to impose a fine and to only order the controller to remedy the deficiency.
Comment
See press release from the IMY : https://www.imy.se/en/news/four-companies-must-stop-using-google-analytics/?_t_tags=siteid%3a18263376-b78c-4463-91f5-39de8d45752d%2clanguage%3aen&_t_hit.id=IMY_Models_Pages_NewsPage/_935d07a1-64f7-4183-9e3d-12c5f95a193e_en&_t_hit.pos=1
This complaint is part of noyb's 101 complaints project. This decision was published along with three other decisions. Summaries are available on the hub : https://gdprhub.eu/index.php?title=IMY_(Sweden)_-_DI-2020-11397
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.
1(24)
Coop Sweden AB
Englundavägen 4
17188 Solna
Diary number:
DI-2020-11368 Decision after supervision according to
data protection regulation – Coop
Date:
2023-06-30 Sverige AB's transfer of
personal data to third countries
Content
The Privacy Protection Authority's decision................................................... ............................2
1 Description of the supervisory matter ............................................... .....................................3
1.1 The processing................................................... ............................................3
1.2 What is stated in the complaint............................................. ..............................3
1.3 What Coop has stated............................................... ........................................4
1.3.1 Who has implemented the Tool and for what purpose, etc. ........4
1.3.2 Recipient of the data ............................................. .....................5
1.3.3 The data processed in the Tool and what constitutes it
personal data ................................................ ........................................5
1.3.4 Categories of persons affected by the processing......................5
1.3.5 When the code for the Tool is executed and Recipient access is provided .5
1.3.6 How long the processed personal data is stored ......................5
1.3.7 In which countries the personal data is processed...................................6
1.3.8 Coop's relationship with Google LCC............................................ ...............6
1.3.9 Ensuring that the processing does not take place for the Recipients' own benefit
purpose ................................................ ................................................ .6
1.3.10 Description of Coop's use of the Tool............................6
1.3.11 Own checks on transfers affected by the judgment Schrems II7
Postal address: 1.3.12 Transfer tool according to chapter V of the data protection regulation .......8
Box 8114
104 20 Stockholm 1.3.13 Control of obstacles to enforcement in legislation in third countries............8
1.3.14 Additional safeguards taken in addition to those taken by Google
Website:
www.imy.se ............................................ ................................................ ...................8
Email: 1.4 What Google LCC has stated............................................. ...............................10
imy@imy.se
2. Justification of the decision................................................ ................................................ 11
Phone:
08-657 61 00
Page 1 of 24The Swedish Privacy Agency Diary number: DI-2020-11368 2(24)
Date: 2023-06-30
2.1 The framework for the review............................................... ................................11
2.2 This concerns the processing of personal data............................................. .11
2.2.1 Applicable regulations, etc. ................................................ ...11
2.2.2 The Privacy Protection Authority's assessment...................................13
2.3 Coop is the personal data controller for the processing...................................15
2.4 Transfer of personal data to third countries............................................. ....15
2.4.1 Applicable regulations, etc. ................................................ ...16
2.4.2 The Privacy Protection Authority's assessment...................................18
3 Choice of intervention................................................... ................................................ .......21
3.1 Legal regulation................................................ ..........................................21
3.2 Should a penalty fee be imposed?............................................ ..........................21
3.3 Other interventions................................................... ........................................22
4 Appeal reference ................................................ ..........................................23
4.1 How to appeal .............................................. ........................................23
Page 2 of 24The Swedish Privacy Agency Diary number: DI-2020-11368 3(24)
Date: 2023-06-30
The Privacy Protection Authority's decision
The Privacy Protection Authority states that Coop Sverige Aktiebolag processes
personal data in violation of article 44 of the data protection regulation by then it
August 14, 2020 and until the day of this decision use the Google Analytics tool,
which is provided by Google LLC, on its website www.coop.se, and thereby
transfer personal data to third countries without the conditions according to chapter V of the regulation
are fulfilled.
The Privacy Protection Authority orders Coop Sverige Aktiebolag with the support of article
58.2 d of the data protection regulation to ensure that the company's processing of personal data
within the framework of Coop Sverige Aktiebolag's use of the Google Analytics tool
complies with Article 44 and other provisions of Chapter V. This shall especially
happen by Coop Sverige Aktiebolag ceasing to use that version of
the Google Analytics tool used on August 14, 2020, if not sufficient
protective measures have been taken. The measures must be completed no later than one month after
this decision gained legal force.
1 Description of the supervisory matter
1.1 The processing
The Swedish Privacy Protection Agency (IMY) has started supervision regarding Coop Sverige AB
(hereinafter "Coop" or "the company") due to a complaint. The complaint concerns a
alleged violation of the provisions of Chapter V of the Data Protection Ordinance linked
to the transfer of the complainant's personal data to third countries. The transfer is alleged to have
happened when the complainant visited the company's website, www.coop.se (hereinafter "the company's
website” or the “Website”) through the Google Analytics tool (below
“The Tool”) provided by Google LLC.
The complaint has been handed over to IMY, in its capacity as the responsible supervisory authority according to
Article 56 of the Data Protection Regulation. The handover has taken place from the supervisory authority
in the country where the complainant has filed his complaint (Austria) in accordance with
the regulation's provisions on cooperation in cross-border processing.
The proceedings at IMY have taken place through an exchange of letters.
1.2 What is stated in the complaint
The complaint essentially states the following.
On August 14, 2020, the complainant visited Coop's website. During the visit,
the complainant signed in to his Google account, which is linked to the complainant's email address.
The company had implemented a Javascript code for Google services on its website,
including Google Analytics. In accordance with clause 5.1.1 b of the terms of Google's
processing of personal data for Google's advertising products and also Google's terms and conditions
for processing "the New Order Data Processing Conditions for Google Advertising
Products" Google processes personal data of the data controller (i.e.
1
regarding the processing of personal data and about the free flow of such data and about the cancellation of avr med
directive 95/46/EC (General Data Protection Regulation).
Page 3 of 24The Swedish Privacy Agency Diary number: DI-2020-11368 4(24)
Date: 2023-06-30
the company's) account. Google LLC must therefore, according to the above-mentioned conditions, be classified as
the company's personal data assistant.
During the complainant's visit to the company's website, the complainant was treated
personal data by Coop, at least the complainant's IP address and data collected
through cookies. Some of the data collected was transferred directly to Google. IN
in accordance with clause 10 of the terms on the processing of personal data for Googles
advertising products, Coop has approved that Google may process personal data about
the appellant in the United States. Such transfer of data requires legal support in accordance with
chapter V of the data protection regulation.
According to the judgment of the European Court of Justice Facebook Ireland and Schrems (Schrems II), 2
the company can no longer rely on a decision on an adequate level of protection for the transfer of
data to the United States according to Article 45 of the Data Protection Regulation. The company should not base
the transfer of data on standardized data protection regulations according to article
46.2 c of the data protection regulation if the recipient country does not ensure adequate protection
with regard to Union law for the personal data that is transferred.
1.3 What Coop has stated
Coop Sverige AB has essentially stated the following.
1.3.1 Who has implemented the Tool and for what purpose, etc.
Coop has made the decision to implement the Tool on the Website, which has happened
by embedding the code for the tool on the Website. The tool is still
actively. The company is not established in any other member state than Sweden and has not
made such a decision for any other European website.
The purpose of Coop's use of the Tool is to fulfill the purpose of developing and
improve Coop's operations, products and services. The tool is used, for example, for
to analyze and evaluate (i) how registered users use coop.se, (ii) Coop's customer
personalization on coop.se and (iii) Coop's advertising campaigns. Based on those insights
that the tool provides, Coop can make decisions about measures that improve and optimize
Coop's products, services (e.g. functions offered on coop.se and their
placement or personification on coop.se) and marketing or make decisions about new
products or services must be developed. For this purpose it is necessary to keep
relevant unique identifiers for the analyzes performed in order to create reliable and
verifiable results.
The tool is used to create analyzes and reports that facilitate
decision-making linked to the objectives 1) provide a personal experience in Coop's digital
channels and 2) marketing and communication in Coops and in third party digital
channels.
2 ECJ judgment Facebook Ireland and Schrems (Schrems II), C-311/18, EU:C:2020:559.
Page 4 of 24The Swedish Privacy Agency Diary number: DI-2020-11368 5(24)
Date: 2023-06-30
Coop's purpose with the Tool can also be fulfilled with the implementation of a so-called
the server side container, which means that the visitor's IP address should not be sent to
The tool (see below). Coop does not need IP addresses as identifiers to comply
the purpose of the Tool. The purpose of the Tool is to create reports for
decision basis for the purpose of developing and improving Coop's operations, products
and services. Examples of information needed in these reports. Could be any
exposures that lead to a purchase in order to be able to evaluate their effectiveness, e.g.
product displays, recipe displays or campaigns. In this context, it is therefore
the measurement, not the IP address, which is decisive for whether the purpose of the Tool can
fulfilled.
Coop's customers are in the Swedish market and Coop only targets it
Swedish market. Practical reasons and the prohibition regarding discrimination of
consumers, and in some cases also traders, according to the geoblocking regulation 3
however, means that there is no restriction on who can visit Coops
website. Coop does not specifically analyze traffic to the website from which countries
comes .
1.3.2 Recipient of the data
Within the scope of Coop's use of the Tool on the Website is provided
personal data out to a number of actors, all of whom are personal data processors or
subcontractors of Coop, including Google LLC, Google Ireland Ltd and their
assistants.
1.3.3 The data processed in the Tool and what constitutes it
personal data
Within the framework of Coop's use of the Tool on the Website, the company processes
and its personal data assistants (the Recipients) the information specified below.
1. User behavior on the website based on values submitted via variables
on the website (eg filterCombination, Page title, Referrer or storeName).
2. Device information (eg flashVersion, javaEnabled, language or color choice of
screen).
3. Customer status (i.e. if the user visits Coop's website in logged in or
logged out mode or as a business customer).
4. Online identifiers (e.g. IP address, userID, transactionID, clientlD, gclid, dclid
or Device ID).
5. Transaction data based on values submitted via site variables
(such as antalKop, Transaction - dimension50 (boughtRecipe), Transaction -
dimension7 (deliveryMethod), orderlD or deliveryTime).
1.3.4 Categories of persons affected by the processing
The categories of persons affected by the processing are visitors, private customers
(non-member with an account), business customers and members of Coop Medlem.
The tool is not set up and is not used to treat particular categories of
personal data or personal data of particularly vulnerable persons.
3Regulation (EU) 2018/302 of the European Parliament and of the Council of 28 February 2018 on measures against unjustified
geoblocking and other forms of discrimination based on customers' nationality, place of residence or place of establishment
in the internal market.
Page 5 of 24The Swedish Privacy Agency Diary number: DI-2020-11368 6(24)
Date: 2023-06-30
1.3.5 When the code for the Tool is executed and Recipient access is provided
When a user has made their consent choices, the user's personal data, i
varying extent, to be sent to the Tool. The content is integrated and run after
conditions in Coop's consent manager are met.
1.3.6 How long the personal data processed is stored
The personal data processed in the Tool is stored for a maximum of 38 months and
is subsequently deleted.
1.3.7 In which countries the personal data is processed
The personal data is processed in the United States, among other places.
1.3.8 Coop's relationship with Google LCC
Coop purchases the license for the Tool through a reseller that constitutes Coops
personal data assistant. Coop and the personal data assistant have entered into an agreement
personal data assistant agreement that regulates the set-up and administration of the Tool.
The personal data assistant in turn independently administers all operations in
relationship with Google. For example, the personal data assistant handles the whole set
of the Tool, compensation for the service and contacts with Google regarding support.
In other words, Google acts exclusively on instructions from Coops
personal data assistant.
Google further applies contractual terms between itself and the retailer that regulates
Google's processing of personal data as a personal data processor in relation to
the retailer, whereby the retailer is Coop's personal data assistant. Google will be
thereby Coop's assistant. This view of the distribution of roles is consistent with
The view of Coop's personal data officer and Google. In addition to this, the settings that
enables the use of personal data in the Tool for Google's own purposes
deactivated.
In light of (i) that Coop's personal data assistant acts in accordance with Coop's
instructions, (ii) how the contract structure looks like and how the parties involved look at it
the distribution of roles and (iii) that data sharing for Google's own purposes is disabled
Coop's assessment that Google constitutes a subsidiary of Coop is linked to
personal data processing in the Tool.
1.3.9 Ensuring that the processing does not take place for the Recipients' own purposes
Coop releases the personal data to its personal data assistants. Coop has entered
personal data processing agreement with these. The agreements contain clauses concerning Coop's right to
audit/audit through which Coop can check that the personal data assistant does not
processes personal data for its own purposes or for the purposes of third parties.
As part of its work with the data protection regulation, Coop applies a routine to
ensure regulatory compliance. The routine includes an annual cycle whose purpose is to secure good
regulatory compliance over time. The annual wheel is divided into four parts where follow-up of
assistant relations are included in the third part. Within the framework of the follow-up work according to
annual cycle, there is an opportunity to ensure that personal data assistants only process
personal data on behalf of Coop.
In connection with the work regarding the implementation of the consent manager, has in addition
additional measures have been taken to ensure that Coop does not allow Recipients
processes personal data belonging to Coop's visitors, customers and members for
Page 6 of 24The Swedish Privacy Agency Diary number: DI-2020-11368 7(24)
Date: 2023-06-30
their own purposes. There are routines that state that each responsible employee must
ensure that no sharing of personal data takes place through solutions in the service.
1.3.10 Description of Coop's use of the Tool
Coop sends various identifiers via the measurement set up on the company's website.
Common to all identifiers is that these are unique for the interactions of the data subjects
related to the website www.coop.se. In other words, a registered person is not attributed to one
and the same identifier that applies to websites other than the Coop website.
The example below describes a report where Coop wants to understand which products are
popular to shop online and how these have been exposed to the customer at Coops
website. When the customer completes their purchase in Coop's e-commerce, the following is sent
information for the Tool (on the quote variable, description and example of value):
• Id - Product ID – 3600542020855
• Variant – Size of the packaging (eg 200 g etc.) – undefined
• Price – The price of the product – 26.5
• List – The products on the site are presented in a product list which may have different
name, e.g. product search, Site search, Search dropdown - product search
• listPosition – What position the list has among other product lists (from 0 and
upwards) – 0
• position – What place the product has in the product list (from 0 and up) – 0
• name – Product name – Balsam Goodbye Damage
• brand – Brand – Fructis
• category – Product category area – Beauty & Hygiene - Hair care - Conditioner
The identifiers transmitted are the following:
1. clientID – used to be able to determine whether a registered person is new or
recurrent. New clientIDs are generated if a registrant has cleared theirs
cookies and re-enters the website.
2. userID – generated for registered users with a login account on coop.se and
used to determine whether a data subject has a login account or
not.
3. gclid and dclid – generated for each unique ad click. The aim is to be able to
attribute a click to a specific ad in order to, for example, get
aggregated information about how many times the ad has been viewed or
how many people have interacted with it.
4. transactionID – generated in connection with a purchase on coop.se and
corresponds to an order number.
Based on the information stated above, Coop can, among other things, draw conclusions about
popular products that lead to purchase, how the customer journey started and what type of
registered person who completed the purchase (e.g. new or returning member/customer or
member/customer with login account). These conclusions are not dependent on
registrants' public IP addresses are sent to the Tool and the purpose can thus be fulfilled
regardless of whether public IP addresses are sent or not.
In light of the implementation of the server side container, Coop also wishes to
clarify that registered IP addresses are only processed through the following
treatments: 1) collection on the company's website, 2) transfer to server side
the container and 3) converting the unique IP addresses to a generic IP address for
Page 7 of 24The Swedish Privacy Agency Diary number: DI-2020-11368 8(24)
Date: 2023-06-30
the server side container. Collection, transfer and conversion are done in real time and none
public IP addresses are stored.
1.3.11 Own checks on transfers affected by the Schrems II judgment
In light of the Schrems II judgment, Coop has carried out work to review
their third country transfers. In the autumn of 2021, Coop has also carried out an audit of
The tool where Coop has been able to establish that international data transfers are taking place
through use of the Tool. As part of this work, it has been undertaken on an ongoing basis
measures to further increase privacy protection related to the data subjects whose
personal data is affected.
1.3.12 Transfer tool according to chapter V of the data protection regulation
Transfers to third countries take place with the support of the European Commission
standard contract clauses (personal data assistants), which are incorporated into that contract
entered into between Google and Coop's personal data assistant. According to the agreement constitute
Coop's personal data assistant exporter of the personal data to the Tool.
Coop supports the data transfers to the USA on the standard contractual clauses for
transfer of personal data to personal data processors in third countries.
In this case, the standard contract clauses have been entered into between Google LLC and the company
personal data assistant. In this context, it can be mentioned that Google provides
standardized services and do not offer their customers the opportunity to negotiate
the terms of their services. Because these are terms that are not subject to
negotiation, no signed copies are available. Coop has instead attached them
data processing conditions in which the standard contractual clauses have been incorporated and which apply
in accordance with the agreement entered into by Coop's personal data assistant.
Coop takes measures to ensure that the existing standard contract clauses always
are updated according to the EU Commission's latest version of standard contract clauses.
1.3.13 Control of obstacles to enforcement in legislation in third countries
Control of obstacles in third country legislation is within the scope of Coop's work to
review your third country transfers. However, Coop has noted the criticism that the EU
the court has directed against American law and takes this into account in the choice of
supplementary protective measures.
1.3.14 Additional safeguards taken in addition to those taken by Google
Implementation of additional protective measures is within the scope of Coop's work with
to review their third country transfers. According to data from Google, provided
several security measures that Google deems to constitute such additional safeguards
which can be taken together with the standard contract clauses.
Coop has also carried out work to establish a so-called server side container, i
purpose of expanding control over how data is sent to the Tool.
Coop believes that Google's contractual and organizational measures may be considered
minimize the actual risk of disclosure of personal data to third countries i
the end takes place. From Google's Transparency Report, Global requests for users
information, however, it appears that Google regularly receives requests from Americans
authorities about what applies when accessing personal data that Google stores.
Coop's assessment is that the real risk of information being disclosed to American
intelligence is small. However, it cannot be eliminated by either measures
that Google or Coop take.
Page 8 of 24The Swedish Privacy Agency Diary number: DI-2020-11368 9(24)
Date: 2023-06-30
Furthermore, Coop assesses that the supplementary measures taken to minimize
the monitoring possibilities also strengthen the freedoms and rights of Coop's customers by
these cannot be identified through the data that is transmitted.
In summary, through these measures, only one and the same generic IP
address transmitted to the Tool, regardless of the unique IP address of the data subject.
Coop has also activated the function in the Tool for so-called IP anonymization, but
in light of the server side container, this measure is, according to the company, redundant.
1.3.14.1 General about server side container
A server side container is generally implemented to either enhance 1)
website performance or 2) security. In terms of performance, fewer tags can
be used in relation to the measurement set up on the Website, which means
less code on the client side and, for example, that the website can load faster.
In terms of security, visitors' data can be better protected and the website owner
retains greater control over the data collected and distributed in an environment that
controlled by the website owner. When data is first sent to a cloud-based solution
this can be processed and redistributed with tags such as the website owner
controls.
1.3.14.2 Coop's implementation of the server side container
The purpose of the server side container that Coop has implemented is to improve
the security related to the data sent. More specifically, the aim is to on a good and
safely be able to protect the personal privacy of those registered. Server side
the container acts as a proxy between the registrant's browser and the Tool
where Coop has chosen to implement the server side container in a way that makes them
the registered browser's public IP address is never transmitted to the Tool.
Implementation can be described as follows. A registrant visits the website
www.coop.se in your browser. The Google Analytics script is downloaded from the server side
container instead of being downloaded directly from Google Analytics servers. This
results in the registrant's IP address as well as information about user behavior,
device information, customer status, online identifiers and transaction data (according to
points 1–5 above under section 1.3.10) are transferred to the server side container, instead
directly to Google Analytics. Once the Google Analytics script has been downloaded from the server
side container, a new call is made from the server side container to Google Analytics
servers. Since the call is made from the server side container, no transfer of
the registrant's public IP address to Google Analytics. Coop has configured the server
side container in such a way that all data as above, except it was recorded
public IP address, passes through the server side container to Google Analytics. Google
Analytics receives data sent from the server side container and that data
(information) that has been sent is popularized in reports by the measurement set
up on the website www.coop.se.
The treatments that take place through the aforementioned – i.e. to receive, convert and
forward the call - takes place in the working memory of the server side container. It means
all processing takes place in real time and that no data is permanently stored. In other words, stored
public IP addresses were not registered in the server side container and they are not exposed
rather against Google Analytics servers. All communication from the browser, via server
side container, to The tool is also encrypted.
Page 9 of 24The Swedish Privacy Agency Diary number: DI-2020-11368 10(24)
Date: 2023-06-30
This process cannot be reversed as the information is not stored and the conversion
not based on a one-to-one relationship that enables the use of a "key"
to recreate the public IP addresses.
Coop has activated Google's function for IP anonymization. It means that the IP
address sent to the Tool is truncated. This is done by Google removing one
part of the IP address before the IP address is stored on disk. For an IPv4 address, last is replaced
the octet in the address with a zero. For an IPv6 address, the last 80 bits are replaced with
zeros. The action cannot be reversed but as this action is done by Google i
Coop has also chosen to implement the tool as a server side container.
In Coop's case, the IP anonymization feature is enabled and applied to the generic
IP address sent via the server side container. In context, however, the function is
redundant considering that the server side container prevents the public of the registered
IP addresses from being sent to the Tool. Coop's assessment is that server side
the container as a measure is a sufficient protective measure, but that it does not harm that even
have the IP anonymization function activated in the Tool.
1.4 What Google LCC has stated
IMY has added to the case an opinion from Google LLC (Google) on April 9, 2021 which
Google submitted to the Austrian supervisory authority. The statement answers questions
which IMY and a number of supervisory authorities have asked Google due to in part
joint handling of similar complaints received by these authorities.
Coop has been given the opportunity to comment on Google LLC's opinion. By Google LLC's
opinion states the following about the Tool.
A JavaScript code is included on a web page. When a user visits (calls) a
web page, the code triggers a download of a JavaScript file. Then performed
the tracking operation of the Tool, which consists of collecting information related to
to the call in different ways and sends the information to the Tool's servers.
A website administrator who has integrated the Tool on his website can send
instructions to Google for processing the data collected. These
instructions are transmitted via the so-called tag manager that handles it
tracking code that the webmaster has integrated into his website and via
tag manager settings. Whoever integrated the Tool can do different things
settings, for example regarding storage time. The tool also makes it possible for it
which integrated it to monitor and maintain the stability of its website,
for example by staying informed about events such as peaks in visitor traffic
or lack of traffic. The tool also enables a website administrator to
measure and optimize the effectiveness of advertising campaigns carried out using
other tools from Google.
In this context, the Tool collects the visitor's http calls and information about
including the visitor's browser and operating system. According to Google, contains one
http calls for any page information about the browser and device making
the call, such as domain name, and information about the browser, such as type,
reference and language. The tool stores and reads cookies in the visitor's browser in order to
evaluate the visitor's session and other information about the call. Through these
cookies enable the Tool to identify unique users (UUID) over
browsing sessions, but the Tool cannot identify unique users in different browsers
or units. If a website owner's website has its own authentication system
Page 10 of 24The Swedish Privacy Agency Diary number: DI-2020-11368 11(24)
Date: 2023-06-30
can the website owner use the ID feature, to more accurately identify one
users on all the devices and browsers they use to access
the website.
When the information is collected, it is transferred to the Tool's servers. All data that
collected via The tool is stored in the United States.
Google has introduced, among other things, the following contractual, organizational and
technical safeguards to regulate transfers of data within the framework of
The tool.
Google has taken contractual and organizational safeguards such as to
the company always conducts a thorough examination of a request for access from government
authorities on user data can be implemented. It is lawyers/specially trained
staff conducting these trials and investigating whether such a request is
compliant with applicable laws and Google's guidelines. Those registered are informed
the disclosure, unless prohibited by law or would adversely affect one
emergency. Google has also published a policy on the company's website about how a
such requests for access by governmental authorities of user data shall be implemented.
Google has taken technical protective measures such as protecting personal data from
interception when transferring data in the Tool. By default using HTTP
Strict Transport Security (HSTS), which instructs browsers as http to SSL (HTTPS)
to use an encryption protocol for all communications between end users,
websites and the Tool's servers. Such encryption prevents intruders from
passively listen to communications between websites and users.
Google also uses an encryption technology to protect personal data, so-called “data in
rest" ("data at rest") in data centers, where user data is stored on a disk or
backup media to prevent unauthorized access to the data.
In addition to the above measures, website owners can use IP anonymization through
to use the settings provided by the Tool to limit Google's
use of personal data. Such settings include above all that in the code
for the Tool enable IP anonymization, which means that IP addresses are truncated and
contributes to data minimization. If the IP anonymization service is fully used occurs
the anonymization of the IP address almost immediately after the request has been received.
Google also restricts access to the data from the Tool through authorization control
as well as by all personnel having undergone training regarding
information security.
2. Justification of the decision
2.1 The framework for the review
Based on the complaint in the case, IMY has only examined whether Coop transfers
personal data to the third country USA within the framework of the Tool and if the company has
legal support for it in Chapter V of the Data Protection Regulation. The supervision does not cover if
the company's personal data processing in general is compatible with the data protection regulation.
Page 11 of 24The Swedish Privacy Agency Diary number: DI-2020-11368 12(24)
Date: 2023-06-30
2.2 This concerns the processing of personal data
2.2.1 Applicable regulations, etc.
In order for the data protection regulation to be applicable, it is required that personal data
treated.
According to Article 1.2, the Data Protection Regulation aims to protect the data of natural persons
fundamental rights and freedoms, in particular their right to the protection of personal data.
According to Article 4.1 of the regulation, personal data is "any information relating to a
identified or identifiable natural person (hereinafter referred to as a data subject), whereby a
identifiable natural person is a person who can be directly or indirectly specifically identified
referring to an identifier such as a name, an identification number, a
location data or online identifiers or one or more factors that are
specific to the natural person's physical, physiological, genetic, psychological,
economic, cultural or social identity'. To determine whether a natural person is
identifiable, one should consider all the aids that, either of it
personal data controller or by another person, may reasonably be used
to directly or indirectly identify the natural person (reason 26 to
data protection regulation).
The term personal data can include all information, both objective and
subjective information, provided that it "refers" to a specific person, which
4
they do if, due to their content, purpose or effect, they are linked to the person.
The word "indirectly" in Article 4.1 of the Data Protection Regulation indicates that it is not necessary
that the information itself makes it possible to identify the registered person for that to be
a personal data. Recital 26 of the data protection regulation also states that in order to
determine whether a natural person is identifiable, all aids, such as e.g. thinning
("singling out" in the English language version), which, either of it
personal data controller or by another person, may reasonably be used
to directly or indirectly identify the natural person, is taken into account. To determine
if aids can with reasonable probability be used to identify it
the natural person should all objective factors, such as costs and time consumption for
identification, taking into account both available technology at the time of processing,
considered. It is clear from Article 4.5 of the regulation that pseudymisation is meant
processing of personal data in a way that means that the personal data does not
longer can be attributed to a specific data subject without the use of supplementary information,
provided that this additional information is kept separately and is subject
for technical and organizational measures that ensure that the personal data does not
attributed to an identified or identifiable natural person.
So-called "web identifiers" (sometimes referred to as "online identifiers") - e.g. IP addresses or
information stored in cookies – can be used to identify a user,
especially when combined with other similar types of information. According to recital 30 to
data protection regulation, natural persons can be linked to online identifiers provided by
their equipment, e.g. IP addresses, cookies or other identifiers. This can leave behind
traces that, especially in combination with unique identifiers and other data such as
collected, can be used to create profiles of natural persons and identify them.
In the Breyer judgment, the European Court of Justice has determined that a person is not considered identifiable through
some information about the risk of identification in practice is negligible, which it is
4 ECJ judgment Nowak, C-434/16, EU:C:2017:994, paragraphs 34–35.
5 CJEU judgment Breyer, C-582/14, EU:C:2016:779, paragraph 41.
Page 12 of 24The Swedish Privacy Agency Diary number: DI-2020-11368 13(24)
Date: 2023-06-30
identification of the relevant person is prohibited by law or impossible to carry out i
practice. However, the European Court of Justice has in the judgment M.I.C.M. from 2021 and in the judgment Breyer struck
provided that dynamic IP addresses constitute personal data in relation to the person who
processes them, when he also has a legal opportunity to identify the holders of
the internet connections using the additional information provided by third parties
7
dispose of.
2.2.2 The Privacy Protection Authority's assessment
To determine whether the information processed through the Tool constitutes personal data
should IMY decide whether Google or Coop through the implementation of the Tool
can identify individuals, e.g. the complainant, when visiting the Website or about the risk of
8
it is negligible.
IMY considers the data processed to be personal data for the following reasons.
The investigation shows that Coop implemented the Tool by inserting a
JavaScript code (a tag), entered by Google in the source code of the Website. While
the page is loaded in the visitor's browser, the JavaScript code from Google LLC's is loaded
servers and run locally in the visitor's browser. A cookie is inserted at the same time
the visitor's browser and saved on the computer. The cookie contains a text file that collects
information about the visitor's operation on the Website. Among other things, a
unique identifier in the value of the cookie and this unique identifier is generated and
managed by Google.
When the complainant visited the Website, or a sub-page of the Website, was transmitted
the following information via JavaScript code from the complainant's browser to Google
LLC's servers:
1. Unique identifier(s) that identified the browser or device used
to visit the Website as well as a unique identifier that identifies Coops
(ie the company's Google Analytics account ID).
2. Web address (URL) and HTML title of the website and web page that
the appellant has visited.
3. Information about browser, operating system, screen resolution,
language setting and date and time of access to the Website.
4. The generic IP address created by Coop's implementation of a so-called
server side container.
During the appellant's visit (according to point 1 above) said identifier was put in cookies with
the names "_gads", "_ga" and "_gid" and subsequently transferred to Google LLC. These
identifiers have been created with the aim of being able to distinguish individual visitors, such as
the appellant. The unique identifiers thus make the visitors to the Website
identifiable. Although such unique identifiers (as per 1 above) would not in themselves be considered
make individuals identifiable, however, it must be considered that these unique identifiers in it
the current case can be combined with additional elements (according to points 2-4 above)
and that it is possible to draw conclusions in relation to information (according to the points
6 CJEU judgment Breyer, C-582/14, EU:C:2016:779, paragraphs 45–46.
7 CJEU judgment M.I.C.M, C-597/19, EU:C:2021:492, paragraphs 102–104 and judgment Breyer, C-582/14,
EU:C:2016:779, paragraph 49.
8 See the Court of Appeal in Gothenburg's judgment of 11 November 2021 in case no. 2232-21, with the agreement of the sub-instance
assessment.
Page 13 of 24The Swedish Privacy Agency Diary number: DI-2020-11368 14(24)
Date: 2023-06-30
2–4 above) which means that information constitutes personal data, regardless of whether the IP address is not
transferred in its entirety.
If information is combined (according to points 1–4 above), it means that individual visitors on
The website becomes even more distinguishable. It is thus possible to identify
individual visitors of the Website. That in itself is enough for it to be considered
personal data. It does not require knowledge of the actual visitor's name or
physical address, because the differentiation (through the word "thinning" in recital 26 i
the data protection regulation, "singling out" in the English version) in itself is sufficient for
to make the visitor indirectly identifiable. Nor is it required that Google or Coop have
for the purpose of identifying the appellant, but the opportunity to do so is in itself sufficient for
to determine whether it is possible to identify a visitor. Objective aids such as
can reasonably be used either by the personal data controller or by someone
other, are all aids that can reasonably be used for the purpose of identifying the appellant.
Examples of objective aids that can reasonably be used are access to additional
information with a third party that would make it possible to identify the complainant with
taking into account both available technology at the time of identification as well as cost
(the time required) for the identification.
IMY states that the European Court of Justice, through the judgment M.I.C.M. and the Breyer judgment established that
dynamic IP addresses constitute personal data in relation to the person who processes them,
when he also has a legal opportunity to identify the holders of
the internet connections using the additional information provided by third parties
dispose of. IP addresses do not lose their character of being personal data alone
due to the fact that the means of identification are with third parties. The Breyer ruling and
The M.I.C.M judgment should be interpreted based on what is actually stated in the judgments ie. that about it
there is a legal possibility to gain access to supplementary information for the purpose of
identify the appellant it is objectively clear that there is a “means which reasonably can
will be used' to identify the complainant. According to IMY, the judgments should not be read
on the contrary, in the way that a legally regulated possibility to gain access must be demonstrated
to data that can link IP addresses to natural persons so that the IP addresses will
considered to be personal data. An interpretation of the concept of personal information which means that
it must always be demonstrated a legal possibility to link such data to a physical
person would, according to IMY, mean a significant limitation of the regulation
protection area, and open up possibilities to circumvent the protection in the regulation. This one
interpretation would, among other things, be contrary to the purpose of the regulation according to Article 1.2 i
data protection regulation. The Breyer judgment was decided under previously applicable directives
95/46 and the concept of "singling out" according to recital 26 of the current regulation (that it does not
knowledge of the actual visitor's name or physical address is required, because
the distinction itself is sufficient to make the visitor identifiable), was not specified in
previously applicable directives as a method for identifying personal data.
In this context, other information is also added (according to points 1–3 above) such as IP
the address can be combined with to enable identification. Coop's action regarding
the generic IP address created by Coop's implementation of a so-called server side
container prevents the transfer of IP address to third countries, however, is enabled
still identification with Coop, which in itself is sufficient for the data
together shall constitute personal data.
9 ECJ judgment M.I.C.M, C-597/19, EU:C:2021:492, paragraphs 102-104 and Breyer judgment, C-582/14
EU:C:2016:779, paragraph 49.
Page 14 of 24The Swedish Privacy Agency Diary number: DI-2020-11368 15(24)
Date: 2023-06-30
IMY states that there may also be reasons to compare IP addresses (even generic ones)
with pseudonymised personal data. Pseudonymization of personal data
means, according to Article 4.5 of the data protection regulation, that the data – similar to
dynamic IP addresses – cannot be directly attributed to a specific data subject without
supplementary information is used. According to recital 26 of the data protection regulation should
such information is considered to be information about an identifiable natural person.
A narrower interpretation of the concept of personal data would undermine, according to IMY
the scope of the right to the protection of personal data, which is guaranteed in Article 8 i
The Charter of Fundamental Rights of the European Union, because it would
make it possible for personal data controllers to specifically single out individuals together
with personal data (eg when they visit a certain website) at the same time as individuals
are denied the right to protection against the dissemination of such information about them. Such an interpretation would
undermine the level of protection for individuals and would not be compatible with the wide
scope given by the data protection rules in the practice of the EU Court of Justice. 10
In addition, the complainant's personal data was processed on August 14, 2020, by
the complainant has been logged in to his Google account when visiting the Website,
thereby it has been possible to draw conclusions about the individual based on his
registration with Google. From Google's statement it appears that implementation of the Tool
on a website makes it possible to obtain information that a user of a Google
account (ie a registrant) has visited the website in question. Google does specify
that certain conditions must be met for Google to be able to receive such
information, e.g. that the user (complainant) has not deactivated treatment for and
display of personal advertisements. Because the appellant was logged into his Google account
when visiting the Website, Google may thus still have had the opportunity to obtain
information about the logged-in user's visit to the Website. The fact that it
does not appear from the complaint that no personal ads have been shown, does not mean that
Google cannot obtain information about the logged-in user's visit to the Website.
IMY finds against the background of the unique identifiers that can identify the browser
or the device, the ability to derive the individual through his Google account, they
the generic IP addresses as well as the possibility to combine these with additional ones
information that Coop's use of the Tool on a web page means that
personal data is processed.
2.3 Coop is the personal data controller for the processing
Personal data controller is, among other things, a legal person who alone or
together with others determines the purposes and means of the processing of
personal data (Article 4.7 of the Data Protection Regulation). Personal data assistant is among
another, a legal entity that processes personal data for it
account of the personal data controller (Article 4.8 of the data protection regulation).
The responses provided by Coop show that the company has made the decision to implement
The tool on the Website. Furthermore, it appears that Coop's purpose for this was that the company
must be able to analyze how the Website is used, in particular to be able to follow
the use of the website over time.
IMY finds that Coop by deciding to implement the Tool on the website i
said purpose has established the purposes and means of the collection and it
10 See, for example, the judgment of the European Court of Justice Latvijas Republikas Saeima (Points de pénalité), C-439/19, EU:C:2021:504,
paragraph 61, judgment Nowak, C-434/16, EU:C:2017:994, paragraph 33 and judgment Rijkeboer, C-553/07, EU:C:2009:293, paragraph 59.
Page 15 of 24The Swedish Privacy Agency Diary number: DI-2020-11368 16(24)
Date: 2023-06-30
the subsequent transfer of this personal data. Coop is therefore
personal data controller for this processing.
2.4 Transfer of personal data to third countries
The investigation shows that the data collected via the Tool is stored by Google
LLC in the United States. Thus, the personal data collected via the Tool is transferred to the United States.
The question is therefore whether Coop's transfer of personal data to the USA is compatible with
Article 44 of the Data Protection Regulation and is supported by a transfer tool in Chapter V.
2.4.1 Applicable regulations, etc.
According to article 44 of the data protection regulation, which has the title "General principle for
transfer of data", includes the transfer of personal data that is under
processing or are intended to be processed after they have been transferred to a third country -
i.e. a country outside the EU/EEA - only take place under the condition that it
personal data controller and the personal data assistant, subject to others
provisions of the data protection regulation, meet the conditions in chapter V. All
provisions of said chapter shall be applied to ensure that the level of protection
of natural persons ensured by the data protection regulation is not undermined.
Chapter V of the data protection regulation contains tools that can be used for transfers
to third countries to ensure a level of protection essentially equivalent to that which
guaranteed within the EU/EEA. It can e.g. be transfer supported by a decision on
adequate level of protection (Article 45) and transfer covered by appropriate
protective measures (Article 46). There are also exceptions for special situations (Article 49).
In the judgment Schrems II, the Court of Justice of the European Union has annulled that decision on adequacy
11
level of protection that previously applied to the United States. Because a decision on adequate
level of protection since July 2020 is missing, transfers to the US may not be based on Article 45.
Article 46.1 provides, among other things, that in the absence of a decision in accordance with Article
45.3 a personal data controller or a personal data assistant may only transfer
personal data to a third country after taking appropriate safeguards, and on
conditions that statutory rights of registered and effective remedies for
registered are available. Article 46.2 c stipulates that such suitable
safeguards may take the form of standardized data protection regulations adopted
by the Commission in accordance with the review procedure referred to in Article 93(2).
In the judgment Schrems II, the European Court of Justice did not reject standard contract clauses which
transfer tool. However, the court found that they are not binding on
the authorities of the third country. The Court of Justice of the European Union stated that “[even] if thus
there are situations where the recipient of such a transfer, depending on the legal situation and
current practice in the third country concerned, can guarantee the necessary protection of
data solely with the support of the standardized data protection regulations, exists
the other situations in which the provisions of these clauses cannot be one
sufficient means to ensure effective protection of the personal data in practice
which is transferred to the third country concerned.' According to the European Court of Justice, this is "among other things
11 Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 in accordance with the European Parliament and
Council Directive 95/46/EC on whether adequate protection is ensured by the Privacy Shield in
The European Union and the United States.
Page 16 of 24The Swedish Privacy Agency Diary number: DI-2020-11368 17(24)
Date: 2023-06-30
the case when the legislation of the third country allows the authorities of that third country to do
interference with the rights of the registered persons regarding these data.” 12
The reason why the European Court of Justice annulled the decision on adequate level of protection
with the US was because of how the US intelligence services can gain access
to personal data. According to the court, the conclusion of standard contract clauses cannot i
ensure a level of protection required according to Article 44 of the Data Protection Regulation,
as the guarantees stated therein do not apply when requested by such authorities
access. The European Court of Justice therefore stated the following:
"It thus appears that the standardized data protection regulations which
the commission adopted with the support of article 46.2 c of the same regulation only aims to
provide the personal data controllers or their personal data assistants established
in the Union contractual safeguards that are applied uniformly throughout
third countries and thus independent of the level of protection ensured in each of
these countries. Because these standardized data protection regulations, with regard
to their nature, cannot lead to protective measures that go beyond a contractual obligation
to ensure that the level of protection required under Union law is observed, it may be
necessary, depending on the situation prevailing in a particular third country, for it
personal data controller to take additional measures to ensure that the level of protection
13
observed".
In the European Data Protection Board's (EDPB) recommendations on the consequences of
the judgment clarifies that if the assessment of legislation and practice in the third country involves
that the protection that the transmission tool is supposed to guarantee cannot be maintained in practice
the exporter must, within the framework of his transfer, as a rule either cancel
the transfer or take appropriate additional protective measures. The EDPB thereby notes
that "further measures can only be considered effective in the sense referred to in the EU
the court's judgment "Schrems II" if and to the extent that they - alone or in combination -
addresses the specific deficiencies identified during the assessment of the situation i
15
the third country in terms of its laws and practices applicable to the transfer”.
It appears from the EDPB's recommendations that such additional protective measures can
fall into three categories: contractual, organizational and technical. 16
Regarding contractual measures, the EDPB states that such measures “[...] can
supplement and reinforce the safeguards that the transfer tool and relevant
legislation in the third country provides [...]. Considering that the contractual
the measures are of such a nature that they cannot generally bind the authorities in it
the third country because they are not parties to the agreement, these measures may often be necessary
combined with other technical and organizational measures to provide it
level of data protection required [...]'. 17
Regarding organizational measures, the EDPB emphasizes “[a]t choose and implement a
or more of these measures will not necessarily and systematically
ensure that [a] transfer meets the basic equivalence standard which
12 Paragraphs 125-126.
13 Item 133, IMY's.
14EDPB, Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU
level of protection of personal data, Version 2.0, adopted on 18 June 2021 (hereinafter "EDPB's Recommendations
01/2020”).
15
16EDPB's Recommendations 01/2020, point 75. IMY's translation.
17 EDPB's Recommendations 01/2020, point 52.
EDPB's Recommendations 01/2020, point 99; IMY's translation.
Page 17 of 24The Swedish Privacy Agency Diary number: DI-2020-11368 18(24)
Date: 2023-06-30
required by EU legislation. Depending on the particular circumstances surrounding
the transfer and the assessment made by the law of the third country is required
organizational measures to supplement contractual and/or technical measures
to ensure a level of protection for personal data that is substantially equivalent to that
which is guaranteed within the EU/EEA”. 18
Regarding technical measures, the EDPB points out that “these measures will in particular
be necessary when the legislation of that country imposes obligations on the importer which
contravenes the guarantees in Article 46 of the Data Protection Regulation transfer tools and
which in particular may infringe upon the contractual guarantee of one in all essentials
equivalent protection against the authorities of the third country gaining access to these
tasks". The EDPB thereby states that "the measures specified [in the Recommendations]
are intended to ensure that access to the transmitted data for public
authorities in third countries do not interfere with the expediency of the appropriate
the safeguards in Article 46 of the Data Protection Regulation transfer tool. These
measures would be necessary to guarantee a substantially equivalent
level of protection as that guaranteed within the EU/EEA, even if the public ones
access by the authorities is consistent with the legislation of the importer's country, where such
access in practice goes beyond what is necessary and proportionate in one
democratic society. The purpose of these measures is to prevent potentially unauthorized
access by preventing the authorities from identifying the registered, drag
conclusions about them, point them out in another context or connect the transmitted ones
the data to other data sets which, among other things, may contain network identifiers such as
provided by the devices, applications, tools and protocols used by
20
registered in other contexts".
2.4.2 The Privacy Protection Authority's assessment
2.4.2.1 Applicable Transfer Tool
The investigation shows that Coop and Google have entered into standardized agreements
data protection regulations (standard contract clauses) in the sense referred to in Article
46 for the transfer of personal data to the United States. These clauses are in line with those which
published by the European Commission decision of 4 June 2021 (2021/914/EU)
and thus a transfer tool according to chapter V of the data protection regulation.
2.4.2.2. The legislation and the situation in the third country
As can be seen from the judgment Schrems II, the use of standard contract clauses may require
additional protective measures as a complement. Therefore, an analysis of
the legislation in the relevant third country is made.
However, IMY believes that the analysis that the EU Court has already made in the judgment Schrems II,
which refers to similar conditions, is relevant and up-to-date, and that it can therefore
be added as a basis for the assessment in the case without any further analysis of it
the legal situation in the United States needs to be done.
Namely, Google LLC, as the importer of the data to the United States, must be classified
as a provider of electronic communication services in the sense referred to in 50
US Code § 1881 (b)(4). Google is therefore subject to surveillance by American
intelligence services in accordance with 50 US § 1881a (“702 FISA”) and thus liable
to provide the US government with personal data when 702 FISA is used.
18EDPB's Recommendations 01/2020, point 128; IMY's translation.
19EDPB's Recommendations 01/2020, point 77; IMY's translation.
20EDPB's Recommendations 01/2020, point 79; IMY's translation
Page 18 of 24The Swedish Privacy Agency Diary number: DI-2020-11368 19(24)
Date: 2023-06-30
The EU Court stated in the judgment Schrems II that the American
surveillance programs based on 702 FISA, Executive Order 12333
(hereinafter “E.O. 12333”) and Presidential Policy Directive 28 (hereinafter “PPD-28”) in the
American legislation does not correspond to the minimum requirements that apply in EU law
according to the principle of proportionality. This means that the monitoring programs that are established
on these provisions cannot be considered to be limited to what is strict
necessary. The court also found that the monitoring programs do not provide
the registered rights enforceable against US authorities i
court, which means that these people do not have the right to an effective remedy.
Against this background, IMY notes that the use of the EU Commission's
standard contract clauses are not in themselves sufficient to achieve an acceptable level of protection
for the transferred personal data.
2.4.2.3 Additional protective measures implemented by Google and Coop
The next question is whether Coop has taken sufficient additional protective measures.
As a personal data controller and exporter of the personal data, Coop is obliged to see
to ensure that the rules in the data protection regulation are complied with. This responsibility includes, among other things, that i
each individual case in the case of transfers of personal data to third countries assess which
additional safeguards to be used and to what extent, including that
evaluate if the actions taken by the recipient (Google) and the exporter (Coop)
taken together are sufficient to achieve an acceptable level of protection.
2.4.2.3.1 Google's additional safeguards
Google LLC, as an importer of personal data, has taken contractual,
organizational and technical measures to complement the standard contract clauses.
Google has described these measures in its statement on April 9, 2021.
The question is about the additional protective measures taken by the company and Google LLC
are effective, in other words hindering US intelligence agencies' ability to
access the transferred personal data.
With regard to the contractual and organizational measures, it can be stated that
neither information to users of the Tool (such as Coop), the publication of a
transparency report or a publicly available “Government Request Handling Policy”
impedes or reduces the ability of US intelligence agencies to obtain
access to the personal data. Furthermore, it is unclear how Google LLC's “thorough
examination of each request” on the “legality” of such requests is effective as
additional safeguard, taking into account that also legitimate legal requests from
American intelligence services, according to the European Court of Justice, are not compatible with the requirements of
EU data protection rules.
Regarding the technical measures taken, it can be stated that neither Google
The LLC or the company has clarified how the described measures – such as protection of
communication between Google services, protection of data during transfer between
data center, protection of communications between users and websites or “physical
security” – hinders or reduces the ability of US intelligence agencies to
prepare access to the data with the support of the US regulations.
2Items 184 and 192. Item 259 et seq.
2Regardless of whether such notification would even be permitted under US law.
Page 19 of 24The Swedish Privacy Agency Diary number: DI-2020-11368 20(24)
Date: 2023-06-30
When it comes to encryption technology – e.g. for so-called "data at rest" in data centers,
which Google LLC mentions as a technical measure – has Google LLC as an importer of
personal data nevertheless an obligation to grant access to or hand over imported
personal data held by Google LLC, including any encryption keys
which is required to make the data comprehensible. Thus, such a technical measure can
is not considered effective as long as Google LLC has the ability to access
the personal data in plain text.
Regarding what Google LLC's stated that "to the extent information for measurement i
Google Analytics transmitted by website owners constitutes personal data, they receive
considered to be pseudonymized” it can be stated that universal unique identifiers
(UUID) is not covered by the concept of pseudonymisation in Article 4.5 i
data protection regulation. Pseudonymization can be a privacy-enhancing technique,
but the unique identifiers, as described above, have the specific purpose of distinguishing
user and not to act as protection. In addition, individual identifiable genomes are made
what is stated above about the possibility of combining unique identifiers and others
data (eg metadata from browsers or devices and the IP address) and
the ability to link such information to a Google account for logged-in users.
24
Regarding Google's action "anonymization of IP addresses" in the form of truncation
it is not clear from Google's response if this action takes place before the transfer, or if
the entire IP address is transferred to the USA and shortened only after the transfer to the USA. From
from a technical point of view, it has thus not been shown that there is no potential access to the whole
The IP address before the last octet is truncated.
Against this background, IMY notes that the additional protective measures taken
of Google are not effective, because they do not prevent American
intelligence services' ability to access the personal data or does so
access ineffective.
2.4.2.3.2 Coop's own additional protective measures
Coop has stated that the company has taken additional protective measures in addition to those measures
which Google (truncation of the last octet when transmitting measured data) has taken.
According to the company, these consist of a so-called server side container, set up for the purpose of
extend control over how data is sent to the Tool and means that it
is only one and the same generic IP address transmitted to the Tool, regardless
which the data subject's unique IP address is.
However, IMY finds that these measures are not sufficient for the following reasons.
IMY states that Coop also transmits a number of other unique identifiers (clientID,
userID, gclid and dclid as well as transactionID), the purpose of which is to be able to distinguish it
Complainant at Google. The so-called server side container means that IP number, after that
The IP address that has been collected by Coop (but before the transfer to Google), replaced
with a generic IP number that is the same for all visitors to Coop's website. The
23 See EDPB's Recommendations 01/2020, point 81.
24 IP address truncation means that asterisks or zeros replace other digits in the last octets (the last digits of an IP
25ress, a number between 0 and 255).
IP address truncation means that asterisks or zeros replace other digits in the last octets (the last digits of an IP
address, a number between 0 and 255), which itself can only be one of 256 options. The effect of this action
means that it is still possible to distinguish the IP address from the other IP addresses (255 options), because the IP
the address can be linked with other transferred data (e.g. information about unit and time of visit) to
third country. Masking of the last octet (Google's action) is not an additional privacy-enhancing action other than server side
container, as this action only masks the last octet of an already anonymized IP address.
Page 20 of 24The Swedish Privacy Agency Diary number: DI-2020-11368 21(24)
Date: 2023-06-30
the unique identifiers (clientID, userID, gclid and dclid and transactionID) are also transmitted
via so-called server side container (and the IP anonymization), but is transmitted unchanged
form ie in plain text, which means that these data can be separated and thus can
are connected. IMY states, because it is possible to connect the transferred ones
the data to other data that is also transferred to Google LLC, that they further
the protective measures are not sufficient.
To ensure effective safeguards, all unique identifiers should be transmitted instead
in altered form (i.e. not in plain text) which means that transmitted data cannot be accessed
connect.
Against this background, IMY notes that neither the additional measures which
taken by the company, in addition to the additional measures taken by Google, is sufficient
effective in preventing US intelligence agencies from accessing
the personal data or render such access ineffective.
2.4.2.3.3 The Privacy Protection Authority's conclusion
In light of the above, IMY finds that Coop has not demonstrated that any of the
tools listed in Chapter V of the Data Protection Regulation can be used to transfer
personal data about visitors to its website - in particular unique identifiers, IP-
addresses, browser data and metadata - to Google LLC in the USA.
With this transfer of data, Coop is therefore undermining the level of protection for
personal data of data subjects guaranteed in Article 44 of the Data Protection Regulation.
IMY therefore states that Coop Sverige AB is in breach of Article 44 i
data protection regulation.
3 Choice of intervention
3.1 Legal regulation
In the event of violations of the data protection regulation, IMY has a number of corrective measures
powers to be available according to Article 58.2 a–j of the data protection regulation, among other things
reprimand, injunction and penalty fees.
IMY shall impose penalty fees in addition to or in lieu of other corrective measures
as referred to in Article 58(2), depending on the circumstances of each individual case.
Each supervisory authority must ensure that the imposition of administrative
penalty charges in each individual case are effective, proportionate and dissuasive. The
stated in Article 83.1 of the Data Protection Regulation.
In article 83.2 of the data protection regulation, the factors that must be considered in order to
decide whether an administrative penalty fee should be imposed, but also at
the determination of the amount of the penalty fee. If it is a question of a smaller one
breach will receive the IMY as set out in recital 148 instead of imposing a
penalty fee issue a reprimand according to article 58.2 b of the regulation. Consideration shall
in the assessment, aggravating and mitigating circumstances in the case are taken into account, such as
the nature, severity and duration of the breach and previous breaches of
relevance.
Page 21 of 24The Swedish Privacy Agency Diary number: DI-2020-11368 22(24)
Date: 2023-06-30
According to article 83.5 c of the data protection regulation, in the event of a violation of among article
44 in accordance with 83.2 administrative penalty fees of up to 20 million are imposed
EUR or, in the case of a company, of up to 4% of the total global
the annual turnover during the previous budget year, depending on which value is the highest.
3.2 Should a penalty fee be imposed?
IMY has found above that the transfers of personal data to the USA that take place via
The Google Analytics tool and which Coop is responsible for contravenes Article 44 i
data protection regulation. Violations of that provision may, as stated above,
incur penalty charges. In the current case, it is a question of a serious one
violation which should normally result in a penalty fee.
When assessing in this case whether a penalty fee should be imposed, it must be in the aggravating direction
it is taken into account that the infringement has occurred by Coop transferring a large amount
personal data to third countries where the data cannot be guaranteed the level of protection that
given in the EU/EEA. The treatment has taken place systematically and over a long period of time. After
The European Court of Justice, by judgment on 16 July 2020, rejected the Commission's decision on
adequate level of protection in the USA changed the conditions for transfers of
personal data to the United States. About 3 years have now passed since the judgment was announced and
In the meantime, the EDPB has made recommendations on the consequences of the judgment
for public consultation on 10 November 2020 and in final form on 18 June 2021.
In the mitigating direction, the special situation that arose after must be taken into account
the judgment and the interpretation of the EDPB's recommendations, where there was a gap after
that the transfer tool to the USA according to the Commission's previous decision was rejected by
European Court of Justice. In addition, it must be taken into account that it appears from the investigation that Coop
has made an analysis of the life cycle of personal data in the Tool. Coop has also taken
measures such as a so-called server side container, set up to extend control
over how data is sent to the Tool and which means that there is only one and
the same generic IP address that is transmitted to the Tool, regardless of which one
registrant's unique IP address is. The company has also activated Google's action
"anonymization of IP addresses" through truncation. Coop has thus taken
comprehensive technical measures to try to limit the risks for the data subjects and
to heal the defects. Coop has thereby also believed that they succeeded even though
the measures now proved not to be effective enough to prevent American
intelligence agencies' ability to access the data or to do so
access ineffective.
In a balanced assessment, IMY finds that there is reason to in this case
refrain from imposing a penalty fee on Coop for the established violation and
stop at an injunction to remedy the deficiency.
3.3 Other interventions
It appears from the investigation that the protective measures for the transfer of personal data
as invoked by Coop cannot support the transfer according to Chapter V i
data protection regulation. The transfer thus involves a violation of
the regulation. In order to ensure that the infringement ceases, Coop must be served in accordance with
article 58.2 d of the data protection regulation to ensure that the company's processing of
27 Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 according to the European Parliament and the Council
directive 95/46/EC on whether adequate protection is ensured by the privacy shield in the EU and the United
the states.
Page 22 of 24The Swedish Privacy Agency Diary number: DI-2020-11368 23(24)
Date: 2023-06-30
personal data within the framework of the use of the Google Analytics tool
complies with Article 44 and other provisions of Chapter V. This shall especially
happen by Coop ceasing to use that version of the Google tool
Analytics as used on August 14, 2020, unless adequate safeguards are in place
taken. The measures must be implemented no later than one month after this decision
become final.
___________________
This decision has been taken by the general manager Lena Lindgren Schelin after a presentation
by lawyer Sandra Arvidsson. In the final proceedings, the chief justice also has
David Törngren, unit manager Catharina Fernquist and IT- and
information security specialist Mats Juhlén participated.
Lena Lindgren Schelin, 2023-06-30 (This is an electronic signature)
Page 23 of 24The Swedish Privacy Agency Diary number: DI-2020-11368 24(24)
Date: 2023-06-30
4 Appeal reference
4.1 How to Appeal
If you want to appeal the decision, you must write to the Swedish Privacy Agency. Enter in
the letter which decision you are appealing and the change you are requesting. The appeal shall
have been received by the Privacy Protection Authority no later than three weeks from the day you received it
part of the decision. If the appeal has been received in time, send
The Privacy Protection Authority forwards it to the Administrative Court in Stockholm
examination.
You can e-mail the appeal to the Privacy Protection Authority if it does not contain
any privacy-sensitive personal data or information that may be covered by
secrecy. The authority's contact details appear on the first page of the decision.
Page 24 of 24
