IMY (Sweden) - DI-2020-11373
|IMY - 2020-11373
|Article 44 GDPR
Article 46 GDPR
Article 60 GDPR
|National Case Number/Name:
|European Case Law Identifier:
|IMY (in SV)
The Swedish DPA held that by using Google Analytics provided by Google LLC, Tele2 Sverige breached Article 44 GDPR. SCCs and safeguards that were in place could not support data transfers to the US in a way that would not undermine the level of protection of personal data guaranteed by the GDPR.
English Summary[edit | edit source]
Facts[edit | edit source]
Tele2 Sverige Aktiebolag (the controller) used Google Analytics tool provided by Google LLC (processor) on its website. For the use of this tool, the controller transferred users’ personal data to the processor, in the US.
In 2020, noyb lodged a complaint against the controller with the Austrian DPA, alleging that the transfer of personal data through the use of Google Analytics tool was in violation of the provisions of Chapter V GDPR.
The complaint was transferred to the Swedish DPA in its quality of lead supervisory authority pursuant to Article 56 GDPR. Following the complaint, the DPA investigated the data transfers from the controller to the US through the use of Google Analytics.
In its defense, the controller explained that the transfer was based on SCC’s concluded with Google Analytics pursuant to Article 46 GDPR and that it put in place additional safeguards. For example, it held that the data transferred was anonymized in such way that the users would not be identifiable.
Holding[edit | edit source]
Firstly, the DPA assessed whether the data processed through Google Analytics tool constituted personal data and found that it did. Indeed, generic IP address and users’ unique identifiers collected through cookies were transmitted to Google LLC. The DPA outlined that although such unique identifiers would not make the users identifiable in themselves, they could be combined with additional elements and enable to distinguish individual visitors.
Secondly, the DPA held that Tele2 decided to implement the Google Analytics tool on its website for its own analytics purposes. By determining the means and purposes of the processing, Tele2 qualified as the controller.
Thirdly, the DPA assessed the compatibility of the transfer with Article 44 GDPR and if it was supported by a transfer basis under Chapter V GDPR. Referring to CJEU Schrems II judgment, the DPA noted that the use of SCC’s is not in itself sufficient to achieve an acceptable level of protection in the context of data transfers to the US and that an analysis of the national provisions must be carried out. Under national US law, Google LLC, as a provider of electronic communication services is subject to surveillance by the intelligence agencies and is thus obliged to provide the US government with personal data. According to the Schrems judgment, that the DPA considered up-to-date, this legislation doesn’t meet the requirements of EU law.
In conclusion, the DPA found that the transfer of data could not rely on any of the Chapter V tools and that the controller undermined the level of protection of the data subjects’ data, in breach of Article 44 GDPR. Considering that the controller continued using Google Analytics despite the EU recommendations and decisions, without implementing additional safeguards, the DPA imposed a fine of SEK 12,000,000 (approx. €1,000,000).
Comment[edit | edit source]
See press release from the IMY: https://www.imy.se/nyheter/fyra-bolag-maste-sluta-anvanda-google-analytics/ This complaint is part of noyb's 101 complaints project. This decision was published along with three other decisions. Summaries are available on the hub: CDON, Coop and Dagens.
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.