IMY (Sweden) - DI-2020-11373

From GDPRhub
IMY - 2020-11373
Authority: IMY (Sweden)
Jurisdiction: Sweden
Relevant Law: Article 44 GDPR
Article 46 GDPR
Article 60 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 30.06.2023
Published:
Fine: 12,000,000 SEK
Parties: Tele2 Sverige
National Case Number/Name: 2020-11373
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Swedish
Original Source: IMY (in SV)
Initial Contributor: n/a

The Swedish DPA held that by using Google Analytics provided by Google LLC, Tele2 Sverige breached Article 44 GDPR. SCCs and safeguards that were in place could not support data transfers to the US in a way that would not undermine the level of protection of personal data guaranteed by the GDPR.

English Summary

Facts

Tele2 Sverige Aktiebolag (the controller) used the Google Analytics tool provided by Google LLC (processor) on its website. For the use of this tool, the controller transferred users’ personal data to the processor in the US.

In 2020, noyb lodged a complaint against the controller with the Austrian DPA, alleging that the transfer of personal data through the use of the Google Analytics tool was in violation of the provisions of Chapter V GDPR.

The complaint was transferred to the Swedish DPA in its capacity as lead supervisory authority pursuant to Article 56 GDPR. Following the complaint, the DPA investigated the data transfers from the controller to the US through the use of Google Analytics.

In its defense, the controller explained that the transfer was based on SCCs concluded with Google Analytics pursuant to Article 46 GDPR and that it had put in place additional safeguards. For example, it held that the data transferred was anonymized in such a way that the users would not be identifiable.

Holding

Firstly, the DPA assessed whether the data processed through the Google Analytics tool constituted personal data and found that it did. Indeed, generic IP addresses and users’ unique identifiers collected through cookies were transmitted to Google LLC. The DPA outlined that although such unique identifiers would not make the users identifiable in themselves, they could be combined with additional elements and make it possible to distinguish individual visitors.

Secondly, the DPA held that Tele2 decided to implement the Google Analytics tool on its website for its own analytics purposes. By determining the means and purposes of the processing, Tele2 qualified as the controller.

Thirdly, the DPA assessed the compatibility of the transfer with Article 44 GDPR and whether it was supported by a transfer basis under Chapter V GDPR. Referring to the CJEU's Schrems II judgment, the DPA noted that the use of SCCs is not in itself sufficient to achieve an acceptable level of protection in the context of data transfers to the US and that an analysis of the national provisions must be carried out. Under national US law, Google LLC, as a provider of electronic communication services, is subject to surveillance by the intelligence agencies and is thus obliged to provide the US government with personal data. According to the Schrems judgment, which the DPA considered up to date, this legislation does not meet the requirements of EU law.

In conclusion, the DPA found that the transfer of data could not rely on any of the Chapter V tools and that the controller undermined the level of protection of the data subjects’ data, in breach of Article 44 GDPR. Considering that the controller continued using Google Analytics despite the EU recommendations and decisions, without implementing additional safeguards, the DPA imposed a fine of SEK 12,000,000 (approx. €1,000,000).

Comment

See the press release from the IMY: https://www.imy.se/nyheter/fyra-bolag-maste-sluta-anvanda-google-analytics/

This complaint is part of noyb's 101 complaints project. This decision was published along with three other decisions. Summaries are available on the hub: CDON, Coop and Dagens.

English Machine Translation of the Decision

The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.

Tele2 Sverige Aktiebolag
Box 62
16494 Kista

Diary number: DI-2020-11373
Date: 2023-06-30

Decision after supervision according to data protection regulation – Tele2 Sverige AB's transfer of personal data to third countries

Postal address: Box 8114, 104 20 Stockholm
Website: www.imy.se
E-mail: imy@imy.se
Telephone: 08-657 61 00

Contents

The Privacy Protection Authority's decision
1 Description of the supervisory matter
1.1 The processing
1.2 What is stated in the complaint
1.3 What Tele2 has stated
1.3.1 Who has implemented the Tool and for what purpose, etc.
1.3.2 Recipient of the data
1.3.3 The data processed in the Tool and what constitutes personal data
1.3.4 Categories of persons affected by the processing
1.3.5 When the code for the Tool is executed and recipients are provided with access
1.3.6 How long the processed personal data is stored
1.3.7 In which countries the personal data is processed
1.3.8 Tele2's relationship with Google LLC
1.3.9 Ensuring that the processing does not take place for the recipients' own purposes
1.3.10 Description of the company's use of the Tool
1.3.11 Own checks on transfers affected by the judgment Schrems II
1.3.12 Transfer tool according to chapter V of the data protection regulation
1.3.13 Control of obstacles to enforcement in legislation in third countries
1.3.14 Additional security measures taken in addition to those taken by Google
1.4 What Google LLC has stated
2 Justification of the decision
2.1 The framework for the review
2.2 It is a matter of processing personal data
2.2.1 Applicable regulations, etc.
2.2.2 The Privacy Protection Authority's assessment
2.3 Tele2 is the personal data controller for the processing
2.4 Transfer of personal data to third countries
2.4.1 Applicable regulations, etc.
2.4.2 The Privacy Protection Authority's assessment
3 Choice of intervention
3.1 Legal regulation
3.2 Should a penalty fee be imposed?
4 Appeal reference
4.1 How to appeal

The Privacy Protection Authority's decision

The Privacy Protection Authority states that Tele2 Sverige Aktiebolag processes personal data in violation of Article 44 of the Data Protection Regulation by, during the period August 14, 2020 through May 2023, using the tool Google Analytics, provided by Google LLC, on its website www.tele2.se, and thereby transferring personal data to third countries without the conditions according to chapter V of the regulation being met.

IMY decides with the support of articles 58.2 and 83 of the data protection regulation that Tele2 Sverige Aktiebolag must pay an administrative sanction fee of 12 million (twelve million) kronor for violation of Article 44 of the data protection regulation.

1 Description of the supervisory matter

1.1 The processing

The Swedish Privacy Protection Agency (IMY) has started supervision of Tele2 Sverige Aktiebolag (hereinafter Tele2 or the company) due to a complaint. The complaint concerns an alleged violation of the provisions of Chapter V of the data protection regulation linked to the transfer of the complainant's personal data to a third country. The transfer allegedly took place when the complainant visited the company's website, www.tele2.se (hereinafter "Tele2's website" or "Website"), through the tool Google Analytics (hereinafter the Tool) provided by Google LLC.

The complaint has been handed over to IMY, in its capacity as the responsible supervisory authority according to Article 56 of the Data Protection Regulation. The handover has taken place from the supervisory authority in the country where the complainant filed the complaint (Austria) in accordance with the regulation's provisions on cooperation in cross-border processing.

The proceedings at IMY have taken place through an exchange of letters.

1.2 What is stated in the complaint

The complaint essentially states the following.

On August 14, 2020, the complainant visited Tele2's website. During the visit, the complainant signed in to his Google account, which is linked to the complainant's email address. The company had implemented JavaScript code for Google services on its website, including Google Analytics. In accordance with clause 5.1.1 b of the terms of Google's processing of personal data for Google's advertising products and also Google's terms and conditions for processing "the New Order Data Processing Conditions for Google Advertising Products", Google processes personal data on behalf of the data controller (i.e. the company). Google LLC must therefore, according to the above-mentioned conditions, be classified as the company's personal data processor.

During the complainant's visit to the company's website, the complainant's personal data was processed by Tele2, at least the complainant's IP address and data collected through cookies. Some of the data collected was transferred directly to Google. In accordance with clause 10 of the terms on the processing of personal data for Google's advertising products, Tele2 has approved that Google may process personal data about the complainant in the United States. Such transfer of data requires legal support in accordance with chapter V of the data protection regulation.

According to the judgment of the European Court of Justice Facebook Ireland and Schrems (Schrems II),² the company can no longer rely on a decision on an adequate level of protection for the transfer of data to the United States according to Article 45 of the Data Protection Regulation. The company should not base the transfer of data on standard data protection clauses according to article 46.2 c of the data protection regulation if the recipient country does not ensure adequate protection with regard to Union law for the personal data that is transferred.

Google shall be classified as a provider of electronic communications services in the meaning referred to in 50 US Code § 1881 (4)(b) and is thus subject to surveillance by US intelligence agencies in accordance with 50 US § 1881a (section 702 of the Foreign Intelligence Surveillance Act, hereinafter “702 FISA”).³ Google provides the US government with personal data in accordance with these regulations.

The company cannot therefore ensure adequate protection of the complainant's personal data when these are transferred to Google.

1 regarding the processing of personal data and about the free flow of such data and about the cancellation of avr med directive 95/46/EC (General Data Protection Regulation).

1.3 What Tele2 has stated

Tele2 Sverige Aktiebolag has essentially stated the following.

1.3.1 Who has implemented the Tool and for what purpose, etc.

Tele2 has made the decision to implement Google Analytics (the "Tool") on the Website, which has happened by embedding the code for the Tool on the Website. The company began decommissioning the version of the Tool covered by IMY's supervision in spring 2022 and stopped using that version in June 2023 but has not been able to give an exact date for this. The company is established in Sweden and has not made such a decision for any other European site.

The purpose of using the Tool is to be able to compile and analyze statistics regarding visits to the Website.

The statistics regarding the visits to the Website obtained via the Tool have only been evaluated by Tele2 in Sweden.

There is no option in the Tool's settings to make any choices regarding the transfer of data to the United States.

1.3.2 Recipient of the data

Within the framework of Tele2's use of the Tool on the Website, information is disclosed to a number of actors, all of whom are personal data processors or sub-processors to the company, including Google LLC, Google Ireland Ltd and their subsidiaries.

2 ECJ judgment Facebook Ireland and Schrems (Schrems II), C-311/18, EU:C:2020:559.
3 See https://www.govinfo.gov/content/pkg/USCODE-2011-title50/html/USCODE-2011-title50-chap36-subchapVI-sec1881.htm and https://www.govinfo.gov/content/pkg/USCODE-2011-title50/html/USCODE-2011-title50-chap36-subchapVI-sec1881a.htm.

1.3.3 The data processed in the Tool and what constitutes personal data

The information processed by Tele2 and Google within the framework of the Tool includes (i) information about the visit to the Website, e.g. which pages are displayed or which clicks are made, (ii) information about the device calling the Website and (iii) information in the cookie (_ga cookie) which consists of the Client ID.

Tele2 uses the Tool to analyze statistics regarding visits to the website www.tele2.se. All statistics and reports generated via the Tool are produced at an aggregate level and cannot be used to directly or indirectly identify any natural person.

Production of statistics and reports via the Tool is made possible by cookies used on the Website. If a visitor to the Website has agreed to the use of cookies, a cookie is placed in the visitor's browser. The information that is processed through use of the Tool thus consists of the following categories: (i) information about the visit to the Website, e.g. which pages are displayed or which clicks are made, (ii) information about the device visiting the Website and (iii) information in the cookie (_ga cookie) which is made up of the Client ID.

(i) The information about the visit to the Website

Information regarding the visit to the Website does not in itself contain any information which can be used to directly or indirectly identify any natural person, i.e. a page view or a click constitutes completely anonymous information in itself.

(ii) Information about the device visiting the Website

Information about the device that calls and visits the Website consists of, e.g., which type of browser and which IP address is used during the visit. As for IP addresses, nowadays static IP addresses are used only by a few companies and organizations. Otherwise, exclusively dynamic IP addresses are used for all consumers. A dynamic IP address simply means that a device is assigned an IP address at each connection to the Internet and the device is then assigned completely new IP addresses on subsequent connection occasions. A device is not necessarily a computer, mobile phone or tablet but can in many cases be a router or other device that multiple computers, mobiles or tablets then connect to, and the IP address can therefore not be traced to the computer, mobile phone or tablet but to the router. To be able to indirectly identify a person using a dynamic IP address, it is required that it is supplemented with the time when it was used and that additional information is collected from the visitor's internet provider about who has been assigned the IP address.

In the Tool, the IP address is only used for the purpose of analyzing statistics regarding the visits to a website. For that purpose, a user of the Tool should not possess any legal means according to Swedish law that make it possible to collect the supplementary information required to be able to indirectly identify a natural person.

The IP address collected through the Tool is also anonymized in principle immediately after the collection by the numbers after the last point of the IP address being replaced by 0 (e.g. 192.169.0.100 becomes 192.168.0.0). Such IP anonymization takes place at the earliest possible stage during the collection process and the full IP address is never saved or processed on disk. For more information about anonymization of IP addresses in the Tool, see https://support.google.com/analytics/answer/2763052?hl=en.

Anonymization of the IP address thus means that the user of the Tool never has access to the full IP address and there are then no means that a user of the Tool can reasonably use to indirectly identify a natural person (cf. recital 26 of the GDPR), with the consequence that the risk of identification in practice can be considered negligible.

(iii) Information in _ga cookie

The information that is processed through the use of the _ga cookie consists of a Client ID. The Client ID consists of a random number with a timestamp that is saved in the _ga cookie. This Client ID can be used to see whether a browser has previously connected to the Website. However, Tele2 cannot use the Client ID individually or together with an anonymized IP address to directly or indirectly identify a natural person.

Due to the above, Tele2 believes that it can be called into question whether Tele2 at all processes and transfers personal data to third countries. Taking into account that some uncertainty may be considered to exist in relation to the legal assessment of the aforementioned conditions, for precautionary reasons, Tele2 has chosen to apply the rules in the data protection regulation to the information processed within the framework of the Tool.
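
An added illustration, not part of the IMY decision or of Tele2's submission, of the two mechanisms described in 1.3.3: last-octet masking of the IP address and the Client ID stored in the _ga cookie. It groups constructed sample hits to show whether records that share a masked address remain separable per browser. The cookie layout `GA1.<n>.<random>.<timestamp>`, the function names, the page paths and all sample values are assumptions made for this example.

```python
"""Added illustration: last-octet IP masking and the _ga Client ID.

All hits below are constructed sample data. The cookie layout
GA1.<n>.<random>.<unix timestamp> is an assumption (the commonly
observed Universal Analytics format); the decision only says the
Client ID is a random number with a timestamp.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timezone


def mask_last_octet(ip: str) -> str:
    """Replace the digits after the last dot of an IPv4 address with 0."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    net = ipaddress.IPv4Network((addr, 24), strict=False)
    return str(net.network_address)


def parse_ga_cookie(value: str) -> dict:
    """Split a _ga cookie value into its Client ID parts (assumed layout)."""
    parts = value.split(".")
    well_formed = (
        len(parts) == 4
        and parts[0] == "GA1"
        and all(p.isdigit() for p in parts[1:])
    )
    if not well_formed:
        raise ValueError(f"unexpected _ga layout: {value!r}")
    random_part, first_seen = parts[2], int(parts[3])
    return {
        "client_id": f"{random_part}.{first_seen}",
        "first_seen": datetime.fromtimestamp(first_seen, tz=timezone.utc),
    }


def distinguishable_visitors(hits):
    """Group hits by masked IP, then by Client ID.

    Returns {masked_ip: {client_id: [page, ...]}} so a reviewer can see
    whether records sharing one masked address are still separable.
    """
    grouped = defaultdict(lambda: defaultdict(list))
    for hit in hits:
        cid = parse_ga_cookie(hit["ga"])["client_id"]
        grouped[mask_last_octet(hit["ip"])][cid].append(hit["page"])
    return {ip: dict(by_cid) for ip, by_cid in grouped.items()}


# Constructed sample hits: three browsers behind addresses in one /24
# (192.0.2.0/24 is a documentation range).
SAMPLE_HITS = [
    {"ip": "192.0.2.17", "ga": "GA1.2.1111111111.1597392000", "page": "/"},
    {"ip": "192.0.2.44", "ga": "GA1.2.2222222222.1597395600", "page": "/mobil"},
    {"ip": "192.0.2.17", "ga": "GA1.2.1111111111.1597392000", "page": "/bredband"},
    {"ip": "192.0.2.200", "ga": "GA1.2.3333333333.1597399200", "page": "/"},
    # Same browser on a different dynamic address in the same range.
    {"ip": "192.0.2.91", "ga": "GA1.2.1111111111.1597392000", "page": "/kundservice"},
]

if __name__ == "__main__":
    for ip, by_cid in distinguishable_visitors(SAMPLE_HITS).items():
        print(f"masked IP {ip}: {len(by_cid)} distinct Client IDs")
        for cid, pages in by_cid.items():
            print(f"  {cid}: {pages}")
```

In the sample, all five hits collapse to one masked address, yet the Client ID still separates three browsers and links one browser's page views across two different source addresses.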

1.3.4 Categories of persons affected by the processing

The information concerns visitors to the Website. No special categories of personal data as defined in Article 9.1 of the Data Protection Regulation are processed within the framework of the Tool. Tele2 cannot use the Tool to identify different categories of people visiting the Website. The Website is aimed neither at children nor at any other special category of data subjects, and visitors to the Website do not need to enter any age, or any other personal data that is processed in the Tool.

1.3.5 When the code for the Tool is executed and recipients are provided access

The Tool is activated and cookies are placed in the user's browser after the visitor has given consent to the use of cookies. Anonymization of the IP address occurs at the earliest possible stage during the collection process and the complete IP address is never saved or processed on disk by Google (https://support.google.com/analytics/answer/2763052?hl=en&ref_topic=2919631).

1.3.6 How long the personal data processed is stored

During the time the Tool is used, a storage period of up to 26 months can be set in the Tool. If the agreement for the Tool ceases to apply, Google undertakes according to the personal data processor agreement to delete personal data in the Tool as soon as it is practically possible after the termination of the agreement, but no later than within 180 days.

1.3.7 In which countries the personal data is processed

According to the information Tele2 has received from Google, the visitor's IP address of the data center closest to where the visitor connects from. According to the terms of the agreement with Google, Google can process the data within the framework of the Tool in, inter alia, the USA.


1.3.8 Tele2's relationship with Google LLC

Tele2 considers Google as a personal data processor for the processing that takes place within the framework of the Tool, i.e. Google processes the information in the Tool only on Tele2's behalf. This is also supported by the agreement between Tele2 and Google regarding the Tool and the personal data processor agreement that applies to the Tool.

1.3.9 Ensuring that the processing does not take place for the recipients' own purposes

Pursuant to clause 5.3 of the personal data processing agreement with Google, Google may only process personal data in accordance with Tele2's instructions. Tele2's use of the Tool means that IP addresses are anonymized at the earliest possible stage during the collection process and that the full IP address is never saved or processed on disk by Google. This means that Google cannot process the full IP address for its own or third-party purposes.

                               1.3.10 Description of the company's use of the Tool

                               Tele2 uses the Tool to analyze statistics regarding visits to
                               The website. All statistics and reports generated via the Tool are produced on
                               aggregate level and no action is taken in relation to individual visitors on

                               The website within the framework of the Tool.

                               1.3.11 Own checks on transfers affected by the Schrems II judgment

                               After the Schrems II verdict, Tele2 initiated internal work to review all of them
                               international data transfers in Tele2's operations. This review has also covered
                               The tool.


Tele2 has had an ongoing dialogue with Google, as a result of which the transfer of data to Google in the USA has, since 12 August 2020, been based on standard contractual clauses for data protection adopted by the Commission. Because the EU Court of Justice held in the Schrems II judgment that the legislation to which Google is subject in the US does not correspond to the level of protection found in European data protection legislation, supplementary protective measures are necessary when using the standard contractual clauses for data protection adopted by the Commission.


In the dialogue with Google, Tele2 has therefore discussed which additional protective measures may be taken in relation to the Tool. It has been established that the protective measure used in relation to the Tool is IP anonymization (which has been enabled by Tele2 ever since the Tool was introduced). In addition, Google has ISO 27001 certification for the Tool, and Google also uses different encryption solutions in connection with the Tool and the transfer of data to the United States.


1.3.12 Transfer tool according to Chapter V of the data protection regulation

To the extent that personal data is transferred to the United States, the transfer is based on Article 46.2 c of the data protection regulation (standard contractual clauses for data protection adopted by the Commission). Standard contractual clauses apply to the data transfer in the Tool. The standard contractual clauses are not signed by the parties but are included as part of the personal data processor agreement with Google, by reference to these standard contractual clauses in clause 10.2 of the personal data processor agreement.


1.3.13 Control of obstacles to enforcement in legislation in third countries

The EDPB's recommendation 01/2020 states, among other things, that pseudonymization and anonymization are additional safeguards that may be taken to achieve a level of protection equivalent to that found in Europe and thus enable a transfer of personal data to the United States based on the standard contractual clauses for data protection adopted by the Commission.












Tele2's assessment, based on the additional protective measures used in connection with the Tool, is therefore that the data is adequately protected and that the level of protection then corresponds to that found in European data protection legislation.

Tele2 has checked that the supplementary protective measures taken can be implemented in practice and that there is nothing in third-country legislation that prevents the recipients there from implementing the measures to ensure that the level of data protection for natural persons guaranteed within the EU/EEA is not undermined.


1.3.14 Additional safeguards taken in addition to those taken by Google

Tele2 has enabled IP anonymization for the Tool.


1.4 What Google LLC has stated

IMY has added to the case a statement from Google LLC (Google) of April 9, 2021, which Google submitted to the Austrian supervisory authority. The statement answers questions that IMY and a number of supervisory authorities put to Google in the course of the partly joint handling of similar complaints received by these authorities. Tele2 has been given the opportunity to comment on Google's statement. The following appears from Google's statement about the Tool.


JavaScript code is included on a web page. When a user visits (requests) a web page, the code triggers the download of a JavaScript file. The Tool's tracking operation is then performed, which consists of collecting information related to the request in various ways and sending that information to the Tool's servers.

A website administrator who has integrated the Tool on their website can send instructions to Google for processing the data collected. These instructions are transmitted via the so-called tag manager, which handles the tracking code that the website administrator has integrated into the website, and via the tag manager's settings. Whoever has integrated the Tool can configure various settings, for example regarding storage time. The Tool also makes it possible for whoever has integrated it to monitor and maintain the stability of their website, for example by staying informed about events such as peaks in visitor traffic or a lack of traffic. The Tool also enables a website administrator to measure and optimize the effectiveness of advertising campaigns carried out using other tools from Google.


In this context, the Tool collects the visitor's HTTP requests and information about, among other things, the visitor's browser and operating system. According to Google, an HTTP request for any page contains information about the browser and device making the request, such as domain name, and information about the browser, such as type, referrer and language. The Tool stores and reads cookies in the visitor's browser in order to evaluate the visitor's session and other information about the request. Through these cookies, the Tool can identify unique users (UUID) across browsing sessions, but the Tool cannot identify unique users across different browsers or devices. If a website owner's website has its own authentication system, the website owner can use the ID feature to more accurately identify a user across all the devices and browsers they use to access the website.

When the information is collected, it is transferred to the Tool's servers. All data collected via the Tool is stored in the United States.









Google has introduced, among other things, the following contractual, organizational and technical safeguards to regulate transfers of data within the framework of the Tool.


Google has taken contractual and organizational safeguards, such as the company always conducting a thorough examination of whether a request from government authorities for access to user data can be carried out. These examinations are conducted by lawyers or specially trained staff, who investigate whether such a request is compliant with applicable laws and Google's guidelines. Data subjects are informed of the disclosure, unless this is prohibited by law or would adversely affect an emergency. Google has also published a policy on the company's website on how such requests from government authorities for access to user data are to be handled.

Google has taken technical protective measures such as protecting personal data from interception when data is transferred in the Tool. By default, HTTP Strict Transport Security (HSTS) is used, which instructs browsers to use an encryption protocol, such as HTTP over SSL (HTTPS), for all communications between end users, websites and the Tool's servers. Such encryption prevents intruders from passively listening to communications between websites and users.

Google also uses encryption to protect personal data "at rest" in data centers, where user data is stored on disk or backup media, in order to prevent unauthorized access to the data.


In addition to the above measures, website owners can use IP anonymization by using the settings provided by the Tool to limit Google's use of personal data. Above all, such settings include enabling IP anonymization in the code for the Tool, which means that IP addresses are truncated and which contributes to data minimization. If the IP anonymization service is fully used, the IP address is anonymized almost immediately after the request has been received.


Google also restricts access to the data from the Tool through authorization controls and by having all personnel undergo information security training.


2 Justification of the decision

2.1 The framework for the review

Based on the complaint in the case, IMY has only examined whether Tele2 transfers personal data to the third country USA within the framework of Tele2's use of the Tool and whether Tele2 has legal support for this in Chapter V of the data protection regulation. The supervision does not cover whether Tele2's processing of personal data is otherwise compatible with the data protection regulation.

2.2 This concerns the processing of personal data

2.2.1 Applicable regulations, etc.

For the data protection regulation to be applicable, personal data must be processed.

According to Article 1.2, the data protection regulation aims to protect the fundamental rights and freedoms of natural persons, in particular their right to the protection of personal data.










According to Article 4.1 of the regulation, personal data is "any information relating to an identified or identifiable natural person (hereinafter referred to as a data subject), whereby an identifiable natural person is a person who can be directly or indirectly identified, in particular by reference to an identifier such as a name, an identification number, location data or online identifiers, or to one or more factors that are specific to the natural person's physical, physiological, genetic, psychological, economic, cultural or social identity". To determine whether a natural person is identifiable, one should consider all the means that may reasonably be used, either by the personal data controller or by another person, to directly or indirectly identify the natural person (recital 26 of the data protection regulation).


The term personal data can include all information, both objective and subjective, provided that it "relates" to a specific person, which it does if, by reason of its content, purpose or effect, it is linked to that person.4


The word "indirectly" in Article 4.1 of the data protection regulation indicates that the information need not in itself make it possible to identify the data subject in order to be personal data. Recital 26 of the data protection regulation also states that, to determine whether a natural person is identifiable, account should be taken of all means, such as "thinning" ("singling out" in the English language version), that may reasonably be used, either by the personal data controller or by another person, to directly or indirectly identify the natural person. To determine whether means are reasonably likely to be used to identify the natural person, all objective factors, such as the costs of and the time required for identification, should be considered, taking into account the technology available at the time of processing. It is clear from Article 4.5 of the regulation that pseudonymization means the processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without the use of supplementary information, provided that this supplementary information is kept separately and is subject to technical and organizational measures that ensure that the personal data is not attributed to an identified or identifiable natural person.


So-called "web identifiers" (sometimes referred to as "online identifiers"), e.g. IP addresses or information stored in cookies, can be used to identify a user, especially when combined with other similar types of information. According to recital 30 of the data protection regulation, natural persons can be linked to online identifiers provided by their equipment, e.g. IP addresses, cookies or other identifiers. This can leave traces that, especially in combination with unique identifiers and other data collected, can be used to create profiles of natural persons and identify them.


In the Breyer judgment, the European Court of Justice determined that a person is not considered identifiable through certain information if the risk of identification is in practice negligible, which it is if identification of the relevant person is prohibited by law or impossible to carry out in practice.6 However, in the M.I.C.M. judgment from 2021 and in the Breyer judgment, the European Court of Justice held that dynamic IP addresses constitute personal data in relation to the person who processes them, when that person also has a legal means of identifying the holders of the internet connections using the additional information that third parties have at their disposal.7

4 CJEU judgment Nowak, C-434/16, EU:C:2017:994, paragraphs 34–35.
5 CJEU judgment Breyer, C-582/14, EU:C:2016:779, paragraph 41.
6 CJEU judgment Breyer, C-582/14, EU:C:2016:779, paragraphs 45–46.


2.2.2 The Privacy Protection Authority's assessment

To determine whether the information processed through the Tool constitutes personal data, IMY must take a position on whether Google or Tele2, through the implementation of the Tool, can identify individuals, e.g. the complainant, when they visit the Website, or whether the risk of this is negligible.8

IMY considers the data processed to be personal data for the following reasons.


The investigation shows that Tele2 implemented the Tool by inserting JavaScript code (a tag), specified by Google, into the source code of the Website. While the page is loading in the visitor's browser, the JavaScript code is loaded from Google LLC's servers and run locally in the visitor's browser. At the same time, a cookie is set in the visitor's browser and saved on the computer. The cookie contains a text file that collects information about the visitor's activity on the Website. Among other things, a unique identifier is set in the value of the cookie, and this unique identifier is generated and managed by Google.


When the complainant visited the Website, or a sub-page of the Website, the following information was transmitted via JavaScript code from the complainant's browser to Google LLC's servers:

1. Unique identifier(s) that identified the browser or device used to visit the Website, as well as a unique identifier that identifies Tele2 (i.e. Tele2's account ID for Google Analytics).
2. Web address (URL) and HTML title of the website and web page that the complainant visited.
3. Information about browser, operating system, screen resolution, language setting, and date and time of access to the Website.
4. The complainant's IP address.


During the complainant's visit, the identifiers (according to point 1 above) were placed in cookies with the names "_gads", "_ga" and "_gid" and subsequently transferred to Google LLC. These identifiers were created with the aim of being able to distinguish individual visitors, such as the complainant. The unique identifiers thus make the visitors to the Website identifiable. Even if such unique identifiers (according to point 1 above) were not in themselves considered to make individuals identifiable, it must be taken into account that in the present case these unique identifiers can be combined with additional elements (according to points 2–4 above) and that it is possible to draw conclusions in relation to the information (according to points 2–4 above), which means that the information constitutes personal data, regardless of whether the IP address is not transferred in its entirety.


If the information is combined (according to points 1–4 above), individual visitors to the Website become even more distinguishable. It is thus possible to identify individual visitors to the Website. That in itself is enough for the information to be considered personal data. Knowledge of the actual visitor's name or physical address is not required, because the differentiation (through the word "thinning" in recital 26 of the data protection regulation, "singling out" in the English version) is in itself sufficient to make the visitor indirectly identifiable. Nor is it required that Google or Tele2 have the purpose of identifying the complainant; the possibility of doing so is in itself sufficient to determine whether it is possible to identify a visitor. Objective means that can reasonably be used, either by the personal data controller or by someone else, are all means that can reasonably be used for the purpose of identifying the complainant. Examples of objective means that can reasonably be used are access to additional information held by a third party that would make it possible to identify the complainant, taking into account both the technology available at the time of identification and the cost (the time required) of the identification.

7 CJEU judgment M.I.C.M, C-597/19, EU:C:2021:492, paragraphs 102–104 and judgment Breyer, C-582/14, EU:C:2016:779, paragraph 49.
8 See the Court of Appeal in Gothenburg's judgment of 11 November 2021 in case no. 2232-21, concurring with the lower instance's assessment.


IMY notes that the European Court of Justice, in the M.I.C.M. judgment and the Breyer judgment, stated that dynamic IP addresses constitute personal data in relation to the person who processes them, when that person also has a legal means of identifying the holders of the internet connections using the additional information that third parties have at their disposal. IP addresses do not lose their character as personal data solely because the means of identification are held by third parties. The Breyer judgment and the M.I.C.M. judgment should be interpreted on the basis of what is actually stated in the judgments, i.e. that if there is a legal possibility of gaining access to supplementary information for the purpose of identifying the complainant, it is objectively clear that there is a "means which can reasonably be used" to identify the complainant. According to IMY, the judgments should not be read conversely, as meaning that a legally regulated possibility of gaining access to data that can link IP addresses to natural persons must be demonstrated for the IP addresses to be considered personal data. An interpretation of the concept of personal data under which a legal possibility of linking such data to a natural person must always be demonstrated would, according to IMY, mean a significant limitation of the regulation's scope of protection and open up possibilities for circumventing the protection in the regulation. Such an interpretation would, among other things, be contrary to the purpose of the regulation according to Article 1.2 of the data protection regulation. The Breyer judgment was decided under the previously applicable Directive 95/46, and the concept of "singling out" according to recital 26 of the current regulation (that knowledge of the actual visitor's name or physical address is not required, because the distinction itself is sufficient to make the visitor identifiable) was not specified in the previously applicable directive as a method for identifying personal data.


In this context, there is also other information (according to points 1–3 above) with which the IP address can be combined to enable identification. Google's measure of truncating an IP address means that it is still possible to distinguish the IP address, as it can be combined with other data transferred to a third country (the USA). This enables identification, which in itself is sufficient for the data together to constitute personal data.
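The effect IMY describes in 2.2.2 and in footnote 10 (a truncated IP address stays distinguishable once it is combined with the other transmitted fields) can be measured as anonymity-set sizes. The Python sketch below is an added example, not part of the decision and not Google's code; the visitors, cookie values, browser strings and paths are constructed, and the addresses come from documentation ranges.

```python
import ipaddress
from collections import defaultdict


def truncate_ipv4(addr):
    """Zero the last octet of an IPv4 address (the truncation described in footnote 10)."""
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(addr)) & 0xFFFFFF00))


# Constructed visitors: (IP, cookie identifier, browser/OS, screen, language).
# The dictionary key is ground truth used only for scoring; it is never "transmitted".
VISITORS = {
    "A": ("198.51.100.17", "GA1.2.1000000001.1600000000", "Firefox/Windows", "1920x1080", "sv-SE"),
    "B": ("198.51.100.52", "GA1.2.1000000002.1600000000", "Chrome/Windows", "1920x1080", "sv-SE"),
    "C": ("198.51.100.77", "GA1.2.1000000003.1600000000", "Chrome/Windows", "1920x1080", "sv-SE"),
    "D": ("198.51.100.201", "GA1.2.1000000004.1600000000", "Safari/macOS", "2560x1440", "en-GB"),
    "E": ("203.0.113.5", "GA1.2.1000000005.1600000000", "Chrome/Android", "412x915", "sv-SE"),
    "F": ("203.0.113.99", "GA1.2.1000000006.1600000000", "Chrome/Android", "412x915", "de-AT"),
}
PAGES = ["/", "/example-subpage"]  # constructed paths, two page views per visitor


def build_hits():
    """One record per page view, carrying the fields listed in points 1-4."""
    hits = []
    for visitor, (ip, cid, ua, screen, lang) in VISITORS.items():
        for n, path in enumerate(PAGES):
            hits.append({
                "visitor": visitor, "ip": ip, "client_id": cid,
                "user_agent": ua, "screen": screen, "language": lang,
                "url": path, "ts": f"2020-08-14T10:0{n}:00Z",
            })
    return hits


def as_transmitted(hit):
    """Apply IP truncation only; every other field is left exactly as collected."""
    out = dict(hit)
    out["ip"] = truncate_ipv4(hit["ip"])
    return out


def anonymity_sets(hits, keys):
    """Map each combination of the chosen fields to the set of visitors sharing it."""
    sets = defaultdict(set)
    for h in hits:
        sets[tuple(h[k] for k in keys)].add(h["visitor"])
    return dict(sets)


def singled_out(hits, keys):
    """Visitors whose combination of the chosen fields is shared with nobody else."""
    unique = set()
    for members in anonymity_sets(hits, keys).values():
        if len(members) == 1:
            unique |= members
    return sorted(unique)


def pages_by_client(hits):
    """Group visited URLs by cookie identifier, in time order (a per-browser profile)."""
    profile = defaultdict(list)
    for h in sorted(hits, key=lambda h: h["ts"]):
        profile[h["client_id"]].append(h["url"])
    return dict(profile)


if __name__ == "__main__":
    raw = build_hits()
    sent = [as_transmitted(h) for h in raw]
    for label, data, keys in [
        ("full IP", raw, ["ip"]),
        ("truncated IP only", sent, ["ip"]),
        ("truncated IP + point 3 fields", sent, ["ip", "user_agent", "screen", "language"]),
        ("cookie identifier (point 1)", sent, ["client_id"]),
    ]:
        print(f"{label:32} singled out: {singled_out(data, keys)}")
```
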


In addition, several other supervisory authorities within the EU/EEA have decided that a transfer of personal data to third countries has occurred when using the Tool because it has been possible to combine IP addresses with other data (according to points 1–3 above), thereby enabling differentiation of data and identification of the IP address, which in itself is sufficient to determine that personal data is being processed.11

9 CJEU judgment M.I.C.M, C-597/19, EU:C:2021:492, paragraphs 102–104 and judgment Breyer, C-582/14, EU:C:2016:779, paragraph 49.
10 IP address truncation means that asterisks or zeros replace the digits in the last octet (the last digits of an IP address, a number between 0 and 255), which itself can only be one of 256 options. The effect of this measure is that it is still possible to distinguish the IP address from the other IP addresses (255 options), because the IP address can be linked with other data transferred to the third country (e.g. information about device and time of visit).


IMY notes that there may also be reasons to compare IP addresses with pseudonymized personal data. According to Article 4.5 of the data protection regulation, pseudonymization of personal data means that the data, like dynamic IP addresses, cannot be directly attributed to a specific data subject without the use of supplementary data. According to recital 26 of the data protection regulation, such data should be considered information about an identifiable natural person.


According to IMY, a narrower interpretation of the concept of personal data would undermine the scope of the right to the protection of personal data, which is guaranteed in Article 8 of the Charter of Fundamental Rights of the European Union, because it would make it possible for personal data controllers to specifically single out individuals together with personal data (e.g. when they visit a certain website) while individuals are denied the right to protection against the dissemination of such information about them. Such an interpretation would undermine the level of protection for individuals and would not be compatible with the wide scope given to the data protection rules in the case law of the EU Court of Justice.12


Because the complainant was logged in to his Google account at the time of the visit to the Website, Tele2 has also processed information from which conclusions could be drawn about the individual on the basis of their registration with Google. It appears from Google's statement that implementation of the Tool on a website makes it possible to obtain information that a user of a Google account (i.e. a data subject) has visited the website in question. Google does state that certain conditions must be met for Google to be able to receive such information, e.g. that the user (the complainant) has not deactivated the processing and display of personalized advertisements. Because the complainant was logged in to their Google account when visiting the Website, Google may therefore still have had the opportunity to receive information about the logged-in user's visit to the Website. The fact that it does not appear from the complaint that any personalized ads have been shown does not mean that Google cannot obtain information about the logged-in user's visit to the Website.


Against the background of the unique identifiers that can identify the browser or the device, the possibility of deriving the individual through his Google account, the dynamic IP addresses and the possibility of combining these with additional information, IMY finds that Tele2's use of the Tool on a web page involves the processing of personal data.


                               2.3 Tele2 is the personal data controller for the processing


                                A personal data controller is, among other things, a legal person who alone or
                                together with others determines the purposes and means of the processing of
                                personal data (Article 4.7 of the Data Protection Regulation). A processor is, among
                                other things, a legal person that processes personal data on
                                behalf of the personal data controller (Article 4.8 of the Data Protection Regulation).





                                11 Austrian supervisory authority (Datenschutzbehörde) decision of 22 April 2022 regarding the Google
                                Analytics complaint represented by NOYB, local case number 1354838270; French supervisory authority (CNIL)
                                decision of February 10, 2022 represented by NOYB; and Italian supervisory authority (Garante) decision of
                                June 9, 2022 regarding the Google Analytics complaint represented by NOYB, local case number 9782890.
                                12 See, for example, the judgment of the European Court of Justice Latvijas Republikas Saeima (Points de pénalité),
                                C-439/19, EU:C:2021:504, paragraph 61, judgment Nowak, C-434/16, EU:C:2017:994, paragraph 33 and judgment
                                Rijkeboer, C-553/07, EU:C:2009:293, paragraph 59.









                                Tele2's answers show that the company made the decision to implement
                                the Tool on the Website. Furthermore, it appears that Tele2's purpose was to enable the company
                                to analyze how the Website is used, in particular to follow
                                the use of the Website over time.


                                IMY finds that Tele2, by deciding to implement the Tool on the Website for
                                said purpose, has determined the purposes and means of the collection and
                                the subsequent transfer of this personal data. Tele2 is therefore the
                                personal data controller for this processing.


                                2.4 Transfer of personal data to third countries


                                The investigation shows that the data collected via the Tool is stored by Google
                                LLC in the United States. Thus, the personal data collected via the Tool is transferred to the United States.


                                The question is therefore whether Tele2's transfer of personal data to the USA is compatible with
                                Article 44 of the Data Protection Regulation and has legal support in Chapter V.


                                2.4.1 Applicable regulations, etc.
                                According to Article 44 of the Data Protection Regulation, which has the title "General principle for
                                transfer of data", the transfer of personal data that is undergoing
                                processing or is intended to be processed after it has been transferred to a third country,
                                i.e. a country outside the EU/EEA, may only take place on condition that the
                                personal data controller and the processor, subject to the other
                                provisions of the Data Protection Regulation, meet the conditions in Chapter V. All
                                provisions of said chapter shall be applied to ensure that the level of protection
                                of natural persons ensured by the Data Protection Regulation is not undermined.


                                Chapter V of the Data Protection Regulation contains tools that can be used for transfers
                                to third countries to ensure a level of protection essentially equivalent to that which
                                is guaranteed within the EU/EEA. These include, for example, a transfer supported by a decision on
                                an adequate level of protection (Article 45) and a transfer covered by appropriate
                                protective measures (Article 46). There are also exceptions for special situations (Article 49).


                                In the judgment Schrems II, the Court of Justice of the European Union annulled the decision on an
                                adequate level of protection that previously applied to the United States. Because there has been
                                no decision on an adequate level of protection since July 2020, transfers to the US may not be
                                based on Article 45.

                                Article 46.1 provides, among other things, that in the absence of a decision in accordance with Article
                                45.3, a personal data controller or a processor may only transfer
                                personal data to a third country after taking appropriate safeguards, and on
                                condition that statutory rights of data subjects and effective remedies for
                                data subjects are available. Article 46.2 c stipulates that such appropriate
                                safeguards may take the form of standardized data protection clauses adopted
                                by the Commission in accordance with the review procedure referred to in Article 93(2).


                                In the judgment Schrems II, the European Court of Justice did not reject standard contract clauses as a
                                transfer tool. However, the court found that they are not binding on
                                the authorities of the third country. The Court of Justice of the European Union stated that “[even] if
                                there are thus situations where the recipient of such a transfer, depending on the legal situation and
                                current practice in the third country concerned, can guarantee the necessary protection of
                                data solely with the support of the standardized data protection clauses, there are
                                other situations in which the provisions of these clauses cannot be a
                                sufficient means of ensuring, in practice, effective protection of the personal data
                                transferred to the third country concerned.” According to the European Court of Justice, this is “among
                                other things the case when the legislation of the third country allows the authorities of that third
                                country to interfere with the rights of the data subjects regarding these data.” 14


                                13 Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 in accordance with Directive 95/46/EC of
                                the European Parliament and of the Council on whether adequate protection is ensured by the Privacy Shield
                                between the European Union and the United States, and the judgment of the European Court of Justice Facebook
                                Ireland and Schrems (Schrems II), C-311/18, EU:C:2020:559.


                                The reason why the European Court of Justice annulled the decision on an adequate level of protection
                                with the US was how the US intelligence agencies can access
                                personal data. According to the court, the conclusion of standard contract clauses cannot in itself
                                ensure the level of protection required by Article 44 of the Data Protection Regulation,
                                as the guarantees stated therein do not apply when such authorities request
                                access. The European Court of Justice therefore stated the following:


                                     “It thus appears that the standardized data protection clauses which
                                     the Commission adopted with the support of Article 46.2 c of the same regulation only aim to
                                     provide the personal data controllers or their processors established
                                     in the Union with contractual safeguards that are applied uniformly in all
                                     third countries and thus independently of the level of protection ensured in each of
                                     these countries. Because these standardized data protection clauses, with regard
                                     to their nature, cannot lead to protective measures that go beyond a contractual obligation
                                     to ensure that the level of protection required under Union law is observed, it may be
                                     necessary, depending on the situation prevailing in a particular third country, for the
                                     personal data controller to take additional measures to ensure that the level of protection
                                     is observed.” 15


                                The European Data Protection Board's (EDPB) recommendations on the consequences of
                                the judgment 16 clarify that if the assessment of legislation and practice in the third country means
                                that the protection that the transfer tool is supposed to guarantee cannot be maintained in practice,
                                the exporter must, within the framework of its transfer, as a rule either cancel
                                the transfer or take appropriate additional protective measures. The EDPB thereby notes
                                that “further measures can only be considered effective in the sense referred to in the EU
                                court's judgment "Schrems II" if and to the extent that they - alone or in combination -
                                address the specific deficiencies identified during the assessment of the situation in
                                the third country in terms of its laws and practices applicable to the transfer”. 17


                                 It appears from the EDPB's recommendations that such additional protective measures can
                                 fall into three categories: contractual, organizational and technical. 18


                                Regarding contractual measures, the EDPB states that such measures “[...] can
                                supplement and reinforce the safeguards that the transfer tool and relevant
                                legislation in the third country provide [...]. Considering that the contractual
                                measures are of such a nature that they cannot generally bind the authorities in
                                the third country because they are not parties to the agreement, these measures may often need to be
                                combined with other technical and organizational measures to provide the
                                level of data protection required [...]”. 19


                                14 Paragraphs 125-126.
                                15 Paragraph 133.
                                16 EDPB, Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU
                                level of protection of personal data, Version 2.0, adopted on 18 June 2021 (hereinafter "EDPB's Recommendations
                                01/2020").
                                17 EDPB's Recommendations 01/2020, point 75; IMY's translation.
                                18 EDPB's Recommendations 01/2020, point 52.


                                Regarding organizational measures, the EDPB emphasizes that “[c]hoosing and implementing one
                                or more of these measures will not necessarily and systematically
                                ensure that [a] transfer meets the basic equivalence standard which is
                                required by EU legislation. Depending on the particular circumstances surrounding
                                the transfer and the assessment made of the law of the third country,
                                organizational measures are required to supplement contractual and/or technical measures
                                to ensure a level of protection for personal data that is substantially equivalent to that
                                which is guaranteed within the EU/EEA”. 20


                                Regarding technical measures, the EDPB points out that “these measures will in particular
                                be necessary when the legislation of that country imposes obligations on the importer which
                                contravene the guarantees in the transfer tools of Article 46 of the Data Protection Regulation and
                                which in particular may infringe upon the contractual guarantee of an essentially
                                equivalent protection against the authorities of the third country gaining access to these
                                data”. 21 The EDPB thereby states that “the measures specified [in the Recommendations]
                                are intended to ensure that access to the transferred data by public
                                authorities in third countries does not interfere with the effectiveness of the appropriate
                                safeguards in the transfer tools of Article 46 of the Data Protection Regulation. These
                                measures would be necessary to guarantee a level of protection substantially equivalent
                                to that guaranteed within the EU/EEA, even if the public
                                authorities' access is consistent with the legislation of the importer's country, where such
                                access in practice goes beyond what is necessary and proportionate in a
                                democratic society. The purpose of these measures is to prevent potentially unauthorized
                                access by preventing the authorities from identifying the data subjects, drawing
                                conclusions about them, singling them out in another context or connecting the transferred
                                data to other data sets which, among other things, may contain network identifiers
                                provided by the devices, applications, tools and protocols used by
                                data subjects in other contexts”. 22


                                2.4.2 The Privacy Protection Authority's assessment


                                2.4.2.1 Applicable Transfer Tool

                                The investigation shows that Tele2 and Google have entered into standardized
                                data protection clauses (standard contract clauses) in the sense referred to in Article
                                46 for the transfer of personal data to the United States. These clauses are in line with those
                                published by the European Commission in decision 2021/914 of June 4, 2021 and are
                                thus a transfer tool according to Chapter V of the Data Protection Regulation.

                                2.4.2.2 The legislation and the situation in the third country

                                As can be seen from the judgment Schrems II, the use of standard contract clauses may require
                                additional protective measures as a complement. Therefore, an analysis of
                                the legislation in the relevant third country is made.


                                IMY believes that the analysis that the EU Court has already done in the judgment Schrems II, which
                                relates to similar conditions, is relevant and current, and that it can therefore be used as the
                                basis for the assessment in the case without any further analysis of the legal
                                situation in the United States needing to be done.


                                19 EDPB's Recommendations 01/2020, point 99; IMY's translation.
                                20 EDPB's Recommendations 01/2020, point 128; IMY's translation.
                                21 EDPB's Recommendations 01/2020, point 77; IMY's translation.
                                22 EDPB's Recommendations 01/2020, point 79; IMY's translation.


                                Google LLC, as the importer of the data to the United States, shall be classified as a
                                provider of electronic communications services within the meaning of 50 US
                                Code § 1881 (b)(4). Google is therefore subject to surveillance by American
                                intelligence services in accordance with 50 US § 1881a (“702 FISA”) and is thus obliged
                                to provide the US government with personal data when 702 FISA is used.


                                The European Court of Justice found in the judgment Schrems II that the American
                                surveillance programs based on 702 FISA, Executive Order 12333
                                (hereinafter “E.O. 12333”) and Presidential Policy Directive 28 (hereinafter “PPD-28”) in
                                American legislation do not correspond to the minimum requirements that apply in EU law
                                according to the principle of proportionality. This means that the surveillance programs based
                                on these provisions cannot be considered to be limited to what is strictly
                                necessary. The court also found that the surveillance programs do not give
                                data subjects rights enforceable against US authorities in
                                court, which means that these people do not have the right to an effective remedy.


                                Against this background, IMY notes that the use of the EU Commission's
                                standard contract clauses is not in itself sufficient to achieve an acceptable level of protection
                                for the transferred personal data.


                                2.4.2.3 Additional safeguards implemented by Google and Tele2

                                The next question is whether Tele2 has taken sufficient additional protective measures.

                                As the personal data controller and exporter of the personal data, Tele2 is obliged to
                                ensure that the rules of the Data Protection Regulation are complied with. This responsibility
                                includes, among other things, assessing in each individual case of transfer of personal data to
                                third countries which additional safeguards are to be used and to what extent, including
                                evaluating whether the measures taken by the recipient (Google) and the exporter (Tele2)
                                taken together are sufficient to achieve an acceptable level of protection.


                                2.4.2.3.1 Google's additional safeguards
                                Google LLC, as an importer of personal data, has taken contractual,
                                organizational and technical measures to complement the standard contract clauses.
                                In a statement on April 9, 2021, Google described the measures that the company has taken.


                                The question is whether the additional protective measures taken by Tele2 and Google LLC are
                                effective, in other words, whether they hinder US intelligence services' ability to obtain
                                access to the transferred personal data.

                                As regards the legal and organizational measures, it can be stated that neither
                                information to users of the Tool (such as Tele2) 24, the publication of a
                                transparency report nor a publicly available “Government Request Handling Policy”
                                impedes or reduces the ability of US intelligence agencies to obtain
                                access to the personal data. Furthermore, it is not described what it means that
                                Google LLC makes a "careful review of each request" from US intelligence services
                                as to its "legality". IMY notes that this does not affect the legality of
                                such requests because, according to the European Court of Justice, they are not compatible with
                                the requirements of EU data protection rules.


                                23 Paragraphs 184 and 192. Paragraph 259 et seq.
                                24 Regardless of whether such notification would even be permitted under US law.


                                As regards the technical measures taken, it can be stated that neither
                                Google LLC nor Tele2 has clarified how the described measures (such as protection of
                                communication between Google services, protection of data during transfer between
                                data centers, protection of communications between users and websites or “physical
                                security”) hinder or reduce the ability of US intelligence agencies to
                                gain access to the data with the support of the American regulatory framework.


                                Regarding the encryption technology used (for example for so-called "data at rest"
                                in data centers, which Google LLC mentions as a technical measure), Google
                                LLC as an importer of personal data nevertheless has an obligation to grant access to or
                                hand over imported personal data that is in Google LLC's possession, including
                                any encryption keys required to make the data intelligible. Thus
                                such a technical measure cannot be considered effective as long as Google LLC has the
                                possibility to access the personal data in plain text.


                                Regarding Google LLC's statement that "to the extent information for measurement in
                                Google Analytics transmitted by website owners constitutes personal data, it may be
                                considered to be pseudonymized", it can be stated that universally unique identifiers
                                (UUID) are not covered by the concept of pseudonymisation in Article 4.5 of the
                                Data Protection Regulation. Pseudonymization can be a privacy-enhancing technique,
                                but the unique identifiers, as described above, have the specific purpose of distinguishing
                                users and not of acting as protection. In addition, individuals are made identifiable through
                                what is stated above about the possibility of combining unique identifiers and other
                                data (e.g. metadata from browsers or devices and the IP address) and
                                the ability to link such information to a Google account for logged-in users.


                                Regarding Google's measure "anonymization of IP addresses" in the form of truncation 26,
                                it is not clear from Google's response whether this measure takes place before the transfer, or whether
                                the entire IP address is transferred to the USA and shortened only after the transfer to the USA.
                                From a technical point of view, it has thus not been shown that there is no potential access to the
                                whole IP address before the last octet is truncated.


                                Against this background, IMY notes that the additional protective measures taken
                                by Google are not effective, because they do not prevent American
                                intelligence services from accessing the personal data or render such
                                access ineffective.


                                2.4.2.3.2 Tele2's own additional protective measures

                                Tele2 has stated that the company has taken additional protective measures in addition to the measures
                                that Google has taken. According to Tele2, these consist of activating the function for
                                truncation 27 of the last octet of the IP address before the data is transmitted to Google, which
                                means that the last octet is masked.


                                As stated above regarding Google's measures, it is not clear from Google's response whether
                                this measure occurs before the transfer or whether the entire IP address is transferred to the
                                United States and truncated only after the transfer to the United States. From a technical point
                                of view, it has thus not been shown that after the transfer there is no potential access to the
                                entire IP address before the last octet is truncated.


                                25 See EDPB's Recommendations 01/2020, point 81.
                                26 IP address truncation means that asterisks or zeros replace other digits in the last octet (the last digits
                                of an IP address, a number between 0 and 255).
                                27 IP address truncation means that asterisks or zeros replace other digits in the last octet (the last digits
                                of an IP address, a number between 0 and 255).


                                Even if the truncation were to take place before the transfer, it is not a sufficient
                                measure, as the truncated IP address can be combined with other
                                data, as IMY stated above in section 2.2.2. Truncation of an IP address
                                means that only the last octet is masked, which itself can only be one of 256
                                options (i.e. in the range 0-255), and because the truncated IP address can still be
                                distinguished from other IP addresses, this information can be combined with other
                                information (as above in section 2.2.2) and enable identification, which in itself is
                                sufficient to determine that the data together constitute personal data. Although
                                the masking of the last octet constitutes a privacy-enhancing measure, as it limits
                                the extent of the data that authorities (in third countries) can access,
                                IMY notes that it is still possible to link the transferred data to other data
                                which is also transferred to Google LLC (in third countries).
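
The two technical points made about truncation above (where it happens, and why a masked last octet still leaves visits linkable) can be reproduced on a few records. This is an added example, not part of the IMY decision and not Google's or Tele2's code; the field names, the `cid-...` identifiers and all addresses (documentation ranges) are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed sample hits (not real data). "visitor" is ground truth used only
# to score the result; it is never part of what is transmitted.
HITS = [
    {"visitor": "A", "ip": "198.51.100.23",  "client_id": "cid-1111", "ua": "Firefox/115", "page": "/plans"},
    {"visitor": "A", "ip": "198.51.100.77",  "client_id": "cid-1111", "ua": "Firefox/115", "page": "/checkout"},
    {"visitor": "A", "ip": "203.0.113.9",    "client_id": "cid-1111", "ua": "Firefox/115", "page": "/support"},
    {"visitor": "B", "ip": "198.51.100.140", "client_id": "cid-2222", "ua": "Firefox/115", "page": "/plans"},
    {"visitor": "C", "ip": "198.51.100.201", "client_id": "cid-3333", "ua": "Chrome/114",  "page": "/plans"},
]


def truncate_ipv4(ip):
    """Mask the last octet: 198.51.100.23 -> 198.51.100.0."""
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(ip)) & 0xFFFFFF00))


def candidates(truncated_ip):
    """How many full addresses share one truncated value (the 0-255 range)."""
    return ipaddress.IPv4Network(truncated_ip + "/24").num_addresses


def received_by_importer(hit, truncate_before_transfer):
    """Payload as it arrives at the recipient, without the ground-truth label.
    If truncation only happens after transfer, the full address has arrived."""
    payload = {k: v for k, v in hit.items() if k != "visitor"}
    if truncate_before_transfer:
        payload["ip"] = truncate_ipv4(payload["ip"])
    return payload


def visitors_per_key(hits, fields, truncate_before_transfer=True):
    """Group received payloads by the chosen fields and report which real
    visitors fall into each group. A group holding one visitor singles them out."""
    groups = defaultdict(set)
    for hit in hits:
        payload = received_by_importer(hit, truncate_before_transfer)
        groups[tuple(payload[f] for f in fields)].add(hit["visitor"])
    return dict(groups)


def profiles_by_client_id(hits):
    """Link truncated payloads that carry the same persistent identifier."""
    profiles = defaultdict(list)
    for hit in hits:
        payload = received_by_importer(hit, True)
        profiles[payload["client_id"]].append((payload["ip"], payload["page"]))
    return dict(profiles)


if __name__ == "__main__":
    print("addresses behind one truncated value:", candidates("198.51.100.0"))
    for fields in (("ip",), ("ip", "ua"), ("ip", "client_id")):
        print(fields, visitors_per_key(HITS, fields))
    print("profiles:", profiles_by_client_id(HITS))
```

A data-minimisation review can run the same grouping over a sample of the payloads actually sent: any combination of transmitted fields that yields single-visitor groups still distinguishes individuals, whatever is done to the last octet.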

                                Against this background, IMY notes that the additional measures
                                taken by Tele2, in addition to the additional measures taken by Google, are not sufficiently
                                effective either in preventing US intelligence agencies from accessing
                                the personal data or rendering such access ineffective.


                                2.4.2.3.3 The Privacy Protection Authority's conclusion
                                IMY finds that Tele2's and Google's measures are neither individually nor collectively
                                effective enough to prevent US intelligence agencies from obtaining
                                access to the personal data or to render such access ineffective.

                                Against this background, IMY finds that neither standard contract clauses nor the other
                                measures invoked by Tele2 can provide such support for the transfer as specified in Chapter
                                V of the Data Protection Regulation.


                                With this transfer of data, Tele2 therefore undermines the level of protection for
                                personal data of data subjects guaranteed in Article 44 of the Data Protection Regulation.

                                IMY therefore notes that Tele2 Sverige AB violated Article 44 of
                                the Data Protection Regulation in any case during the period from 14 August 2020 up to and
                                including May 2023.


                                3 Choice of intervention


                                3.1 Legal regulation

                                In the event of violations of the data protection regulation, IMY has a number of corrective
                                powers available under Article 58.2 a–j of the data protection regulation, including
                                reprimands, injunctions and penalty fees.


                                IMY shall impose penalty fees in addition to or in lieu of other corrective measures
                                as referred to in Article 58(2), depending on the circumstances of each individual case.

                                Each supervisory authority must ensure that the imposition of administrative
                                penalty fees in each individual case is effective, proportionate and dissuasive. This is
                                stated in Article 83.1 of the Data Protection Regulation.










                                Article 83.2 of the data protection regulation sets out the factors that must be considered
                                in order to decide whether an administrative penalty fee should be imposed, and also when
                                determining the amount of the penalty fee. In the case of a minor
                                breach, IMY may, as set out in recital 148, issue a reprimand under Article 58.2 b of the
                                regulation instead of imposing a penalty fee. In the assessment, aggravating and
                                mitigating circumstances in the case shall be taken into account, such as
                                the nature, severity and duration of the breach and previous breaches of
                                relevance.


                                The EDPB has adopted guidelines on the calculation of administrative penalty fees under
                                the data protection regulation, which aim to create a harmonized method and principles
                                for the calculation of penalty fees.28

                                3.2 Should a penalty fee be imposed?


                                IMY has found above that the transfers of personal data to the USA that take place via
                                the Google Analytics tool, and for which Tele2 is responsible, constitute violations of
                                Article 44 of the data protection regulation. Violations of that provision can, according
                                to Article 83, incur penalty fees.


                                In light of, among other things, the fact that Tele2 transferred a large amount of personal
                                data, that the processing has been going on for a long time and that the transfer meant that
                                the personal data could not be guaranteed the level of protection provided in the EU/EEA,
                                this is not a minor infringement. Tele2 must therefore be charged a penalty fee for
                                the established violation.

                                3.2.1 At what amount should the penalty fee be determined?

                                When determining the maximum amount of a penalty fee to be imposed on a company,
                                the definition of the concept of company shall be the one used by the EU Court of Justice
                                when applying Articles 101 and 102 of the TFEU (see recital 150 of the
                                data protection regulation). It appears from the court's case law that this includes every
                                entity that carries out economic activities, regardless of the legal form of the entity and
                                the way it is financed, and even if the entity in the legal sense consists of several
                                natural or legal persons.29


                                According to Article 83.5 c of the data protection regulation, a violation of, among other
                                things, Article 44 can, in accordance with Article 83.2, be subject to administrative penalty
                                fees of up to EUR 20 million or, in the case of a company, of up to 4% of the total global
                                annual turnover during the previous budget year, whichever value is higher.


                                IMY assesses that the company turnover to be used as the basis for calculating
                                the administrative penalty fee is the one in Tele2 Sverige AB's annual report for the year 2022.
                                The company had a turnover of approximately SEK 28,102,000,000 during that budget year. The
                                highest penalty amount that can be determined in the case is four percent of this amount,
                                that is, approximately SEK 1,124,080,000.


                                When determining the size of the penalty fee, IMY shall take into account the seriousness
                                of the violation and, taking into account both aggravating and mitigating circumstances,





                                28 EDPB's guidelines 8/2020 Guidelines 04/2022 on the calculation of administrative fines under the GDPR (adopted for
                                public consultation on 12 May 2022).
                                29 See Judgment in Akzo Nobel, C-516/15, EU:C:2017:314, paragraph 48.









                                 determine an administrative sanction amount that is effective, proportionate and
                                 dissuasive in the individual case.


                                 IMY assesses that the following factors are important for the assessment of the
                                 seriousness of the infringement.


                                 As regards the assessment of the seriousness of the infringement, there are initially
                                 factors which give reason to view the violation more seriously. Tele2 has
                                 transferred a large amount of personal data to third countries. The transfer has meant that
                                 the personal data could not be guaranteed the level of protection provided in the EU/EEA,
                                 which in itself is a serious violation. In addition, it is aggravating that the transfers of
                                 personal data have been going on for a long time, i.e. since August 14, 2020,
                                 and are still ongoing, and that they have occurred systematically. IMY also takes into account
                                 that approximately 3 years have now passed since the European Court of Justice rejected
                                 the commission's decision on an adequate level of protection in the USA,30 whereby the
                                 conditions for transfers of personal data to the United States changed.


                                 In the meantime, the EDPB has issued recommendations on the consequences of the judgment,
                                 which were out for public consultation on 10 November 2020 and adopted in final form
                                 on 18 June 2021. In addition, several other supervisory authorities within the EU/EEA have
                                 issued orders to cease use of the Tool until
                                 sufficiently effective protective measures have been taken by the
                                 personal data controller. The decisions have included cases where the personal data controller
                                 has also taken measures such as "anonymization of IP addresses" in the form of
                                 truncation.31


                                 Although these recommendations and decisions clearly point to the risks of, and
                                 the difficulties in ensuring, a sufficient level of protection for data transfers to companies
                                 in the USA, Tele2 has continued to use the Tool during the period from August 14,
                                 2020 up to and including at least May 2023 without taking its own additional protective
                                 measures. Google's measure regarding IP address truncation means that it is still possible
                                 to distinguish the IP address, as it can be linked with other data transmitted
                                 to third countries (to the USA). This enables identification, which means that
                                 the data together constitute personal data.
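
The linkage argument above can be checked on one's own analytics payloads before they leave the site. The following is an added example, not part of IMY's decision; the field names (`device`, `cookie_id`) and the sample hits are constructed assumptions. It zeroes the last octet and then reports which visitors still have a unique combination of transmitted fields:

```python
import ipaddress
from collections import defaultdict

# Constructed sample hits: documentation-range addresses and invented device
# strings / identifiers. "visitor" is ground truth for this demonstration
# only and is never part of the transmitted record.
HITS = [
    {"visitor": "v1", "ip": "192.0.2.17",  "device": "Firefox 115 / Linux / 1920x1080", "cookie_id": "c-1001"},
    {"visitor": "v1", "ip": "192.0.2.17",  "device": "Firefox 115 / Linux / 1920x1080", "cookie_id": "c-1001"},
    {"visitor": "v2", "ip": "192.0.2.44",  "device": "Safari 16 / iOS / 390x844",       "cookie_id": "c-1002"},
    {"visitor": "v3", "ip": "192.0.2.200", "device": "Chrome 113 / Windows / 1366x768", "cookie_id": "c-1003"},
    {"visitor": "v4", "ip": "192.0.2.201", "device": "Chrome 113 / Windows / 1366x768", "cookie_id": "c-1004"},
]


def truncate_ipv4(addr):
    """Replace the last octet with zero ("anonymization of IP addresses")."""
    ip = ipaddress.IPv4Address(addr)  # raises on anything that is not IPv4
    return str(ipaddress.IPv4Address(int(ip) & 0xFFFFFF00))


def transmitted(hit):
    """The record as it would leave the site: truncated IP, no ground truth."""
    return {
        "ip": truncate_ipv4(hit["ip"]),
        "device": hit["device"],
        "cookie_id": hit["cookie_id"],
    }


def anonymity_sets(hits, fields):
    """Map each combination of transmitted fields to the visitors sharing it."""
    groups = defaultdict(set)
    for hit in hits:
        record = transmitted(hit)
        groups[tuple(record[f] for f in fields)].add(hit["visitor"])
    return dict(groups)


def singled_out(hits, fields):
    """Visitors whose combination of fields is shared with nobody else."""
    sets = anonymity_sets(hits, fields).values()
    return sorted(v for visitors in sets if len(visitors) == 1 for v in visitors)


if __name__ == "__main__":
    for fields in (["ip"], ["ip", "device"], ["ip", "device", "cookie_id"]):
        print(fields, "->", singled_out(HITS, fields))
```

On the truncated IP alone all four constructed visitors fall into one group; once a per-browser identifier travels with it, every one of them is distinguishable again.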


                                 Tele2 is one of the major players in the telecom industry in Sweden. The case concerns
                                 data on a large number of data subjects who can be identified indirectly and whose data
                                 can be combined with other information about them. As regards the nature of the data,
                                 it already follows from Tele2's own purpose for the processing – i.e. among
                                 other things to be able to draw conclusions about how the data subjects navigate and find
                                 their way around the website – that the data, when aggregated, make it possible to draw
                                 relatively precise conclusions about the private lives of the data subjects and to map them,
                                 for example regarding what they buy and what services they are interested in over time and
                                 hold at the company. Tele2's processing of personal data entails risks of serious infringement

                                 30 Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the
                                 European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield.
                                 31 Austrian supervisory authority (Datenschutzbehörde) decision of 22 April 2022 regarding complaints Google
                                 Analytics represented by NOYB with local case number 1354838270, French regulatory authority (CNIL) decision
                                 of February 10, 2022 represented by NOYB and the Italian Supervisory Authority (Garante) decision of June 9, 2022
                                 regarding complaint Google Analytics represented by NOYB, local case number 9782890.
                                 32 Truncation of IP address ("anonymization of IP address") means that asterisks or zeros replace the digits in the
                                 last octet (the last digits of an IP address, a number between 0 and 255), which itself can only be one of 256 options.
                                 The effect of this measure is that it is still possible to distinguish the IP address from the other IP addresses (255
                                 options), as the IP address can be combined with other transmitted data (e.g. device information and
                                 time of the visit) to third countries (to the USA).









                                of the freedoms and rights of individuals, which gives Tele2 a special responsibility that
                                entails high requirements for transfers to third countries, where IMY overall assesses that
                                Tele2 has not demonstrated that the company has carried out a sufficient analysis and mapping
                                and has also not taken the necessary security measures to limit the risks for the data subjects.


                                IMY notes at the same time that there are factors that point in the opposite direction. IMY
                                takes into account the particular situation that arose after the judgment and the
                                interpretation of the EDPB's recommendations, where there was a gap after the transfer tool
                                to the United States under the Commission's previous decision was rejected by the European
                                Court of Justice. IMY also takes into account that Tele2 has taken certain, albeit
                                insufficient, measures to limit the
                                personal data transmitted by activating "anonymization of IP addresses"
                                by truncation. Tele2 has carried out an analysis and mapping of the life cycle of
                                personal data in the Tool. This circumstance is also taken into account in the assessment of
                                the seriousness of the violations.

                                Overall, IMY assesses, against the background of the reported circumstances, that
                                the violations in question are of low seriousness. The starting point for the calculation
                                of the penalty fee should therefore be set low in relation to the current maximum amount.


                                In addition to assessing the seriousness of the violation, IMY must assess whether there are
                                any aggravating or mitigating circumstances that are relevant to
                                the amount of the penalty fee. IMY assesses that there are no further aggravating or
                                mitigating circumstances, in addition to those considered in the assessment of
                                the degree of seriousness, that affect the size of the penalty fee.


                                Based on an overall assessment of the aforementioned circumstances, the high turnover in
                                relation to the violations found, and in light of the fact that
                                the administrative penalty fee must be effective, proportionate and dissuasive,
                                IMY assesses that the penalty fee can be set at SEK 12,000,000 (twelve million).

                                ___________________





                                This decision has been taken by the general manager Lena Lindgren Schelin after a presentation
                                by lawyer Sandra Arvidsson. The chief justice David Törngren, unit manager Catharina
                                Fernquist and IT and information security specialist Mats Juhlén also participated
                                in the final proceedings.


                                Lena Lindgren Schelin, 2023-06-30 (This is an electronic signature)



                                Appendix

                                Appendix 1 – Information on payment of penalty fee


















                                4 Appeal reference


                                4.1 How to Appeal

                                If you want to appeal the decision, you must write to the Swedish Privacy Agency. State in
                                the letter which decision you are appealing and the change you are requesting. The appeal must
                                have been received by the Privacy Protection Authority no later than three weeks from the day
                                you received the decision. If the appeal has been received in time,
                                the Privacy Protection Authority forwards it to the Administrative Court in Stockholm for
                                examination.


                                You can e-mail the appeal to the Privacy Protection Authority if it does not contain
                                any privacy-sensitive personal data or information that may be covered by

                                secrecy. The authority's contact details appear on the first page of the decision.



















































