IMY (Sweden) - DI-2020-11373

From GDPRhub
Revision as of 15:20, 6 December 2023 by Ar (talk | contribs) (Ar moved page IMY (Sweden) - 2020-11373 to IMY (Sweden) - DI-2020-11373)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
IMY - 2020-11373
LogoSE.png
Authority: IMY (Sweden)
Jurisdiction: Sweden
Relevant Law: Article 44 GDPR
Article 46 GDPR
Article 60 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 30.06.2023
Published:
Fine: 12,000,000 SEK
Parties: Tele2 Sverige
National Case Number/Name: 2020-11373
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Swedish
Original Source: IMY (in SV)
Initial Contributor: n/a

The Swedish DPA held that by using Google Analytics provided by Google LLC, Tele2 Sverige breached Article 44 GDPR. SCCs and safeguards that were in place could not support data transfers to the US in a way that would not undermine the level of protection of personal data guaranteed by the GDPR.

English Summary

Facts

Tele2 Sverige Aktiebolag (the controller) used Google Analytics tool provided by Google LLC (processor) on its website. For the use of this tool, the controller transferred users’ personal data to the processor, in the US.

In 2020, noyb lodged a complaint against the controller with the Austrian DPA, alleging that the transfer of personal data through the use of Google Analytics tool was in violation of the provisions of Chapter V GDPR.

The complaint was transferred to the Swedish DPA in its quality of lead supervisory authority pursuant to Article 56 GDPR. Following the complaint, the DPA investigated the data transfers from the controller to the US through the use of Google Analytics.

In its defense, the controller explained that the transfer was based on SCC’s concluded with Google Analytics pursuant to Article 46 GDPR and that it put in place additional safeguards. For example, it held that the data transferred was anonymized in such way that the users would not be identifiable.

Holding

Firstly, the DPA assessed whether the data processed through Google Analytics tool constituted personal data and found that it did. Indeed, generic IP address and users’ unique identifiers collected through cookies were transmitted to Google LLC. The DPA outlined that although such unique identifiers would not make the users identifiable in themselves, they could be combined with additional elements and enable to distinguish individual visitors.

Secondly, the DPA held that Tele2 decided to implement the Google Analytics tool on its website for its own analytics purposes. By determining the means and purposes of the processing, Tele2 qualified as the controller.

Thirdly, the DPA assessed the compatibility of the transfer with Article 44 GDPR and if it was supported by a transfer basis under Chapter V GDPR. Referring to CJEU Schrems II judgment, the DPA noted that the use of SCC’s is not in itself sufficient to achieve an acceptable level of protection in the context of data transfers to the US and that an analysis of the national provisions must be carried out. Under national US law, Google LLC, as a provider of electronic communication services is subject to surveillance by the intelligence agencies and is thus obliged to provide the US government with personal data. According to the Schrems judgment, that the DPA considered up-to-date, this legislation doesn’t meet the requirements of EU law.

In conclusion, the DPA found that the transfer of data could not rely on any of the Chapter V tools and that the controller undermined the level of protection of the data subjects’ data, in breach of Article 44 GDPR. Considering that the controller continued using Google Analytics despite the EU recommendations and decisions, without implementing additional safeguards, the DPA imposed a fine of SEK 12,000,000 (approx. €1,000,000).

Comment

See press release from the IMY: https://www.imy.se/nyheter/fyra-bolag-maste-sluta-anvanda-google-analytics/ This complaint is part of noyb's 101 complaints project. This decision was published along with three other decisions. Summaries are available on the hub: CDON, Coop and Dagens.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.

1(23)






                                                                          Tele2 Sverige Aktiebolag
                                                                          Box 62
                                                                          16494 Coffin







Diary number: Decision after supervision according to
DI-2020-11373

                                  data protection regulation – Tele2

Date: Sverige AB's transfer of
2023-06-30
                                  personal data to third countries





                                  The Privacy Protection Authority's decision................................................... ............................2

                                  1 Description of the supervisory matter ............................................... .....................................3
                                         1.1 The processing................................................... ............................................3

                                         1.2 What is stated in the complaint............................................. ..............................3

                                         1.3 What Tele2 has stated ............................................. ......................................4

                                                 1.3.1 Who has implemented the Tool and for what purpose, etc. ........4

                                                 1.3.2 Recipient of the data ............................................. .....................4
                                                 1.3.3 The data processed in the Tool and what constitutes it

                                                 personal data ................................................ ........................................4
                                                 1.3.4 Categories of persons affected by the processing......................6

                                                 1.3.5 When the code for the Tool is executed and recipients are provided with access .6

                                                 1.3.6 How long the processed personal data is stored ......................6

                                                 1.3.7 In which countries the personal data is processed...................................6
                                                 1.3.8 Tele2's relationship with Google LCC ........................................... ..............6

                                                 1.3.9 Ensuring that the processing does not take place for the recipients' own benefit
                                                 purpose ................................................ ................................................... .6

                                                 1.3.10 Description of the company's use of the Tool........................7

                                                 1.3.11 Own checks on transfers affected by the judgment Schrems II7

                                                 1.3.12 Transfer tool according to chapter V of the data protection regulation .......7

                                                 1.3.13 Control of obstacles to enforcement in legislation in third countries............7
Postal address: 1.3.14 Additional security measures taken in addition to those taken by Google
Box 8114
104 20 Stockholm .............................................. ................................................ .................8
                                         1.4 What Google LCC has stated............................................. ............................8
Website:
www.imy.se 2 Justification of the decision............................................ ................................................ .......9
E-mail:
imy@imy.se 2.1 The framework for the review............................................ ........................................9

Telephone: 2.2 It is a matter of processing personal data................................... .....9
08-657 61 00


                                                                  Page 1 of 23The Swedish Privacy Agency Diary number: DI-2020-11373 2(23)
                                    Date: 2023-06-30






                                                     2.2.1 Applicable regulations, etc. ................................................... .....9

                                                     2.2.2 The Privacy Protection Authority's assessment...................................10

                                            2.3 Tele2 is the personal data controller for the processing...................................13

                                            2.4 Transfer of personal data to third countries............................................. ....14

                                                     2.4.1 Applicable regulations, etc. ................................................ ...14

                                                     2.4.2 The Privacy Protection Authority's assessment...................................16
                                    3 Choice of intervention................................................... ................................................ .......19

                                            3.1 Legal regulation................................................ ..........................................19

                                            3.2 Should a penalty fee be imposed?............................................ ..........................20

                                    4 Appeal reference ................................................ ..........................................22

                                            4.1 How to appeal .............................................. ........................................22























































                                                                       Page 2 of 23The Swedish Privacy Agency Diary number: DI-2020-11373 3(23)
                               Date: 2023-06-30






                               The Privacy Protection Authority's decision


                               The Privacy Protection Authority states that Tele2 Sverige Aktiebolag processes
                               personal data in violation of Article 44 of the Data Protection Regulation by under

                               the period August 14, 2020 through May 2023 use the Google tool
                               Analytics, provided by Google LLC, on its website www.tele2.se, and
                               thereby transferring personal data to third countries without the conditions according to chapter V i

                               regulation are met.

                               IMY decides with the support of article 58.2 and 83 of the data protection regulation that Tele2

                               Sweden Aktiebolag must pay an administrative sanction fee of 12 million (twelve
                               million) kroner for violation of Article 44 of the data protection regulation.


                               1 Description of the supervisory matter


                               1.1 The processing


                               The Swedish Privacy Protection Agency (IMY) has started supervision of Tele2 Sweden
                               Limited company (hereinafter Tele2 or the company) due to a complaint. The complaint
                               applies to an alleged violation of the provisions of Chapter V i

                               data protection regulation linked to the transfer of the complainant's personal data to
                               third country. The transfer allegedly took place when the complainant visited the company's website,
                               www.tele2.se (hereinafter "Tele2's website" or "Website") through the tool
                               Google Analytics (hereinafter the Tool) provided by Google LLC.


                               The complaint has been handed over to IMY, in its capacity as the responsible supervisory authority according to
                               Article 56 of the Data Protection Regulation. The handover has taken place from the supervisory authority

                               in the country where the complainant has filed his complaint (Austria) in accordance with
                               the regulation's provisions on cooperation in cross-border processing.


                               The proceedings at IMY have taken place through an exchange of letters.

                               1.2 What is stated in the complaint


                               The complaint essentially states the following.

                               On August 14, 2020, the complainant visited Tele2's website. During the visit,

                               the complainant signed in to his Google account, which is linked to the complainant's email address.
                               The company had implemented a Javascript code for Google services on its website,
                               including Google Analytics. In accordance with clause 5.1.1 b of the terms of Google's

                               processing of personal data for Google's advertising products and also Google's terms and conditions
                               for processing "the New Order Data Processing Conditions for Google Advertising
                               Products" Google processes personal data of the data controller (i.e.

                               the company's) account. Google LLC must therefore, according to the above-mentioned conditions, be classified as
                               the company's personal data assistant.


                               During the complainant's visit to the company's website, the complainant was treated
                               personal data of Tele2, at least the complainant's IP address and data collected
                               through cookies. Some of the data collected was transferred directly to Google. IN


                               1
                               regarding the processing of personal data and about the free flow of such data and about the cancellation of avr med
                               directive 95/46/EC (General Data Protection Regulation).



                                                             Page 3 of 23The Swedish Privacy Agency Diary number: DI-2020-11373 4(23)
                                Date: 2023-06-30






                                in accordance with clause 10 of the terms on the processing of personal data for Googles

                                advertising products, Tele2 has approved that Google may process personal data about
                                the appellant in the United States. Such transfer of data requires legal support in accordance with

                                chapter V of the data protection regulation.

                                According to the judgment of the European Court of Justice Facebook Ireland and Schrems (Schrems II), 2

                                the company can no longer rely on a decision on an adequate level of protection for the transfer of
                                data to the United States according to Article 45 of the Data Protection Regulation. The company should not base

                                the transfer of data on standardized data protection regulations according to article
                                46.2 c of the data protection regulation if the recipient country does not ensure adequate protection
                                with regard to Union law for the personal data that is transferred.



                                Google shall be classified as a provider of electronic communications services in it
                                meaning referred to in 50 US Code § 1881 (4)(b) and is thus subject to surveillance
                                by US intelligence agencies in accordance with 50 US § 1881a (section 702 i
                                                                                           3
                                Foreign Intelligence Surveillance Act, hereinafter “702 FISA”). Google provides it
                                US government with personal data in accordance with these regulations.

                                The company cannot therefore ensure adequate protection of the complainant's personal data
                                when these are transferred to Google.


                                1.3 What Tele2 has stated


                                Tele2 Sverige Aktiebolag has essentially stated the following.


                                1.3.1 Who has implemented the Tool and for what purpose, etc.
                                Tele2 has made the decision to implement Google Analytics (the "Tool") on
                                The website, which has happened by embedding the code for the Tool on

                                The website. The Company began decommissioning the version of the Tool covered by
                                IMY oversight in spring 2022 and stopped using that version in June 2023

                                but have not been able to give an exact date for this. The company is established in Sweden and
                                has not made such a decision for any other European site.


                                The purpose of using the Tool is to be able to compile and analyze
                                statistics regarding visits to the Website.


                                The statistics regarding the visits to the Website obtained via the Tool have only
                                evaluated by Tele2 in Sweden.


                                There is no option to make any choices in the Tool's settings

                                transfer of data to the United States.

                                1.3.2 Recipient of the data

                                Within the framework of Tele2's use of the Tool on the Website, information is provided
                                out to a number of actors, all of whom are personal data assistants or sub-assistants to

                                the company, including Google LLC, Google Ireland Ltd and their subsidiaries.







                                2 ECJ judgment Facebook Ireland and Schrems (Schrems II), C-311/18, EU:C:2020:559.
                                3See https://www.govinfo.gov/content/pkg/USCODE-2011-title50/html/USCODE-2011-title50-chap36-subchapVI-
                                sec1881.htm and https://www.govinfo.gov/content/pkg/USCODE-2011-title50/html/USCODE-2011-title50-chap36-
                                subchapVI-sec1881a.htm.



                                                              Page 4 of 23The Swedish Privacy Agency Diary number: DI-2020-11373 5(23)
                               Date: 2023-06-30






                               1.3.3 The data processed in the Tool and what constitutes it
                               personal data

                               The information processed by Tele2 and Google within the framework of the Tool
                               includes (i) information about the visit to the Website, e.g. which pages are displayed or
                               which clicks are made, (ii) information about the device calling the Website and (iii)

                               information in the cookie (_ga cookie) which consists of the Client ID.

                               Tele2 uses the Verktyget service to analyze statistics regarding visits to
                               the website www.tele2.se. All statistics and reports generated via the Tool

                               is produced at an aggregate level and cannot be used to directly or indirectly
                               identify any natural person.


                               Production of statistics and reports via the Tool is made possible by cookies
                               used on the Website. If a visitor to the Website has agreed to
                               cookies are used, a cookie is placed in the visitor's browser. The information that

                               processed through use of the Tool thus consists of the following categories:
                               (i) information about the visit to the Website, e.g. which pages are displayed or which clicks
                               that is done, (ii) information about the entity visiting the Website and (iii) information

                               in the cookie (_ga cookie) which is made up of the Client ID.

                               (i) The information about the visit to the Website

                               Information regarding the visit to the Website does not in itself contain any information
                               which can be used to directly or indirectly identify any natural person, i.e. one
                               a page view or a click constitutes completely anonymous information in itself.


                               (ii) Information about the entity visiting the Website
                               Information about the device that calls and visits the Website consists of e.g. of

                               which type of browser and which IP address is used during the visit. As for the IP
                               addresses nowadays static IP addresses are used only by a few companies and
                               organizations. Otherwise, exclusively dynamic IP addresses are used for everyone

                               consumers. A dynamic IP address simply means that a device is assigned an IP
                               address at each connection to the Internet and the device is then assigned completely new IP
                               addresses on subsequent connection occasions. A device is not necessarily a computer,

                               mobile phone or a tablet but can in many cases be a router or other
                               device that then multiple computers, mobiles or tablets connect to and the IP address
                               can therefore not be derived to the computer, mobile phone or tablet but to the router.
                               To be able to indirectly identify a person using a dynamic IP address is required

                               that it is supplemented with a time when it was used and that additionally
                               information is collected about who has been assigned the IP address from the visitor
                               internet provider.


                               In the Tool, the IP address is only used for the purpose of analyzing statistics regarding
                               the visits to a website. For that purpose, a user of the Tool should not

                               possess any legal means according to Swedish law that make it possible to collect them
                               supplementary information required to be able to indirectly identify a physical
                               person.


                               The IP address collected through the Tool is also anonymized in principle
                               immediately after the collection by the numbers after the last point of the IP address

                               is replaced by 0 (eg 192.169.0.100 becomes 192.168.0.0). Such IP anonymization
                               takes place at the earliest possible stage during the collection process and the full IP
                               the address is never saved or processed on disk. For more information about anonymization





                                                             Page 5 of 23The Swedish Privacy Agency Diary number: DI-2020-11373 6(23)
                               Date: 2023-06-30






                               of IP address in the Tool, see
                               https://support.google.com/analytics/answer/2763052?hl=en.


                               Anonymization of the IP address thus means that the user of the Tool never has
                               access to the full IP address and there are then no aids like one
                               users of the Tool can reasonably use to indirectly identify a physical

                               person (cf. consideration clause 26 in the GDPR) with the consequence that the risk of identification in practice
                               can be considered negligible.


                               (iii) Information in _ga cookie
                               The information that is processed through the use of the _ga cookie consists of a
                               Client ID. The Client ID consists of a random number with a timestamp that

                               is saved in the _ga cookie. This Client ID can be used to see about a browser
                               has previously connected to the Website. However, Tele2 cannot use Client ID
                               individually or together with an anonymized IP address to directly or indirectly

                               identify a natural person.

                               Due to the above, Tele2 believes that Tele2 can be called into question at all

                               processes and transfers personal data to third countries. Taking into account that some uncertainty
                               may be considered to exist in relation to the legal assessment of the aforementioned conditions,
                               for precautionary reasons, Tele2 has chosen to apply the rules in the data protection regulation for them

                               information processed within the framework of the Tool.

                               1.3.4 Categories of persons affected by the processing

                               The information concerns visitors to the Website. No particular categories of
                               personal data as defined in Article 9.1 of the Data Protection Regulation is processed
                               within the framework of the Tool. Tele2 cannot use the Tool to identify different categories

                               of people visiting the Website. The website is aimed neither at children, nor
                               any other special category of registrants and visitors to the Website needs
                               do not enter any age, or any other personal data that is processed in the Tool.


                               1.3.5 When the code for the Tool is executed and recipients are provided access
                               The tool is activated and cookies are placed in the user's browser after

                               the visitor has given his consent to the use of cookies. Anonymization of IP
                               address occurs at the earliest possible stage during the collection process and the complete
                               The IP address is never saved or processed on disk by Google
                               (https://support.google.com/analytics/answer/2763052?hl=en&ref_topic=2919631).


                               1.3.6 How long the personal data processed is stored

                               During the time the Tool is used, a storage period of up to 26 months can be set
                               The tool. If the agreement for the Tool ceases to apply, Google undertakes according to
                               the personal data processor agreement to delete personal data in the Tool as soon as it
                               is practically possible after the termination of the agreement, but no later than within 180 days.


                               1.3.7 In which countries the personal data is processed
                               According to the information Tele2 has received from Google, the visitor's IP

                               address of the data center closest to where the visitor connects from.
                               According to the terms of the agreement with Google, Google can process within the framework of the Tool
                               the data in i.a. USA.


                               1.3.8 Tele2's relationship with Google LCC
                               Tele2 considers Google as a personal data processor for the processing that takes place within

                               the framework of the Tool ie. Google processes the information in the Tool only for



                                                            Page 6 of 23The Swedish Privacy Agency Diary number: DI-2020-11373 7(23)
                               Date: 2023-06-30






                               Tele2's bill. This is also supported by the agreement between Tele2 and Google regarding
                               The Tool and the personal data processor agreement that applies to the Tool.


                               1.3.9 Ensuring that the processing does not take place for the recipients' own purposes
                               Pursuant to clause 5.3 of the personal data processing agreement with Google, Google may only
                               process personal data in accordance with Tele2's instructions. Tele2's use of

                               The tool means that IP addresses are anonymized at the earliest possible stage during
                               the collection process and that the full IP address is never saved or
                               processed on disk by Google. This means that Google cannot process it

                               the full IP address for own or third party purposes.

                               1.3.10 Description of the company's use of the Tool

                               Tele2 uses the Tool to analyze statistics regarding visits to
                               The website. All statistics and reports generated via the Tool are produced on
                               aggregate level and no action is taken in relation to individual visitors on

                               The website within the framework of the Tool.

                               1.3.11 Own checks on transfers affected by the Schrems II judgment

                               After the Schrems II verdict, Tele2 initiated internal work to review all of them
                               international data transfers in Tele2's operations. This review has also covered
                               The tool.


                               Tele2 has had an ongoing dialogue with Google which has meant that since 12
                               August 2020, the transfer of data to Google in the USA has been based on

                               standard contractual clauses for data protection adopted by the Commission. Because the EU
                               the court in the judgment Schrems II held that the legislation covered by Google i
                               The US does not correspond to the level of protection found in European data protection legislation, so it is

                               supplementary protective measures necessary when using them
                               standard contractual clauses for data protection adopted by the Commission.


                               In the dialogue with Google, Tele2 has therefore discussed which additional protective measures are
                               may be taken in relation to the Tool. It has then been established that the protective measures
                               used in relation to the Tool is IP anonymisation (which has been enabled

                               by Tele2 ever since the Tool was introduced). In addition, Google has ISO270001 certification for
                               The tool and Google also use different encryption solutions in connection with
                               The Tool and the Transfer of Data to the United States.


                               1.3.12 Transfer tool according to chapter V of the data protection regulation
                               To the extent that personal data is transferred to the United States, the transfer is based on Article 46.2 c i

                               data protection regulation (standard contractual clauses for data protection adopted by
                               the Commission). Standard contractual clauses apply to the data transfer in the Tool.
                               The standard contract clauses are not signed by the parties but are included as part of

                               the personal data processor agreement with Google by reference to these
                               standard contractual clauses in clause 10.2 of the personal data processor agreement.


                               1.3.13 Control of obstacles to enforcement in legislation in third countries
                               In the EDPB's recommendation 01/2020, it is stated, among other things, that pseudonymisation and
                               anonymization are such additional safeguards that may be taken to achieve a

                               level of protection equivalent to that found in Europe and thus enable a transfer
                               of personal data to the United States based on standard data protection contractual clauses that
                               adopted by the Commission.






                                                            Page 7 of 23The Swedish Privacy Agency Diary number: DI-2020-11373 8(23)
                               Date: 2023-06-30






                               Tele2's assessment, based on the additional protective measures used in connection
                               with the Tool, is therefore that the data is adequately protected and that
                               the level of protection then corresponds to that found in European data protection legislation.


                               Tele2 has checked that the supplementary protective measures taken can
                               implemented in practice and that there is nothing in third country legislation which

                               prevents the recipients there from implementing the measures to ensure that the level of
                               data protection for natural persons guaranteed within the EU/EEA is not undermined.


                               1.3.14 Additional safeguards taken in addition to those taken by Google
                               Tele2 has set IP anonymization for the Tool.


                               1.4 What Google LCC has stated

                               IMY has added to the case an opinion from Google LLC (Google) on April 9, 2021 which

                               Google submitted to the Austrian supervisory authority. The statement answers questions
                               which IMY and a number of supervisory authorities have asked Google due to in part
                               joint handling of similar complaints received by these authorities.

                               Tele2 has been given the opportunity to comment on Google's statement. By Google's opinion
                               the following appears about the Tool.


                               A JavaScript code is included on a web page. When a user visits (calls) a
                               web page, the code triggers a download of a JavaScript file. Then performed
                               the tracking operation of the Tool, which consists of collecting information related to

                               to the call in different ways and send the information to the Tool's servers.

                               A website administrator who has integrated the Tool on his website can send

                               instructions to Google for processing the data collected. These
                               instructions are transmitted via the so-called tag manager that handles it
                               tracking code that the webmaster has integrated into his website and via

                               tag manager settings. Whoever integrated the Tool can do different things
                               settings, for example regarding storage time. The tool also makes it possible for it
                               which integrated it to monitor and maintain the stability of its website,
                               for example by staying informed about events such as peaks in visitor traffic

                               or lack of traffic. The tool also enables a website administrator to
                               measure and optimize the effectiveness of advertising campaigns carried out using
                               other tools from Google.


                               In this context, the Tool collects the visitor's http calls and information about
                               including the visitor's browser and operating system. According to Google, contains one

                               http calls for any page information about the browser and device making
                               the call, such as domain name, and information about the browser, such as type,
                               reference and language. The tool stores and reads cookies in the visitor's browser in order to

                               evaluate the visitor's session and other information about the call. Through these
                               cookies enable the Tool to identify unique users (UUID) over
                               browsing sessions, but the Tool cannot identify unique users in different browsers

                               or units. If a website owner's website has its own authentication system
                               can the website owner use the ID feature, to more accurately identify one
                               users on all the devices and browsers they use to access

                               the website.

                               When the information is collected, it is transferred to the Tool's servers. All data that

                               collected via The tool is stored in the United States.



                                                             Page 8 of 23The Swedish Privacy Agency Diary number: DI-2020-11373 9(23)
                               Date: 2023-06-30






                               Google has introduced, among other things, the following contractual, organizational and
                               technical safeguards to regulate transfers of data within the framework of
                               The tool.


                               Google has taken contractual and organizational safeguards such as to
                               the company always conducts a thorough examination of a request for access from government
                               authorities on user data can be implemented. It is lawyers/specially trained

                               staff conducting these trials and investigating whether such a request is
                               compliant with applicable laws and Google's guidelines. Those registered are informed
                               the disclosure, unless prohibited by law or would adversely affect one
                               emergency. Google has also published a policy on the company's website about how a

                               such requests for access by governmental authorities of user data shall be implemented.

                               Google has taken technical protective measures such as protecting personal data from

                               interception when transferring data in the Tool. By default using HTTP
                               Strict Transport Security (HSTS), which instructs browsers as http to SSL (HTTPS)
                               to use an encryption protocol for all communications between end users,
                               websites and the Tool's servers. Such encryption prevents intruders from

                               passively listen to communications between websites and users.

                               Google also uses an encryption technology to protect personal data, so-called “data in

                               rest" ("data at rest") in data centers, where user data is stored on a disk or
                               backup media to prevent unauthorized access to the data.


                               In addition to the above measures, website owners can use IP anonymization through
                               to use the settings provided by the Tool to limit Google's
                               use of personal data. Such settings include above all that in the code
                               for the Tool enable IP anonymization, which means that IP addresses are truncated and

                               contributes to data minimization. If the IP anonymization service is fully used occurs
                               the anonymization of the IP address almost immediately after the request has been received.


                               Google also restricts access to the data from the Tool through authorization control
                               as well as by all personnel having undergone training regarding
                               information security.


                               2 Justification of the decision


                               2.1 The framework for the review


                               Based on the complaint in the case, IMY has only examined whether Tele2 transmits
                               personal data to the third country USA within the framework of Tele2's use of the Tool
                               and if Tele2s has legal support for it in chapter V of the data protection regulation. Supervision
                               does not include whether Tele2's personal data processing is otherwise compatible with

                               data protection regulation.

                               2.2 This concerns the processing of personal data


                               2.2.1 Applicable regulations, etc.
                               In order for the data protection regulation to be applicable, it is required that personal data

                               treated.

                               According to Article 1.2, the Data Protection Regulation aims to protect the data of natural persons
                               fundamental rights and freedoms, in particular their right to the protection of personal data.



                                                             Page 9 of 23The Swedish Privacy Agency Diary number: DI-2020-11373 10(23)
                                 Date: 2023-06-30







                                 According to Article 4.1 of the regulation, personal data is "any information relating to a
                                 identified or identifiable natural person (hereinafter referred to as a data subject), whereby a

                                 identifiable natural person is a person who can be directly or indirectly specifically identified
                                 referring to an identifier such as a name, an identification number, a
                                 location data or online identifiers or one or more factors that are

                                 specific to the natural person's physical, physiological, genetic, psychological,
                                 economic, cultural or social identity'. To determine whether a natural person is

                                 identifiable, one should consider all the aids that, either of it
                                 personal data controller or by another person, may reasonably be used
                                 to directly or indirectly identify the natural person (reason 26 to

                                 data protection regulation).


                                 The term personal data can include all information, both objective and
                                 subjective information, provided that it "refers" to a specific person, which
                                 they do if, due to their content, purpose or effect, they are linked to the person.  4


                                 The word "indirectly" in Article 4.1 of the Data Protection Regulation indicates that it is not necessary

                                 that the information itself makes it possible to identify the registered person for that to be
                                 a personal data. Recital 26 of the data protection regulation also states that in order to

                                 determine whether a natural person is identifiable, all aids, such as e.g. thinning
                                 ("singling out" in the English language version), which, either of it
                                 personal data controller or by another person, may reasonably be used

                                 to directly or indirectly identify the natural person, is taken into account. To determine
                                 if aids can with reasonable probability be used to identify it

                                 the natural person should all objective factors, such as costs and time consumption for
                                 identification, taking into account both available technology at the time of processing,
                                 considered. It is clear from Article 4.5 of the regulation that pseudymisation is meant

                                 processing of personal data in a way that means that the personal data does not
                                 longer can be attributed to a specific data subject without the use of supplementary information,

                                 provided that this additional information is kept separately and is subject
                                 for technical and organizational measures that ensure that the personal data does not
                                 attributed to an identified or identifiable natural person.


                                 So-called "web identifiers" (sometimes referred to as "online identifiers") - e.g. IP addresses or

                                 information stored in cookies – can be used to identify a user,
                                 especially when combined with other similar types of information. According to recital 30 to

                                 data protection regulation, natural persons can be linked to online identifiers provided by
                                 their equipment, e.g. IP addresses, cookies or other identifiers. This can leave behind
                                 traces that, especially in combination with unique identifiers and other data such as

                                 collected, can be used to create profiles of natural persons and identify them.


                                 In the Breyer judgment, the European Court of Justice has determined that a person is not considered identifiable through
                                 some information about the risk of identification in practice is negligible, which it is
                                 identification of the relevant person is prohibited by law or impossible to carry out i
                                           6
                                 practice. However, the European Court of Justice has in the judgment M.I.C.M. from 2021 and in the judgment Breyer struck
                                 provided that dynamic IP addresses constitute personal data in relation to the person who

                                 processes them, when he also has a legal opportunity to identify the holders of






                                 4 ECJ judgment Nowak, C-434/16, EU:C:2017:994, paragraphs 34–35.
                                 5 CJEU judgment Breyer, C-582/14, EU:C:2016:779, paragraph 41.
                                 6 CJEU judgment Breyer, C-582/14, EU:C:2016:779, paragraphs 45–46.



                                                               Page 10 of 23The Swedish Privacy Agency Diary number: DI-2020-11373 11(23)
                                Date: 2023-06-30







                                the internet connections using the additional information provided by third parties
                                dispose of.7


                                2.2.2 The Privacy Protection Authority's assessment
                                To determine whether the information processed through the Tool constitutes personal data

                                shall IMY take a decision on whether Google or Tele2 through the implementation of the Tool
                                can identify individuals, e.g. the complainant, when visiting the Website or about the risk of
                                it is negligible. 8


                                IMY considers the data processed to be personal data for the following reasons.


                                The investigation shows that Tele2 implemented the Tool by inserting a
                                JavaScript code (a tag), entered by Google in the source code of the Website. While

                                the page is loaded in the visitor's browser, the JavaScript code from Google LLC's is loaded
                                servers and run locally in the visitor's browser. A cookie is inserted at the same time

                                the visitor's browser and saved on the computer. The cookie contains a text file that collects
                                information about the visitor's operation on the Website. Among other things, a
                                unique identifier in the value of the cookie and this unique identifier is generated and

                                managed by Google.


                                When the complainant visited the Website, or a sub-page of the Website, was transmitted
                                the following information via JavaScript code from the complainant's browser to Google
                                LLC's servers:


                                    1. Unique identifier(s) that identified the browser or device used

                                         to visit the Website as well as a unique identifier that identifies Tele2
                                         (ie Tele2's account ID for Google Analytics).
                                    2. Web address (URL) and HTML title of the website and web page that

                                         the appellant has visited.
                                    3. Information about browser, operating system, screen resolution,

                                         language setting and date and time of access to the Website.
                                    4. Complainant's IP address.


                                During the appellant's visit (according to point 1 above) said identifier was put in cookies with
                                the names "_gads", "_ga" and "_gid" and subsequently transferred to Google LLC. These
                                identifiers have been created with the aim of being able to distinguish individual visitors, such as

                                the appellant. The unique identifiers thus make the visitors to the Website
                                identifiable. Although such unique identifiers (as per 1 above) would not in themselves be considered

                                make individuals identifiable, however, it must be considered that these unique identifiers in it
                                the current case can be combined with additional elements (according to points 2-4 above)
                                and that it is possible to draw conclusions in relation to information (according to the points

                                2–4 above) which means that information constitutes personal data, regardless of whether the IP address is not
                                transferred in its entirety.


                                If information is combined (according to points 1–4 above), it means that individual visitors on
                                The site becomes even more distinguishable. It is thus possible to identify

                                individual visitors of the Website. That in itself is enough for it to be considered
                                personal data. It does not require knowledge of the actual visitor's name or

                                physical address, because the differentiation (through the word "thinning" in recital 26 i


                                7 CJEU judgment M.I.C.M, C-597/19, EU:C:2021:492, paragraphs 102–104 and judgment Breyer, C-582/14,
                                EU:C:2016:779, paragraph 49.
                                8 See the Court of Appeal in Gothenburg's judgment of 11 November 2021 in case no. 2232-21, with the agreement of the sub-instance
                                assessment.



                                                              Page 11 of 23The Swedish Privacy Agency Diary number: DI-2020-11373 12(23)
                                 Date: 2023-06-30







                                 the data protection regulation, "singling out" in the English version) in itself is sufficient for
                                 to make the visitor indirectly identifiable. It is also not required that Google or Tele2 have

                                 for the purpose of identifying the appellant, but the opportunity to do so is in itself sufficient for
                                 to determine whether it is possible to identify a visitor. Objective aids such as
                                 can reasonably be used either by the personal data controller or by someone

                                 other, are all aids that can reasonably be used for the purpose of identifying the appellant.
                                 Examples of objective aids that can reasonably be used are access to additional

                                 information with a third party that would make it possible to identify the complainant with
                                 taking into account both available technology at the time of identification as well as cost
                                 (the time required) for the identification.


                                 IMY states that the European Court of Justice, through the judgment M.I.C.M. and the Breyer ruling stated that

                                 dynamic IP addresses constitute personal data in relation to the person who processes them,
                                 when he also has a legal opportunity to identify the holders of
                                 the internet connections using the additional information provided by third parties

                                 dispose of. IP addresses do not lose their character of being personal data alone
                                 due to the fact that the means of identification are with third parties. The Breyer ruling and

                                 The M.I.C.M judgment should be interpreted based on what is actually stated in the judgments ie. that about it
                                 there is a legal possibility to gain access to supplementary information for the purpose of

                                 identify the appellant it is objectively clear that there is a “means which reasonably can
                                 will be used' to identify the complainant. According to IMY, the judgments should not be read
                                 on the contrary, in the way that a legally regulated possibility to gain access must be demonstrated

                                 to data that can link IP addresses to natural persons so that the IP addresses will
                                 considered to be personal data. An interpretation of the concept of personal information which means that

                                 it must always be demonstrated a legal possibility to link such data to a physical
                                 person would, according to IMY, mean a significant limitation of the regulation
                                 protection area, and open up possibilities to circumvent the protection in the regulation. This one

                                 interpretation would, among other things, be contrary to the purpose of the regulation according to Article 1.2 i
                                 data protection regulation. The Breyer judgment was decided under previously applicable directives

                                 95/46 and the concept of "singling out" according to recital 26 of the current regulation (that it does not
                                 knowledge of the actual visitor's name or physical address is required, because
                                 the distinction itself is sufficient to make the visitor identifiable), was not specified in

                                 previously applicable directives as a method for identifying personal data.


                                 In this context, other information is also added (according to points 1–3 above) such as IP
                                 the address can be combined with to enable identification. Google action
                                 regarding truncation of an IP address means that it is still possible to distinguish IP-

                                 the address, as it can be combined with other data transferred to
                                 third country (to the USA). This enables identification, which in itself is sufficient to

                                 the data together shall constitute personal data.


                                 In addition, several other supervisory authorities within the EU/ESS have decided that the transfer of
                                 personal data to third countries has occurred when using the Tool because it

                                 it has been possible to combine IP addresses with other data (according to points 1–3
                                 above), and thereby enabled differentiation of data and identification of IP address,





                                 9 ECJ judgment M.I.C.M, C-597/19, EU:C:2021:492, paragraphs 102-104 and Breyer judgment, C-582/14
                                 EU:C:2016:779, paragraph 49.
                                 10 IP address truncation means that asterisks or zeros replace other digits in the last octets (the last digits of an IP
                                 address, a number between 0 and 255), which itself can only be one of 256 options. The effect of this action
                                 means that it is still possible to distinguish the IP address from the other IP addresses (255 options), because the IP
                                 the address can be linked with other transferred data (e.g. information about unit and time of visit) to
                                 third country.



                                                                Page 12 of 23The Swedish Privacy Agency Diary number: DI-2020-11373 13(23)
                               Date: 2023-06-30







                               which in itself is sufficient to determine that it is a matter of treatment of
                               personal data. 11


                               IMY notes that there may also be reasons to compare IP addresses with
                               pseudonymised personal data. Pseudonymization of personal data means

                               according to article 4.5 of the data protection regulation that the data - similar to dynamic IP
                               addresses - cannot be directly attributed to a specific data subject without supplementary
                               data is used. According to recital 26 of the data protection regulation, such data should

                               considered to be information about an identifiable natural person.


                               A narrower interpretation of the concept of personal data would undermine, according to IMY
                               the scope of the right to the protection of personal data, which is guaranteed in Article 8 i
                               The Charter of Fundamental Rights of the European Union, because it would

                               make it possible for personal data controllers to specifically single out individuals together
                               with personal data (eg when they visit a certain website) at the same time as individuals

                               are denied the right to protection against the dissemination of such information about them. Such an interpretation would
                               undermine the level of protection for individuals and would not be compatible with the wide
                               scope given by the data protection rules in the practice of the EU Court of Justice. 12


                               Tele2 has also, by the fact that the complainant was logged in to his Google account at

                               the visit to the Website, processed information where conclusions could be drawn about it
                               individual based on their registration with Google. It appears from Google's statement that
                               implementation of the Tool on a website makes it possible to obtain information about

                               a user of a Google account (ie a registrant) has visited the website in
                               question. Google does state that certain conditions must be met for Google to
                               be able to receive such information, e.g. that the user (complainant) has not deactivated

                               processing and display of personal advertisements. Because the appellant was logged in
                               in their Google account when visiting the Website, Google can therefore still have

                               had the opportunity to receive information about the logged-in user's visits to
                               The website. The fact that it does not appear from the complaint that no personal
                               ads have been shown, does not mean that Google cannot obtain information about the logged in person

                               the user's visit to the Website.


                               IMY finds against the background of the unique identifiers that can identify the browser
                               or the device, the ability to derive the individual through his Google account, they
                               the dynamic IP addresses as well as the possibility to combine these with additional ones

                               information that Tele2's use of the Tool on a web page involves processing of
                               personal data.


                               2.3 Tele2 is the personal data controller for the processing


                               Personal data controller is, among other things, a legal person who alone or
                               together with others determines the purposes and means of the processing of

                               personal data (Article 4.7 of the Data Protection Regulation). Personal data assistant is among
                               another, a legal entity that processes personal data for it
                               account of the personal data controller (Article 4.8 of the data protection regulation).





                               11Austrian supervisory authority (Datenschultzbehörde) decision of 22 April 2022 regarding complaint Google
                               Analytics represented by NOYB with local case number 1354838270, French regulatory authority (CNIL) decision
                               of February 10, 2022 represented by NOYB and the Italian Supervisory Authority (Garante) decision of June 9, 2022
                               regarding complaint Google Analytics represented by NOYB, local case number 9782890.
                               12 See, for example, the judgment of the European Court of Justice Latvijas Republikas Saeima (Points de pénalité), C-439/19, EU:C:2021:504,
                               paragraph 61, judgment Nowak, C-434/16, EU:C:2017:994, paragraph 33 and judgment Rijkeboer, C-553/07, EU:C:2009:293, paragraph 59.



                                                             Page 13 of 23The Swedish Privacy Agency Diary number: DI-2020-11373 14(23)
                                Date: 2023-06-30






                                The answers that Tele2 gives show that the company has made the decision to implement

                                The tool on the Website. Furthermore, it appears that Tele2's purpose for this was that the company
                                must be able to analyze how the Website is used, in particular to be able to follow
                                the use of the website over time.


                                IMY finds that Tele2 by deciding to implement the Tool on the Website i
                                said purpose has established the purposes and means of the collection and it

                                the subsequent transfer of this personal data. Tele2 is therefore
                                personal data controller for this processing.


                                2.4 Transfer of personal data to third countries


                                The investigation shows that the data collected via the Tool is stored by Google
                                LLC in the United States. Thus, the personal data collected via the Tool is transferred to the United States.


                                The question is therefore whether Tele2's transfer of personal data to the USA is compatible with
                                Article 44 of the Data Protection Regulation and has legal support for it in Chapter V.


                                2.4.1 Applicable regulations, etc.
                                According to article 44 of the data protection regulation, which has the title "General principle for

                                transfer of data", includes the transfer of personal data that is under
                                processing or are intended to be processed after they have been transferred to a third country –
                                i.e. a country outside the EU/EEA - only take place under the condition that it

                                personal data controller and the personal data assistant, subject to others
                                provisions of the data protection regulation, meet the conditions in chapter V. All

                                provisions of said chapter shall be applied to ensure that the level of protection
                                of natural persons ensured by the data protection regulation is not undermined.


                                Chapter V of the data protection regulation contains tools that can be used for transfers
                                to third countries to ensure a level of protection essentially equivalent to that which
                                guaranteed within the EU/EEA. It can e.g. be transfer supported by a decision on

                                adequate level of protection (Article 45) and transfer covered by appropriate
                                protective measures (Article 46). There are also exceptions for special situations (Article 49).


                                In the judgment Schrems II, the Court of Justice of the European Union has annulled that decision on adequacy
                                level of protection that previously applied to the United States. Because a decision on adequate

                                level of protection since July 2020 is missing, transfers to the US may not be based on Article 45.

                                Article 46.1 provides, among other things, that in the absence of a decision in accordance with Article

                                45.3 a personal data controller or a personal data assistant may only transfer
                                personal data to a third country after taking appropriate safeguards, and on
                                conditions that statutory rights of registered and effective remedies for

                                registered are available. Article 46.2 c stipulates that such suitable
                                safeguards may take the form of standardized data protection regulations adopted
                                by the Commission in accordance with the review procedure referred to in Article 93(2).


                                In the judgment Schrems II, the European Court of Justice did not reject standard contract clauses which

                                transfer tool. However, the court found that they are not binding on
                                the authorities of the third country. The Court of Justice of the European Union stated that “[even] if thus


                                13 Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 in accordance with the European Parliament and
                                Council Directive 95/46/EC on whether adequate protection is ensured by the Privacy Shield in
                                The European Union and the United States and the judgment of the European Court of Justice Facebook Ireland and Schrems (Schrems II), C-
                                311/18, EU:C:2020:559.



                                                              Page 14 of 23The Swedish Privacy Agency Diary number: DI-2020-11373 15(23)
                                 Date: 2023-06-30







                                 there are situations where the recipient of such a transfer, depending on the legal situation and
                                 current practice in the third country concerned, can guarantee the necessary protection of
                                 data solely with the support of the standardized data protection regulations, exists

                                 the other situations in which the provisions of these clauses cannot be one
                                 sufficient means to ensure effective protection of the personal data in practice

                                 which is transferred to the third country concerned.' According to the European Court of Justice, this is "among other things
                                 the case when the legislation of the third country allows the authorities of that third country to do

                                 interference with the rights of the registered persons regarding these data.” 14


                                 The reason why the European Court of Justice annulled the decision on adequate level of protection
                                 with the US was how the US intelligence agencies can access

                                 personal data. According to the court, the conclusion of standard contract clauses cannot in itself
                                 ensure a level of protection required by Article 44 of the Data Protection Regulation,

                                 as the guarantees stated therein do not apply when requested by such authorities
                                 access. The European Court of Justice therefore stated the following:


                                     "It thus appears that the standardized data protection regulations which

                                     the commission adopted with the support of article 46.2 c of the same regulation only aims to
                                     provide the personal data controllers or their personal data assistants established

                                     in the Union contractual safeguards that are applied uniformly throughout
                                     third countries and thus independent of the level of protection ensured in each of

                                     these countries. Because these standardized data protection regulations, with regard
                                     to their nature, cannot lead to protective measures that go beyond a contractual obligation

                                     to ensure that the level of protection required under Union law is observed, it may be
                                     necessary, depending on the situation prevailing in a particular third country, for it

                                     personal data controller to take additional measures to ensure that the level of protection
                                     observed.15


                                 In the European Data Protection Board's (EDPB) recommendations on the consequences of
                                         16
                                 the judgment clarifies that if the assessment of legislation and practice in the third country involves
                                 that the protection that the transmission tool is supposed to guarantee cannot be maintained in practice

                                 the exporter must, within the framework of his transfer, as a rule either cancel
                                 the transfer or take appropriate additional protective measures. The EDPB thereby notes

                                 that "further measures can only be considered effective in the sense referred to in the EU
                                 the court's judgment "Schrems II" if and to the extent that they - alone or in combination -
                                 addresses the specific deficiencies identified during the assessment of the situation i

                                 the third country in terms of its laws and practices applicable to the transfer”. 17


                                 It appears from the EDPB's recommendations that such additional protective measures can
                                 fall into three categories: contractual, organizational and technical. 18


                                 Regarding contractual measures, the EDPB states that such measures “[...] can

                                 supplement and reinforce the safeguards that the transfer tool and relevant
                                 legislation in the third country provides [...]. Considering that the contractual

                                 the measures are of such a nature that they cannot generally bind the authorities in it
                                 the third country because they are not parties to the agreement, these measures may often be necessary




                                 14 Paragraphs 125-126.
                                 15 Item 133.
                                 16EDPB, Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU

                                 level of protection of personal data, Version 2.0, adopted on 18 June 2021 (hereinafter "EDPB's Recommendations
                                 17/2020”).
                                 18EDPB's Recommendations 01/2020, point 75; IMY's translation.
                                   EDPB's Recommendations 01/2020, point 52.


                                                                 Page 15 of 23The Swedish Privacy Agency Diary number: DI-2020-11373 16(23)

                                Date: 2023-06-30






                                combined with other technical and organizational measures to provide it
                                level of data protection required [...]'. 19


                                Regarding organizational measures, the EDPB emphasizes “[a]t choose and implement a

                                or more of these measures will not necessarily and systematically
                                ensure that [a] transfer meets the basic equivalence standard which

                                required by EU legislation. Depending on the particular circumstances surrounding
                                the transfer and the assessment made by the law of the third country is required

                                organizational measures to supplement contractual and/or technical measures
                                to ensure a level of protection for personal data that is substantially equivalent to that
                                which is guaranteed within the EU/EEA”. 20


                                Regarding technical measures, the EDPB points out that “these measures will in particular

                                be necessary when the legislation of that country imposes obligations on the importer which
                                contravenes the guarantees in Article 46 of the Data Protection Regulation transfer tools and

                                which in particular may infringe upon the contractual guarantee of one in all essentials
                                equivalent protection against the authorities of the third country gaining access to these
                                           21
                                tasks". The EDPB thereby states that "the measures specified [in the Recommendations]
                                are intended to ensure that access to the transmitted data for public
                                authorities in third countries do not interfere with the expediency of the appropriate

                                the safeguards in Article 46 of the Data Protection Regulation transfer tools. These
                                measures would be necessary to guarantee a substantially equivalent

                                level of protection as that guaranteed within the EU/EEA, even if the public ones
                                access by the authorities is consistent with the legislation of the importer's country, where such

                                access in practice goes beyond what is necessary and proportionate in one
                                democratic society. The purpose of these measures is to prevent potentially unauthorized

                                access by preventing the authorities from identifying the registered, drag
                                conclusions about them, point them out in another context or connect the transmitted ones
                                the data to other data sets which, among other things, may contain network identifiers such as

                                provided by the devices, applications, tools and protocols used by
                                registered in other contexts". 22


                                2.4.2 The Privacy Protection Authority's assessment


                                2.4.2.1 Applicable Transfer Tool

                                The investigation shows that Tele2 and Google have entered into standardized agreements
                                data protection regulations (standard contract clauses) in the sense referred to in Article

                                46 for the transfer of personal data to the United States. These clauses are in line with those which
                                published by the European Commission in decision 2021/914 of June 4, 2021 and

                                thus a transfer tool according to chapter V of the data protection regulation.

                                2.4.2.2 The legislation and the situation in the third country

                                As can be seen from the judgment Schrems II, the use of standard contract clauses may require
                                additional protective measures as a complement. Therefore, an analysis of

                                the legislation in the relevant third country is made.


                                IMY believes that the analysis that the EU Court has already done in the judgment Schrems II, which
                                relates to similar conditions, is relevant and current, and that it can therefore be added




                                19EDPB's Recommendations 01/2020, point 99; IMY's translation.
                                20EDPB's Recommendations 01/2020, point 128; IMY's translation.
                                21 EDPB's Recommendations 01/2020, point 77; IMY's translation.
                                22EDPB's Recommendations 01/2020, point 79; IMY's translation.


                                                               Page 16 of 23The Swedish Privacy Agency Diary number: DI-2020-11373 17(23)
                                Date: 2023-06-30






                                basis for the assessment in the case without any further analysis of the legal

                                the situation in the United States needs to be done.


                                Google LLC, as the importer of the data to the United States, shall be classified as
                                provider of electronic communications services within the meaning of 50 US
                                Code § 1881 (b)(4). Google is therefore subject to surveillance by American

                                intelligence services in accordance with 50 US § 1881a (“702 FISA”) and thus liable
                                to provide the US government with personal data when 702 FISA is used.


                                The European Court of Justice found in the judgment Schrems II that the American
                                surveillance programs based on 702 FISA, Executive Order 12333

                                (hereinafter “E.O. 12333”) and Presidential Policy Directive 28 (hereinafter “PPD-28”) in the
                                American legislation does not correspond to the minimum requirements that apply in EU law
                                according to the principle of proportionality. This means that the monitoring programs that are established

                                on these provisions cannot be considered to be limited to what is strict
                                necessary. The court also found that the monitoring programs do not provide

                                the registered rights enforceable against US authorities i
                                court, which means that these people do not have the right to an effective remedy.


                                Against this background, IMY notes that the use of the EU Commission's
                                standard contract clauses are not in themselves sufficient to achieve an acceptable level of protection
                                for the transferred personal data.


                                2.4.2.3 Additional safeguards implemented by Google and Tele2

                                The next question is whether Tele2 has taken sufficient additional protective measures.

                                As the personal data controller and exporter of the personal data, Tele2 is obliged to

                                ensure that the rules of the data protection regulation are complied with. This responsibility includes, among other things
                                to assess in each individual case when transferring personal data to third countries which
                                additional safeguards to be used and to what extent, including that

                                evaluate if the actions taken by the recipient (Google) and the exporter (Tele2)
                                taken together are sufficient to achieve an acceptable level of protection.


                                2.4.2.3.1 Google's additional safeguards
                                Google LLC, as an importer of personal data, has taken contractual,

                                organizational and technical measures to complement the standard contract clauses.
                                In a statement on April 9, 2021, Google described that the company has taken measures.


                                The question is whether the additional protective measures taken by Tele2 and Google LLC are
                                effective, in other words, hindering US intelligence services' ability to obtain

                                access to the transferred personal data.

                                As regards the legal and organizational measures, it can be stated that neither
                                                                                        24
                                information to users of the Tool (such as Tele2), the publication of a
                                transparency report or a publicly available “Government Request Handling Policy”

                                impedes or reduces the ability of US intelligence agencies to obtain
                                access to the personal data. Furthermore, it is not described what it means to
                                Google LLC's makes a "careful review of each request" for the "legality" of

                                US intelligence services. IMY notes that this does not affect the legality of




                                2Items 184 and 192. Item 259 et seq.
                                2Regardless of whether such notification would even be permitted under US law.



                                                              Page 17 of 23The Swedish Privacy Agency Diary number: DI-2020-11373 18(23)

                                Date: 2023-06-30






                                such requests because, according to the European Court of Justice, they are not compatible with the requirements of
                                EU data protection rules.


                                As regards the technical measures taken, it can be stated that neither

                                Google LLC or Tele2 has clarified how the described measures – such as protection of
                                communication between Google services, protection of data during transfer between
                                data center, protection of communications between users and websites or “physical

                                security” – hinders or reduces the ability of US intelligence agencies to
                                prepare access to the data with the support of the American regulatory framework.


                                Regarding the encryption technology used – for example for so-called "data at rest"

                                ("data at rest") in data centers, which Google LLC mentions as a technical measure - has Google
                                LLC as an importer of personal data nevertheless an obligation to grant access to or
                                hand over imported personal data at the disposal of Google LLC, including

                                any encryption keys required to make the data intelligible. Thus
                                such a technical measure cannot be considered effective as long as Google LLC has

                                possibility to access the personal data in plain text.


                                Regarding what Google LLC's stated that "to the extent information for measurement i
                                Google Analytics transmitted by website owners constitutes personal data, they receive
                                considered to be pseudonymized” it can be stated that universal unique identifiers

                                (UUID) is not covered by the concept of pseudonymisation in Article 4.5 i
                                data protection regulation. Pseudonymization can be a privacy-enhancing technique,

                                but the unique identifiers, as described above, have the specific purpose of distinguishing
                                user and not to act as protection. In addition, individual identifiable genomes are made

                                what is stated above about the possibility of combining unique identifiers and others
                                data (eg metadata from browsers or devices and the IP address) and
                                the ability to link such information to a Google account for logged-in users.


                                Regarding Google's measure "anonymization of IP addresses" in the form of truncation 26
                                it is not clear from Google's response if this action takes place before the transfer, or if

                                the entire IP address is transferred to the USA and shortened only after the transfer to the USA. From
                                from a technical point of view, it has thus not been shown that there is no potential access to the whole

                                The IP address before the last octet is truncated.


                                Against this background, IMY notes that the additional protective measures taken
                                of Google are not effective, because they do not prevent American

                                intelligence services' ability to access the personal data or does so
                                access ineffective.


                                2.4.2.3.2 Tele2's own additional protective measures

                                Tele2 has stated that the company has taken additional protective measures in addition to those measures
                                which Google has taken. According to Tele2, these consist of activating the function for
                                truncation27 of the last octet of the IP address before the data is transmitted to Google, which

                                means that the last octet is masked.


                                As stated above regarding Google's measures, it is not clear from Google's response whether

                                this action occurs before the transfer or if the entire IP address is transferred to the United States and


                                25 See EDPB's Recommendations 01/2020, point 81.
                                26 IP address truncation means that asterisks or zeros replace other digits in the last octets (the last digits of an IP
                                address, a number between 0 and 255).
                                27 IP address truncation means that asterisks or zeros replace other digits in the last octets (the last digits of an IP
                                address, a number between 0 and 255).


                                                              Page 18 of 23The Swedish Privacy Agency Diary number: DI-2020-11373 19(23)
                                Date: 2023-06-30






                                truncated only after the transfer to the United States. From a technical point of view, it has thus not
                                shown that after the transfer there is no potential access to the entire IP address before
                                the last octet is truncated.


                                Even if the truncation were to take place before the transfer takes place, it is not a sufficient one
                                action, as the truncated IP address can be interconnected with others
                                data, as IMY stated above in section 2.2.2. A truncation of an IP address

                                means that only the last octet is masked, which itself can only be any of 256
                                option (ie in the range 0-255) and due to the truncated IP address going
                                to distinguish from other IP addresses, this information can be combined with others
                                information (as above in section 2.2.2) and enable identification, which in itself is

                                sufficient to determine whether the data together constitute personal data. Although
                                the masking of the last octet constitutes an integrity-enhancing measure, as it limits
                                the extent of the data that authorities can access (in third countries)

                                IMY notes that it is still possible to link the transferred data to other data
                                which is also transferred to Google LLC (in third countries).

                                Against this background, IMY notes that neither the additional measures which

                                taken by Tele2 in addition to the additional measures taken by Google is sufficient
                                effective in preventing US intelligence agencies from accessing
                                the personal data or render such access ineffective.


                                2.4.2.3.3 The Privacy Protection Authority's conclusion
                                IMY finds that Tele2's and Google's actions are neither individually nor collectively

                                effective enough to prevent US intelligence agencies from obtaining
                                access to the personal data or render such access ineffective.

                                Against this background, IMY finds that neither standard contract clauses nor the others

                                measures invoked by Tele2 may provide such support for the transfer as specified in Chapter
                                V in the data protection regulation.


                                With this transfer of data, Tele2 therefore undermines the level of protection for
                                personal data of data subjects guaranteed in Article 44 of the Data Protection Regulation.

                                IMY therefore notes that Tele2 Sverige AB violated Article 44 i

                                the data protection regulation in any case during the period from 14 August 2020 to and including May
                                2023.


                                3 Choice of intervention


                                3.1 Legal regulation

                                In the event of violations of the data protection regulation, IMY has a number of corrective measures

                                powers to be available according to Article 58.2 a–j of the data protection regulation, among other things
                                reprimand, injunction and penalty fees.


                                IMY shall impose penalty fees in addition to or in lieu of other corrective measures
                                as referred to in Article 58(2), depending on the circumstances of each individual case.

                                Each supervisory authority must ensure that the imposition of administrative

                                penalty charges in each individual case are effective, proportionate and dissuasive. The
                                stated in Article 83.1 of the Data Protection Regulation.




                                                               Page 19 of 23The Swedish Privacy Agency Diary number: DI-2020-11373 20(23)
                                Date: 2023-06-30






                                In article 83.2 of the data protection regulation, the factors that must be considered in order to

                                decide whether an administrative penalty fee should be imposed, but also at
                                the determination of the amount of the penalty fee. If it is a question of a smaller one

                                breach will receive the IMY as set out in recital 148 instead of imposing a
                                penalty fee issue a reprimand according to article 58.2 b of the regulation. Consideration shall
                                in the assessment, aggravating and mitigating circumstances in the case are taken into account, such as

                                the nature, severity and duration of the breach and previous breaches of
                                relevance.


                                The EDPB has adopted guidelines on the calculation of administrative penalty fees according to
                                the data protection regulation which aims to create a harmonized method and principles
                                                                    28
                                for calculation of penalty fees.

                                3.2 Should a penalty fee be imposed?


                                IMY has found above that the transfers of personal data to the USA that take place via
                                The Google Analytics tool and for which Tele2 is responsible for violations of Article 44 i

                                data protection regulation. Violations of that provision can according to Article 83
                                incur penalty charges.


                                In light of, among other things, the fact that Tele2 transferred a large amount of personal data, that
                                the processing has been going on for a long time and that the transfer meant that

                                the personal data could not be guaranteed the level of protection given in the EU/EEA is
                                don't ask about a minor infraction. Tele2 must therefore be charged a penalty fee for

                                the established violation.

                                3.2.1 At what amount should the penalty fee be determined?

                                When determining the maximum amount of a penalty charge to be imposed on a company
                                shall the definition of the concept of company be used as used by the EU Court of Justice

                                application of Articles 101 and 102 of the TFEU (see recital 150 i
                                data protection regulation). It appears from the court's practice that this includes every entity
                                that carries out economic activities, regardless of the legal form of the entity and the way of doing so

                                financing as well as even if the unit in the legal sense consists of several physical or
                                legal entities.29


                                According to Article 83.5 c of the data protection regulation, in the event of a violation of, among other things,
                                article 44 in accordance with 83.2 administrative penalty fees of up to 20 are imposed
                                million EUR or, in the case of a company, of up to 4% of the total global

                                the annual turnover during the previous budget year, depending on which value is the highest.


                                IMY assesses that the company's turnover to be used as a basis for calculation of
                                the administrative sanction fee is Tele2 Sverige AB's annual report for the year 2022.
                                The company had a turnover of approximately SEK 28,102,000,000 during that budget year. The highest

                                penalty amount that can be determined in the case is four percent of this amount, that is
                                say approximately SEK 1,124,080,000.


                                When determining the size of the penalty fee, IMY shall take into account the violation
                                seriousness and taking into account both aggravating and mitigating circumstances





                                28EDPB's guidelines 8/2020 Guidelines 04/2022 on the calculation of administrative fines under the GDPR (adopted for
                                public consultation on 12 May 2022).
                                29 See Judgment in Akzo Nobel, C-516/15, EU:C:2017:314, paragraph. 48



                                                              Page 20 of 23The Swedish Privacy Agency Diary number: DI-2020-11373 21(23)

                                 Date: 2023-06-30






                                 determine an administrative sanction amount that is effective in the individual case,

                                 proportionate and dissuasive.


                                 IMY assesses that the following factors are important for the assessment of the infringement
                                 seriousness.


                                 As regards the assessment of the seriousness of the infringement, there is initially
                                 factors which mean that there are reasons to view the violation more seriously. Tele2 has

                                 transferred a large amount of personal data to third countries. The transfer has meant that
                                 the personal data has not been able to guarantee the level of protection given in the EU/EES which

                                 itself is a serious violation. In addition, it is difficult that the transfer of
                                 personal data has been going on for a long time, i.e. as of August 14, 2020

                                 and are still ongoing, and that they have occurred systematically. IMY also considers that now
                                 approximately 3 years have passed since the European Court of Justice rejected the
                                                                                          30
                                 the commission's decision on an adequate level of protection in the USA whereby the conditions for
                                 transfers of personal data to the United States changed.


                                 In the meantime, the EDPB has made recommendations on the consequences of the judgment
                                 which was out for public consultation on 10 November 2020 and adopted in final form

                                 on 18 June 2021. In addition, several other supervisory authorities within the EU/EEA have
                                 issued orders to cease use of the Tool until

                                 sufficiently effective safety protection measures have been taken by them
                                 personal data controller. The decisions have included cases where the personal data controller

                                 has also taken measures such as "anonymization of IP addresses" in the form of
                                 truncation.31


                                 Although these recommendations and decisions clearly point to the risks of and
                                 the difficulties in ensuring a sufficient level of protection for data transfers to companies

                                 in the USA, Tele2 has continued to use the Tool during the period of August 14
                                 2020 up to and including at least May 2023 without taking your own additional protective measures.

                                 Google's action regarding IP address truncation means that it is still possible
                                 distinguish the IP address, as it can be linked with others transmitted

                                 data to third countries (to the USA). This enables identification, which means that
                                 the data together constitute personal data.


                                 Tele2 is one of the major players in the telecom industry in Sweden. It's about

                                 data on a large number of data subjects who can be identified indirectly and whose data
                                 can be combined with other information about them. As far as the data is concerned

                                 nature already follows from Tele2's own purpose for the processing – i.e. to among
                                 otherwise be able to draw conclusions about how the data subjects navigate and find their way around
                                 The website, that the data aggregated – makes it possible to draw relatively

                                 precise conclusions about the privacy of the data subjects and map them, such as
                                 regarding what they buy and what services they are interested in over time and holding

                                 at the company. Tele2's processing of personal data entails risks of serious infringement

                                 30 Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 according to the European Parliament and the Council
                                 directive 95/46/EC on whether adequate protection is ensured by the privacy shield in the EU and the United
                                 the states.
                                 31 Austrian supervisory authority (Datenschultzbehörde) decision of 22 April 2022 regarding complaints Google

                                 Analytics represented by NOYB with local case number 1354838270, French regulatory authority (CNIL) decision
                                 of February 10, 2022 represented by NOYB and the Italian Supervisory Authority (Garante) decision of June 9, 2022
                                 32seeing complaint Google Analytics represented by NOYB, local case number 9782890.
                                   Truncation of IP address "anonymization of IP address" means that asterisk or zeros replace other digits at the end
                                 octets (the last digits of an IP address, a number between 0 and 255), which itself can only be one of 256 options.
                                 The effect of this action is that it is still possible to distinguish the IP address from the other IP addresses (255
                                 option), as the IP address can be combined with other transmitted data (e.g. device information and
                                 time of the visit) to third countries (to the USA).


                                                                Page 21 of 23The Swedish Privacy Agency Diary number: DI-2020-11373 22(23)
                                Date: 2023-06-30







                                of the freedoms and rights of individuals, which gives Tele2s a special responsibility that entails high
                                requirements for transfers to third countries, where IMY overall assesses that Tele2 does not have
                                demonstrated that the company has carried out a sufficient analysis and mapping and has also not taken

                                necessary security measures to limit the risks for the data subjects.


                                IMY notes at the same time that there are factors that speak in the opposite direction. IMY takes into account
                                the particular situation that arose after the judgment and the interpretation of the EDPB's
                                recommendations, where there was a gap after the transfer tool to the United States

                                according to the Commission's previous decision rejected by the European Court of Justice. IMY also considers
                                that Tele2 has taken certain, albeit insufficient, measures to limit them

                                personal data transmitted by activating "anonymization of IP addresses"
                                by truncation. Tele2 has done an analysis and mapping of the life cycle for
                                personal data in the Tool. This relationship is also taken into account in the assessment of

                                the seriousness of the violations.

                                Overall, IMY assesses, against the background of the reported circumstances, that they

                                the violations in question are of low seriousness. The starting point for the calculation
                                of the penalty fee should therefore be set low in relation to the current maximum amount.


                                In addition to assessing the seriousness of the violation, IMY must assess whether it exists

                                any aggravating or mitigating circumstances that become relevant
                                the amount of the penalty fee. IMY assesses that there is no further aggravating factor or
                                mitigating circumstances, in addition to those considered in the assessment of

                                the degree of seriousness, which affects the size of the penalty fee.


                                Based on an overall assessment of the aforementioned circumstances, the high turnover in
                                relation to the violations found and in light of the fact that the
                                the administrative penalty fee must be effective, proportionate and dissuasive

                                IMY assesses that the sanction fee can stay at SEK 12,000,000 (twelve million).

                                ___________________





                                This decision has been taken by the general manager Lena Lindgren Schelin after a presentation
                                by lawyer Sandra Arvidsson. In the final proceedings, the chief justice also has

                                David Törngren, unit manager Catharina Fernquist and IT- and
                                information security specialist Mats Juhlén participated.


                                Lena Lindgren Schelin, 2023-06-30 (This is an electronic signature)



                                Appendix

                                Appendix 1 – Information on payment of penalty fee









                                3Austrian supervisory authority (Datenschultzbehörde) decision of 22 April 2022 regarding complaints Google
                                Analytics represented by NOYB with local case number 1354838270, French regulatory authority (CNIL) decision
                                of February 10, 2022 represented by NOYB and the Italian Supervisory Authority (Garante) decision of June 9, 2022
                                regarding complaint Google Analytics represented by NOYB, local case number 9782890.



                                                              Page 22 of 23The Swedish Privacy Agency Diary number: DI-2020-11373 23(23)
                                Date: 2023-06-30






                                4 Appeal reference


                                4.1 How to Appeal

                                If you want to appeal the decision, you must write to the Swedish Privacy Agency. Enter in
                                the letter which decision you are appealing and the change you are requesting. The appeal shall

                                have been received by the Privacy Protection Authority no later than three weeks from the day you received it
                                part of the decision. If the appeal has been received in time, send
                                The Privacy Protection Authority forwards it to the Administrative Court in Stockholm
                                examination.


                                You can e-mail the appeal to the Privacy Protection Authority if it does not contain
                                any privacy-sensitive personal data or information that may be covered by

                                secrecy. The authority's contact details appear on the first page of the decision.




















































                                                              Page 23 of 23