IMY (Sweden) - DI-2020-11397: Difference between revisions

From GDPRhub
No edit summary
No edit summary
Tags: Reverted Visual edit
Line 67: Line 67:
}}
}}


The Swedish DPA held that - by using Google Analytics provided by Google LLC - the controller breached [[Article 44 GDPR]]. SCCs and safeguards that were in place could not support data transfers to the US in a way that would not undermine the level of protection of personal data guaranteed by the GDPR.  
The Swedish DPA held that - by using Google Analytics provided by Google LLC - the controller breached [[Article 44 GDPR]]. SCCs and the safeguards that were in place could not sufficiently support the data transfers to the US under the GDPR.  


== English Summary ==
== English Summary ==

Revision as of 10:40, 4 July 2023

IMY - DI-2020-11397
LogoSE.png
Authority: IMY (Sweden)
Jurisdiction: Sweden
Relevant Law: Article 44 GDPR
Article 56 GDPR
Article 60 GDPR
50 US Code § 1881 (b)(4)
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published:
Fine: 300000 SEK
Parties: CDON AB
National Case Number/Name: DI-2020-11397
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Swedish
Original Source: IMY (Sweden) (in SV)
Initial Contributor: n/a

The Swedish DPA held that - by using Google Analytics provided by Google LLC - the controller breached Article 44 GDPR. SCCs and the safeguards that were in place could not sufficiently support the data transfers to the US under the GDPR.

English Summary

Facts

E-commerce marketplace provider CDON AB (the controller) used Google Analytics tool provided by Google LLC on its website www.cdon.fi as from 14 August 2020.

In 2020, noyb lodged a complaint with the Austrian DPA alleging that the controller breached the provisions of Chapter V GDPR. Within its complaint, noyb argued that an unlawful transfer of personal data had taken place through the use of the Google Analytics tool when the data subject in question had visited the controller’s website.

Thereafter, the complaint was transferred in accordance with the provisions on co-operation in cross-border processing of the GDPR to the Swedish DPA - the lead supervisory authority pursuant to Article 56 GDPR. Following the complaint filed by noyb, the Swedish DPA initiated supervision of the controller. The supervision carried out by the DPA concerned whether the controller transfers personal data to the US through its use of the Google analytics tool, and whether the controller has legal support for this under Chapter V GDPR.

Holding

Firstly, the DPA considered whether the data processed through Google analytics tool constitutes personal data and found that the data does constitute personal data as cookies containing unique identifiers were placed on the data subject’s device and subsequently transmitted to Google LLC. It was highlighted by the DPA, that even if such unique identifiers would not in themselves be considered to make individuals identifiable, it must be taken into account that in the present case those unique identifiers can be combined with additional elements.

Secondly, the DPA considered whether CDON AB is the controller, and held that - by deciding to implement the Google Analytics tool on its website for the purpose of enabling the controller to analyse how the website is used – CDON AB determined the purposes and means of the collection and subsequent transfer of those personal data. The DPA confirmed that CDON AB is the controller.

Thirdly, the DPA investigated whether the controller’s transfer of personal data to the US is compatible with Article 44 GDPR and has legal support under Chapter V GDPR. The investigation showed that the controller and Google had implemented standard contractual clauses (‘SCCs’) within the meaning of Article 46 GDPR. By citing the Schrems II judgment, the DPA noted that the use of the SCCs is not in itself sufficient to achieve an acceptable level of protection for the personal data transferred when transferring personal data to the US when the data importer is to be classified as a provider of electronic communications services within the meaning of 50 US Code § 1881 (b)(4).

Fourhtly, it was assessed whether the controller had implemented sufficient additional safeguards for the data transfers. After the assessment, the DPA found that the additional safeguards adopted by Google were not effective, as they do not prevent the possibility for US intelligence agencies to access the personal data or render such access ineffective. Moreover, neither the SCCs nor the other measures invoked (truncating last octet of IP addresses) by the controller could support the transfer as set out in Chapter V GDPR.

Eventually, the DPA found that, with the transfers, the controller undermined the level of protection of personal data of data subjects guaranteed by Article 44 GDPR and consequently breached Article 44 GDPR. The DPA issued a fine of 300.000 SEK (approx. EUR 25.000). The controller was also ordered to ensure that its processing within the framework of the use of the Google Analytics tool complies with Article 44 GDPR and other provisions under Chapter V GDPR. According to the DPA, this shall be done in particular by ceasing to use of the Google Analytics tool, unless adequate safeguards have been taken.

Comment

https://www.imy.se/nyheter/bolag-maste-sluta-anvanda-google-analytics/

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Swedish original. Please refer to the Swedish original for more details.

1(25)






                                                                        CDON AB
                                                                        Box 385
                                                                        20123 Malmö






Diary number:
DI-2020-11397 Decision after supervision according to

                                 data protection regulation - CDON AB's

Date:
2023-06-30 transfer of personal data to

                                 third country





                                 Content

                                 The Privacy Protection Authority's decision................................................... ............................3

                                 1 Description of the supervisory matter ............................................... .....................................3

                                        1.1 The processing................................................... ............................................3

                                        1.2 What is stated in the complaint............................................. ..............................3
                                        1.3 What CDON has stated............................................. .....................................4

                                               1.3.1 Who has implemented the Tool and for what purpose, etc. ........4

                                               1.3.2 Recipient of the data ............................................. .....................5

                                               1.3.3 The data processed in the Tool and what constitutes it
                                               personal data ................................................ ........................................5

                                               1.3.4 Categories of persons affected by the processing......................5
                                               1.3.5 When the code for the Tool is executed and recipients are provided access .5

                                               1.3.6 How long is the personal data stored............................................ ......5

                                               1.3.7 In which countries the personal data is processed...................................5

                                               1.3.8 CDON's relationship with Google LLC ......................................... ..............6
                                               1.3.9 Ensuring that the processing does not take place for the recipients' own benefit

                                               purpose ................................................ ................................................ .6
                                               1.3.10 Description of CDON's use of the Tool..........................6

                                               1.3.11 Own controls of transfers affected by the judgment Schrems II6

Postal address: 1.3.12 Transfer tool according to chapter V of the data protection regulation .......7
Box 8114
104 20 Stockholm 1.3.13 Control of obstacles to enforcement in legislation in third countries............7
                                               1.3.14 What information is covered by the definition of personal data..........7
Website:
www.imy.se 1.3.15 The effectiveness of protective measures taken by Google and CDON8
E-mail:
imy@imy.se 1.3.16 Taken additional protective measures in addition to those taken by Google
                                               ................................................... ................................................... ..............8
Phone:
08-657 61 00


                                                               Page 1 of 25The Swedish Privacy Agency Diary number: DI-2020-11397 2(25)
                                       Date: 2023-06-30






                                                1.4 What Google LLC has stated............................................. ............................8

                                                1.5 CDON's comment on Google's opinion............................................ .........10

                                       2 Justification of the decision................................................... ................................................... 10

                                                2.1 The framework for the review............................................... ................................10

                                                2.2 This concerns the processing of personal data............................................. .11

                                                         2.2.1 Applicable regulations, etc. ................................................... ...11
                                                         2.2.2 The Privacy Protection Authority's assessment...................................12

                                                2.3 CDON is the personal data controller for the processing...................................15

                                                2.4 Transfer of personal data to third countries............................................. ....15

                                                         2.4.1 Applicable regulations, etc. ................................................ ...15

                                                         2.4.2 The Privacy Protection Authority's assessment...................................17

                                       3 Choice of intervention................................................... ................................................ .......20

                                                3.1 Legal regulation................................................ ..........................................20

                                                3.2 Should a penalty fee be imposed?............................................ ..........................21

                                                3.3 Other interventions................................................... ........................................23
                                       4 Appeal reference ................................................ ..........................................25

                                                4.1 How to appeal .............................................. ........................................25












































                                                                            Page 2 of 25The Swedish Privacy Agency Diary number: DI-2020-11397 3(25)
                               Date: 2023-06-30






                               The Privacy Protection Authority's decision


                               The Swedish Privacy Protection Authority states that CDON AB processes personal data in
                               violation of Article 44 of the Data Protection Regulation by since August 14, 2020

                               and until the date of this decision use the Google Analytics tool, which is provided
                               by Google LLC, on its website www.cdon.fi, thereby transferring
                               personal data to third countries without the conditions according to chapter V of the regulation being

                               fulfilled.

                               The Privacy Protection Authority orders with the support of Article 58.2 d i

                               data protection regulation CDON AB to ensure that the company's processing of
                               personal data within the framework of the company's use of the Google Analytics tool
                               complies with Article 44 and other provisions of Chapter V. This shall especially

                               happen by CDON AB ceasing to use that version of the tool
                               Google Analytics as used on August 14, 2020, if not sufficient
                               protective measures have been taken. The measures must be completed no later than one month after

                               this decision gained legal force.

                               IMY decides with the support of article 58.2 and 83 of the data protection regulation that CDON AB

                               shall pay an administrative sanction fee of SEK 300,000 (three hundred thousand) for
                               violation of Article 44 of the Data Protection Regulation.


                               1 Description of the supervisory matter


                               1.1 The processing

                               The Swedish Privacy Protection Agency (IMY) has started supervision of CDON AB (below

                               CDON or the company) due to a complaint. The complaint concerns an alleged
                               violation of the provisions of Chapter V of the Data Protection Regulation linked to
                               transfer of the complainant's personal data to third countries. The transfer is alleged to have taken place

                               when the complainant visited the company's website, www.cdon.fi (hereinafter "the company's website"
                               or the "Website") through the Google Analytics tool (hereinafter the Tool) which
                               provided by Google LLC.


                               The complaint has been handed over to IMY, in its capacity as the responsible supervisory authority according to
                               Article 56 of the Data Protection Regulation. The handover has taken place from the supervisory authority

                               in the country where the complainant has filed his complaint (Austria) in accordance with
                               the regulation's provisions on cooperation in cross-border processing.


                               The proceedings at IMY have taken place through an exchange of letters. Against the background that it applies
                               cross-border treatment, IMY has used the mechanisms for cooperation
                               and uniformity found in Chapter VII of the Data Protection Regulation. Affected

                               supervisory authorities have been the supervisory authorities in Germany, Norway, Estonia,
                               Denmark, Portugal, Spain, Finland and Austria.


                               1.2 What is stated in the complaint

                               The complaint essentially states the following.



                               1
                               regarding the processing of personal data and about the free flow of such data and about the cancellation of avr med
                               directive 95/46/EC (General Data Protection Regulation).



                                                             Page 3 of 25The Swedish Privacy Agency Diary number: DI-2020-11397 4(25)
                               Date: 2023-06-30







                               On August 14, 2020, the complainant visited CDON's website. During the visit,
                               the complainant signed in to his Google account, which is linked to the complainant's email address.
                               CDON had implemented on its website a Javascript code for Google services,

                               including Google Analytics. In accordance with clause 5.1.1 b of the terms of Google's
                               processing of personal data for Google's advertising products and also Google's terms and conditions

                               for processing "the New Order Data Processing Conditions for Google Advertising
                               Products" Google processes personal data of the data controller (i.e.
                               CDON) account and must therefore be classified as the company's personal data assistant.


                               During the visit to the company's website, CDON processed the complainant's personal data,

                               at least the complainant's IP address and data collected through cookies. Part of the
                               the data has been transferred to Google. In accordance with clause 10 of the terms of treatment
                               of personal data for Google's advertising products, CDON has approved that Google receives

                               process personal data about the complainant in the United States. Such transfer of data requires
                               legal support in accordance with chapter V of the data protection regulation.


                               According to the judgment of the European Court of Justice Facebook Ireland and Schrems (Schrems II), 2
                               the company no longer relies on a decision on an adequate level of protection in accordance with Article 45 i

                               data protection regulation for the transfer of data to the United States. CDON should not base
                               the transfer of data on standardized data protection regulations according to article

                               46.2 c of the data protection regulation if the recipient country does not ensure adequate protection
                               with regard to Union law for the personal data that is transferred.


                               Google shall be classified as a provider of electronic communications services in it
                               meaning referred to in 50 US Code § 1881 (4)(b) and is thus subject to surveillance
                               by US intelligence agencies in accordance with 50 US § 1881a (section 702 i

                               Foreign Intelligence Surveillance Act, hereinafter “702 FISA”). Google provides it
                               US government with personal data in accordance with these regulations.

                               CDON cannot therefore ensure adequate protection of the complainant's personal data when
                               these are transferred to Google.


                               1.3 What CDON has stated


                               CDON AB has in opinions on 15 January 2021, 15 February 2022 and 31
                               August 2022 essentially stated the following.


                               1.3.1 Who has implemented the Tool and for what purpose, etc.
                               The code for the Tool was embedded on the Website at the time of the complaint and is

                               still embedded on the Website. The decision to embed the Tool on
                               The website was taken over by CDON, a company registered in Sweden. Data is collected from
                               all people who visit the Website, which probably includes registered users

                               from more than one EU/EEA member state.


                               CDON uses the Tool in order to get to know the traffic and uses the Website
                               in order to be able to make various operationally critical decisions. It is with the help of the Tool e.g.
                               possible to find out which product categories are most popular and how customers

                               navigates, partly to find the CDON, partly to complete a purchase.





                               2 ECJ judgment Facebook Ireland and Schrems (Schrems II), C-311/18, EU:C:2020:559.
                               3See https://www.govinfo.gov/content/pkg/USCODE-2011-title50/html/USCODE-2011-title50-chap36-subchapVI-
                               sec1881.htm and https://www.govinfo.gov/content/pkg/USCODE-2011-title50/html/USCODE-2011-title50-chap36-
                               subchapVI-sec1881a.htm.



                                                             Page 4 of 25 The Swedish Privacy Agency Diary number: DI-2020-11397 5(25)
                                Date: 2023-06-30






                                1.3.2 Recipient of the data

                                Within the scope of CDON's use of the Tool on the Website is provided
                                personal data only to Google.


                                1.3.3 The data processed in the Tool and what constitutes it
                                personal data
                                The information that is processed within the framework of CDON's use of the Tool is

                                various characteristics or actions taken by the visitor on the website, such as:

                                    1. Which elements the user saw when navigating and looking around

                                         the website,
                                    2. Clicked on an Image/Banner on the Website,

                                    3. Added or removed something to the shopping cart,
                                    4. Arrived at the checkout or completed a purchase,
                                    5. Clicked on suggestions for accessories on product pages or added something to the wish list,

                                    6. If the user is a member of CDON's customer club, as well as
                                    7. Which search string the user used to search internally on the Website.


                                In addition to this data, Google also gets access to the respective user's IP address.

                                1.3.4 Categories of persons affected by the processing

                                The categories of persons affected by the processing are all categories of
                                people visiting the Website. CDON does not have any option to distinguish if
                                information about particularly vulnerable persons is processed. This is because CDON only

                                processes anonymous "behavioral data" regarding how a user navigates
                                The website. The information processed by CDON is no more than what applies
                                the actual transmission of the information to Google. CDON can neither before nor after

                                the disclosure to Google to identify individual users. What a unique category of person
                                users belong to, CDON is therefore not aware of.


                                1.3.5 When the code for the Tool is executed and recipients are provided access
                                Immediately after the Website has finished loading in the user's browser, it has

                                transmitted information to Google about where the user is on the Website.
                                Since January 12, 2021, CDON has activated a tool that means that respectively
                                user consent is required for the Tool's content to be integrated and run in

                                the user's browser.

                                1.3.6 How long the personal data is stored

                                Data and other information are not stored by CDON but are transferred using
                                The real-time tool from CDON to Google. CDON's assessment is that it
                                anonymization of IP addresses described below means the data transferred

                                to Google can no longer be linked to a specific individual and thus is not to be considered
                                as personal data. At Google, personal data is only stored until the IP-
                                                           4
                                the addresses have been truncated. According to information from Google, the truncation is performed as soon as possible
                                it is technically possible


                                1.3.7 In which countries the personal data is processed
                                The data transferred to the Tool is stored, among other things, in the United States.





                                4 IP address truncation means that asterisks or zeros replace other digits in the last octets (the last digits of an IP
                                address, a number between 0 and 255).



                                                              Page 5 of 25 The Swedish Privacy Agency Diary number: DI-2020-11397 6(25)
                               Date: 2023-06-30






                               1.3.8 CDON's relationship with Google LLC
                               CDON shares the assessment made by Google regarding the distribution of

                               the personal data responsibility, which means that Google is considered to process data within the framework
                               for CDON's use of the Tool as a personal data assistant for CDON. CDON
                               acts as personal data controller.


                               The terms that apply to the Tool are partly Google's terms of use, partly Google's
                               conditions for processing data.


                               The distribution of personal data responsibility agreed by Google and CDON
                               stated in the Google Ads Data Processing Terms.


                               1.3.9 Ensuring that the processing does not take place for the recipients' own purposes
                               CDON has had no reason to assume that Google does not meet the requirements that follow from the aforementioned
                               Google Ads Data Processing Terms, why Google's compliance with these not yet

                               has been further checked by CDON.

                               1.3.10 Description of CDON's use of the Tool

                               CDON uses the Tool in order to get to know the traffic on the Website and to
                               be able to make various business-critical decisions based on that information. It's included
                               with the help of the Tool, for example, it is possible to find out which product categories are

                               most popular and how customers navigate the Website to find CDON and for
                               to complete a purchase.


                               1.3.11 Own checks on transfers affected by the Schrems II ruling
                               As a result of the Schrems II judgment, CDON has taken measures in the form of identifying which
                               of CDON's partners who are located in countries outside the EU/EEA and in

                               relation to the respective cooperation partners requested information about which additional
                               security measures they have taken as a result of the decision.


                               On October 26, 2020, CDON requested information from Google regarding the effect of
                               CDON's embedding of the code for the Tool on the Website. Google has not
                               came back with a response to CDON's request for information and CDON has of this

                               reason, in addition to repeating the request to Google and reminding of answers, searched widely
                               available information about the actions taken by Google as a result of
                               the ruling.


                               According to publicly available information from Google, Google has in addition to
                               the standard contract clauses have taken the following additional safeguards in relation to

                               The tool:

                                    • Google ensures a secure transfer of JavaScript libraries and measurement data

                                        using the encryption protocol HTTP HSTS (Strict Transport Security).
                                    • The tool has been certified according to the internationally accepted independent
                                        the safety standards ISO 27001.


                               In addition to these measures, CDON has also chosen to activate IP-
                               anonymization, which means that IP addresses are truncated. The IP anonymization
                               (the truncation) means that the last octet in IPv4 addresses, respectively the last 80

                               the bits in IPv6 addresses are deleted immediately after the addresses are sent to
                               the collection network for the Tool. Since CDON's view is that it is IP-
                               the addresses that result in other data being collected and transmitted using

                               The tool is to be considered as personal data is CDON's assessment that the truncation



                                                             Page 6 of 25 The Swedish Privacy Agency Diary number: DI-2020-11397 7(25)
                               Date: 2023-06-30






                               of the IP addresses means that no information transmitted to Google is considered

                               as personal data after the IP anonymization/truncation has been carried out.


                               1.3.12 Transfer tool according to chapter V of the data protection regulation
                               Transfers of personal data to recipients in third countries within the framework of CDON's
                               use of the Tool is carried out with the support of the European Commission

                               standard contract clauses (2010/87/EU).


                               In accordance with the versions of Google's terms for the processing of data that have been
                               effective since August 12, 2020, Google and CDON have entered into the EU's
                               standard contractual clauses for the transfer of data from a data controller

                               within the EU to a personal data processor outside the EU, based on the European Commission's template
                               2010/87/EU.


                               1.3.13 Control of obstacles to enforcement in legislation in third countries
                               In order to ensure that the contractual obligations in the standard contract clauses are fulfilled have

                               CDON sent the request for information to Google regarding the third country transfer
                               as described above and CDON has not received a response.


                               1.3.14 What information is covered by the definition of personal data
                               It is important to distinguish between the concepts of being able to distinguish between users and not being able to

                               identify a specific individual. The latter, identification of a specific individual is not
                               the purpose of using the Tool and it is also not possible with that information
                               which is collected by unique identifier(s) (which can be derived to the browser or

                               entity (ie CDON's Google Analytics account ID)) either alone or in combination
                               with, among other things, the information generated when visiting the Website (i.e.

                               Web address (URL) and HTML title of that Web site or information about
                               browser). CDON is of the firm opinion that IP addresses are necessary
                               to, among other things, process the information generated when visiting the Website

                               (ie web address (URL) and HTML title of that Website or information about
                               browser) can be considered to constitute personal data. CDON white words to dynamic
                               IP addresses under certain circumstances may be considered personal data. The

                               distinguishing users made possible by the information collected by
                               however, unique identifier(s) is not sufficient for a specific individual to be able to

                               is identified, with or without aids such as thinning, but it is
                               only in combination with a full IP address as the information collected
                               of unique identifier(s) and information generated when visiting the Website can

                               will constitute personal data.

                               Justices Breyer and M.I.C.M. provides support for the assessment that dynamic IP addresses i

                               all cases are to be regarded as personal data. Dynamic IP addresses according to EU
                               the court must be considered as personal data in relation to the supplier concerned

                               of information or communication services, not in relation to each actor who receives
                               access to an IP address. In the Breyer case regarding the assessment of which aids
                               which can reasonably be used to identify the person in question,

                               the EU Court judged that according to German law there were legal means that make this possible
                               for the provider of electronic information or communication services, that in particular
                               in case of IT attacks, contact the competent authority for action

                               necessary measures to obtain such information from the internet provider and
                               initiate criminal proceedings. It can be questioned about an American authority

                               with a truncated IP address, which can be one of 256 alternative IP addresses, has

                               5 ECJ judgment Breyer, C-582/14, EU:C:2016:779.
                               6 ECJ judgment M.I.C.M, C-597/19, EU:C:2021:492.



                                                             Page 7 of 25 The Swedish Privacy Agency Diary number: DI-2020-11397 8(25)
                               Date: 2023-06-30






                               such legal means as may reasonably be used to enable
                               the identification of a single individual, when in the Breyer case it was even considered
                               problematic with a full IP address relative to the actual provider

                               of the natural person's IT services.

                               1.3.15 Effectiveness of safeguards taken by Google and CDON

                               Referring to the answers above, CDON, in addition to the activation of IP-
                               the anonymization, not considering the implementation of supplementary measures because
                               Google has informed that additional measures have been taken.


                               The truncation of the IP addresses is an effective protection measure. Regardless of the truncation of
                               The IP addresses occur before, in connection with, or in direct connection with the transfer of

                               the information from CDON to Google. The truncation of the IP addresses means that
                               the information stored on Google's servers in the United States does not constitute personal data. In a
                               situation where the truncation is only carried out when the data has been received by Google

                               LCC, but at the latest in direct connection with the reception, the truncation means that all
                               data that has been transferred by CDON to Google and that is stored on Google's servers
                               will not constitute personal data because the IP address, which is the unique one

                               identifiers which mean that other transmitted information constitutes personal data, has
                               anonymized. IP address without the last octet can be any of 256 alternatives
                               IP addresses and therefore cannot a truncated IP address by thinning together

                               with other information, is considered to constitute personal data.

                               1.3.16 Additional safeguards taken in addition to those taken by Google

                               During the handling of the case, CDON has thoroughly analyzed and investigated the possibilities
                               to switch to another solution that does not involve the use of the Tool. Coop has
                               made preparations for such a change, which the company should hopefully be able to do

                               execute promptly in case the IMY's final decision involves a finding that
                               The tool is not compatible with the data protection regulation and this gains legal force. The
                               however, it must be emphasized that CDON's analysis shows that such a change will

                               be very burdensome for the company (especially in comparison to other players on
                               the market) why it cannot be implemented before there is clarity in relation to what
                               that applies to the Tool regarding what is a sufficient protective measure.



                               1.4 What Google LLC has stated


                               IMY has added to the case an opinion from Google LLC (Google) on April 9, 2021 which
                               Google submitted to the Austrian supervisory authority. The statement answers questions
                               which IMY and a number of supervisory authorities have asked Google due to in part

                               joint handling of similar complaints received by these authorities.
                               CDON has been given the opportunity to comment on Google's opinion. By Google's opinion
                               the following appears about the Tool.


                               A JavaScript code is included on a web page. When a user visits (calls) a
                               web page, the code triggers a download of a JavaScript file. Then performed

                               the tracking operation of the Tool, which consists of collecting information related to
                               to the call in different ways and send the information to the Tool's servers.


                               A website administrator who has integrated the Tool on his website can send
                               instructions to Google for processing the data collected. These
                               instructions are transmitted via the so-called tag manager that handles it

                               tracking code that the webmaster has integrated into his website and via



                                                             Page 8 of 25 The Swedish Privacy Agency Diary number: DI-2020-11397 9(25)
                               Date: 2023-06-30






                               tag manager settings. Whoever integrated the Tool can do different things
                               settings, for example regarding storage time. The tool also makes it possible for it
                               which integrated it to monitor and maintain the stability of its website,

                               for example by staying informed about events such as peaks in visitor traffic
                               or lack of traffic. The tool also enables a website administrator to
                               measure and optimize the effectiveness of advertising campaigns carried out using

                               other tools from Google.

                               In this context, the Tool collects the visitor's http calls and information about

                               including the visitor's browser and operating system. According to Google, contains one
                               http calls for any page information about the browser and device making
                               the call, such as domain name, and information about the browser, such as type,

                               reference and language. The tool stores and reads cookies in the visitor's browser in order to
                               evaluate the visitor's session and other information about the call. Through these
                               cookies enable the Tool to identify unique users (UUID) over

                               browsing sessions, but the Tool cannot identify unique users in different browsers
                               or units. If a website owner's website has its own authentication system
                               can the website owner use the ID feature, to more accurately identify one

                               users on all the devices and browsers they use to access
                               the website.
                               When the information is collected, it is transferred to the Tool's servers. All data that

                               collected via The tool is stored in the United States.

                               Google has introduced, among other things, the following legal, organizational and technical

                               protective measures to regulate data transfers within the framework of the Tool.

                               Google has taken legal and organizational protective measures such that the company
                               always carry out a thorough examination of a request for access from government

                               authorities on user data can be implemented. It is lawyers/specially trained
                               staff conducting these trials and investigating whether such a request is
                               compliant with applicable laws and Google's guidelines. Those registered are informed

                               the disclosure, unless prohibited by law or would adversely affect one
                               emergency. Google has also published a policy on the company's website about how a
                               such requests for access by governmental authorities of user data shall be implemented.


                               Google has taken technical protective measures such as protecting personal data from
                               interception when transferring data in the Tool. By default using HTTP

                               Strict Transport Security (HSTS), which instructs browsers as http to SSL (HTTPS)
                               to use an encryption protocol for all communications between end users,
                               websites and the Tool's servers. Such encryption prevents intruders from

                               passively listen to communications between websites and users.

                               Google also uses an encryption technology to protect personal data, so-called “data in

                               rest" ("data at rest") in data centers, where user data is stored on a disk or
                               backup media to prevent unauthorized access to the data.


                               In addition to the above measures, website owners can use IP anonymization through
                               to use the settings provided by the Tool to limit Google's
                               use of personal data. Such settings include above all that in the code

                               for the Tool enable IP anonymization, which means that IP addresses are truncated and
                               contributes to data minimization. If the IP anonymization service is fully used occurs
                               the anonymization of the IP address almost immediately after the request has been received.





                                                             Page 9 of 25The Swedish Privacy Agency Diary number: DI-2020-11397 10(25)
                               Date: 2023-06-30






                               Google also restricts access to the data from the Tool through authorization control
                               as well as by all personnel having undergone training regarding
                               information security.



                               1.5 CDON's comment on Google's statement


                               CDON maintains what was stated in the opinion of 15 January 2021. In addition to this
                               presents the following to CDON in connection with Google's statement of April 9, 2021.


                               In its use of the Tool, CDON has taken the security measures that the Tool
                               provides.

                               Google's opinion states, among other things, the following:


                                  "As a general matter, unless instructed to do so, Google does not attempt to link
                                  data it collects as a processor on behalf of website owners using Google Analytics

                                  with data it collects as a controller in relation to its users and the relevant policies
                                  and systems are designed to avoid such linking.”

                               Google thus states that the owner of the website has full control over the personal data

                               which Google processes in that there is an opportunity for users of the Tool to
                               give Google special instructions on connecting the personal data with
                               user. CDON has not given Google any such instructions.


                               CDON has instead focused on using the settings as the Tool
                               provides to limit Google's use of personal data. Such

                               settings include, above all, activating IP anonymization in the code of the Tool,
                               which means that IP addresses are truncated. CDON had also limited the storage time for
                               the personal data and has not activated the User-ID function either. So CDON has
                               unable to link a fixed ID for a single user to the user's

                               engagement data from one or more sessions initiated from one or more
                               units.


                               In summary, CDON maintains that the use of the Tool has taken place in accordance
                               with the security measures that the Tool offers. It should also be noted that
                               obligations according to chapter V of the data protection regulation primarily are obligations which
                               is imposed on the exporter, who in this case is CDON's dealer (see EDPB's guidelines

                               05/2021 and decision of the Austrian data protection authority regarding Google Analytics i
                               target 2021-0.586.257 (D155.027)).


                               2 Justification of the decision


                               2.1 The framework for the review

                               Based on the complaint in the case, IMY has only examined whether CDON transfers

                               personal data to the third country USA within the framework of the Tool and if CDON has
                               legal support for it in Chapter V of the Data Protection Regulation. The supervision does not cover if
                               CDON's personal data processing in general is compatible with the data protection regulation.








                                                            Page 10 of 25The Swedish Privacy Agency Diary number: DI-2020-11397 11(25)
                                 Date: 2023-06-30






                                 2.2 This concerns the processing of personal data


                                 2.2.1 Applicable regulations, etc.

                                 In order for the data protection regulation to be applicable, it is required that personal data
                                 treated.


                                 According to Article 1.2, the Data Protection Regulation aims to protect the data of natural persons
                                 fundamental rights and freedoms, in particular their right to the protection of personal data.
                                 According to Article 4.1 of the regulation, personal data is "any information relating to a

                                 identified or identifiable natural person (hereinafter referred to as a data subject), whereby a
                                 identifiable natural person is a person who can be directly or indirectly specifically identified

                                 referring to an identifier such as a name, an identification number, a
                                 location data or online identifiers or one or more factors that are
                                 specific to the natural person's physical, physiological, genetic, psychological,

                                 economic, cultural or social identity'. To determine whether a natural person is
                                 identifiable, one should consider all the aids that, either of it
                                 personal data controller or by another person, may reasonably be used

                                 to directly or indirectly identify the natural person (reason 26 to
                                 data protection regulation).


                                 The term personal data can include all information, both objective and
                                 subjective information, provided that it "refers" to a specific person, which
                                                                                                                      7
                                 they do if, due to their content, purpose or effect, they are linked to the person.

                                 The word "indirectly" in Article 4.1 of the Data Protection Regulation indicates that it is not necessary

                                 that the information itself makes it possible to identify the registered person for that to be
                                 a personal data. Recital 26 of the data protection regulation also states that in order to
                                 determine whether a natural person is identifiable, all aids, such as e.g. thinning

                                 ("singling out" in the English language version), which, either of it
                                 personal data controller or by another person, may reasonably be used
                                 to directly or indirectly identify the natural person, is taken into account. To determine

                                 if aids can with reasonable probability be used to identify it
                                 the natural person should all objective factors, such as costs and time consumption for

                                 identification, taking into account both available technology at the time of processing,
                                 considered. It is clear from Article 4.5 of the regulation that pseudymisation is meant
                                 processing of personal data in a way that means that the personal data does not

                                 longer can be attributed to a specific data subject without the use of supplementary information,
                                 provided that this additional information is kept separately and is subject
                                 for technical and organizational measures that ensure that the personal data does not

                                 attributed to an identified or identifiable natural person.

                                 So-called "web identifiers" (sometimes referred to as "online identifiers") - e.g. IP addresses or

                                 information stored in cookies – can be used to identify a user,
                                 especially when combined with other similar types of information. According to recital 30 to

                                 data protection regulation, natural persons can be linked to online identifiers provided by
                                 their equipment, e.g. IP addresses, cookies or other identifiers. This can leave behind
                                 traces that, especially in combination with unique identifiers and other data such as

                                 collected, can be used to create profiles of natural persons and identify them.

                                 In the Breyer judgment, the European Court of Justice has determined that a person is not considered identifiable through

                                 some information about the risk of identification in practice is negligible, which it is

                                 7 ECJ judgment Nowak, C-434/16, EU:C:2017:994, paragraphs 34–35.
                                 8 CJEU judgment Breyer, C-582/14, EU:C:2016:779, paragraph 41.



                                                               Page 11 of 25 The Swedish Privacy Agency Diary number: DI-2020-11397 12(25)
                                Date: 2023-06-30







                                identification of the relevant person is prohibited by law or impossible to carry out i
                                practice. However, the European Court of Justice has in the judgment M.I.C.M. from 2021 and in the judgment Breyer struck

                                provided that dynamic IP addresses constitute personal data in relation to the person who
                                processes them, when he also has a legal opportunity to identify the holders of
                                the internet connections using the additional information provided by third parties
                                              10
                                dispose of.


                                2.2.2 The Privacy Protection Authority's assessment
                                To determine whether the information processed through the Tool constitutes personal data
                                shall IMY decide whether Google or CDON through the implementation of the Tool

                                can identify individuals, e.g. the complainant, when visiting the Website or about the risk of
                                it is negligible. 11


                                IMY considers the data processed to be personal data for the following reasons.


                                The investigation shows that CDON implemented the Tool by inserting a
                                JavaScript code (a tag), entered by Google in the source code of the Website. While

                                the page is loaded in the visitor's browser, the JavaScript code from Google LLC's is loaded
                                servers and run locally in the visitor's browser. A cookie is inserted at the same time

                                the visitor's browser and saved on the computer. The cookie contains a text file that collects
                                information about the visitor's operation on the Website. Among other things, a
                                unique identifier in the value of the cookie and this unique identifier is generated and

                                managed by Google.


                                When the complainant visited the Website, or a sub-page of the Website, was transmitted
                                the following information via JavaScript code from the complainant's browser to Google
                                LLC's servers:


                                    1. Unique identifier(s) that identified the browser or device used

                                         to visit the Website as well as a unique identifier that identifies the CDON
                                         (ie CDON's Google Analytics account ID).

                                    2. Web address (URL) and HTML title of the website and web page that
                                         the appellant has visited.
                                    3. Information about browser, operating system, screen resolution,

                                         language setting and date and time of access to the Website.
                                    4. Complainant's IP address.


                                During the appellant's visit (according to point 1 above) said identifier was put in cookies with
                                the names "_gads", "_ga" and "_gid" and subsequently transferred to Google LLC. These

                                identifiers have been created with the aim of being able to distinguish individual visitors, such as
                                the appellant. The unique identifiers thus make the visitors to the Website

                                identifiable. Although such unique identifiers (as per 1 above) would not in themselves be considered
                                make individuals identifiable, however, it must be considered that these unique identifiers in it
                                the current case can be combined with additional elements (according to points 2-4 above)

                                and that it is possible to draw conclusions in relation to information (according to the points
                                2–4 above) which means that information constitutes personal data, regardless of whether the IP address is not

                                transferred in its entirety.




                                9 CJEU judgment Breyer, C-582/14, EU:C:2016:779, paras 45–46.
                                10 ECJ judgment M.I.C.M, C-597/19, EU:C:2021:492, paragraphs 102–104 and Breyer judgment, C-582/14,
                                EU:C:2016:779, paragraph 49.
                                11 See the Court of Appeal in Gothenburg's judgment of 11 November 2021 in case no. 2232-21, with the agreement of the sub-instance
                                assessment.



                                                              Page 12 of 25The Swedish Privacy Agency Diary number: DI-2020-11397 13(25)
                                 Date: 2023-06-30







                                 If information is combined (according to points 1–4 above), it means that individual visitors on
                                 The site becomes even more distinguishable. It is thus possible to identify

                                 individual visitors of the Website. That in itself is enough for it to be considered
                                 personal data. It does not require knowledge of the actual visitor's name or
                                 physical address, because the differentiation (through the word "thinning" in recital 26 i

                                 data protection regulation, "singling out" in the English version) in itself is sufficient for
                                 to make the visitor indirectly identifiable. It is also not required to Google or CDON

                                 intends to identify the appellant, but the opportunity to do so is in itself sufficient
                                 to determine whether it is possible to identify a visitor. Objective aids such as
                                 can reasonably be used either by the personal data controller or by someone

                                 other, are all aids that can reasonably be used for the purpose of identifying the appellant.
                                 Examples of objective aids that can reasonably be used are access to additional

                                 information with a third party that would make it possible to identify the complainant with
                                 taking into account both available technology at the time of identification as well as cost
                                 (the time required) for the identification.


                                 IMY states that the European Court of Justice, through the judgment M.I.C.M. and the Breyer ruling stated that

                                 dynamic IP addresses constitute personal data in relation to the person who processes them,
                                 when he also has a legal opportunity to identify the holders of

                                 the internet connections using the additional information provided by third parties
                                 dispose of. IP addresses do not lose their character of being personal data alone
                                 due to the fact that the means of identification are with third parties. The Breyer ruling and

                                 The M.I.C.M judgment should be interpreted based on what is actually stated in the judgments ie. that about it
                                 there is a legal possibility to gain access to supplementary information for the purpose of

                                 identify the appellant it is objectively clear that there is a “means which reasonably can
                                 will be used' to identify the complainant. According to IMY, the judgments should not be read
                                 on the contrary, in the way that a legally regulated possibility to gain access must be demonstrated

                                 to data that can link IP addresses to natural persons so that the IP addresses will
                                 considered to be personal data. An interpretation of the concept of personal information which means that

                                 it must always be demonstrated a legal possibility to link such data to a physical
                                 person would, according to IMY, mean a significant limitation of the regulation
                                 protection area, and open up possibilities to circumvent the protection in the regulation. This one

                                 interpretation would, among other things, be contrary to the purpose of the regulation according to Article 1.2 i
                                 data protection regulation. The Breyer judgment was decided under previously applicable directives

                                 95/46 and the concept of "singling out" according to recital 26 of the current regulation (that it does not
                                 knowledge of the actual visitor's name or physical address is required, because

                                 the distinction itself is sufficient to make the visitor identifiable), was not specified in
                                 previously applicable directives as a method for identifying personal data.


                                 In this context, other information is also added (according to points 1–3 above) such as IP
                                 the address can be combined with to enable identification. Google action
                                 regarding truncation of an IP address means that it is still possible to distinguish IP-

                                 the address, as it can be combined with other data transferred to
                                 third country (to the USA). This enables identification, which in itself is sufficient to

                                 the data together shall constitute personal data.





                                 12 ECJ judgment M.I.C.M, C-597/19, EU:C:2021:492, paragraphs 102–104 and Breyer judgment, C-582/14
                                 EU:C:2016:779, paragraph 49.
                                 13 IP address truncation means that asterisks or zeros replace other digits in the last octets (the last digits of an IP
                                 address, a number between 0 and 255), which itself can only be one of 256 options. The effect of this action
                                 means that it is still possible to distinguish the IP address from the other IP addresses (255 options), because the IP
                                 the address can be linked with other transferred data (e.g. information about unit and time of visit) to
                                 third country.



                                                                Page 13 of 25 The Swedish Privacy Agency Diary number: DI-2020-11397 14(25)
                                Date: 2023-06-30







                                In addition, several other supervisory authorities within the EU/ESS have decided that the transfer of
                                personal data to third countries has occurred when using the Tool because it

                                it has been possible to combine IP addresses with other data (according to points 1–3
                                above), and thus enabled differentiation of data and identification of IP address,
                                which in itself is sufficient to determine that it is a matter of treatment of
                                                 14
                                personal data.


                                IMY notes that there may also be reasons to compare IP addresses with
                                pseudonymised personal data. Pseudonymization of personal data means
                                according to article 4.5 of the data protection regulation that the data - similar to dynamic IP

                                addresses - cannot be directly attributed to a specific data subject without supplementary
                                data is used. According to recital 26 of the data protection regulation, such data should

                                considered to be information about an identifiable natural person.

                                A narrower interpretation of the concept of personal data would undermine, according to IMY

                                the scope of the right to the protection of personal data, which is guaranteed in Article 8 i
                                The Charter of Fundamental Rights of the European Union, because it would

                                make it possible for personal data controllers to specifically single out individuals together
                                with personal data (eg when they visit a certain website) at the same time as individuals

                                are denied the right to protection against the dissemination of such information about them. Such an interpretation would
                                undermine the level of protection for individuals and would not be compatible with the wide
                                scope given by the data protection rules in the practice of the EU Court of Justice. 15


                                CDON has also, by the appellant being logged in to his Google account at

                                the visit to the Website, processed information where conclusions could be drawn about it
                                individual based on their registration with Google. It appears from Google's statement that
                                implementation of the Tool on a website makes it possible to obtain information about

                                a user of a Google account (ie a registrant) has visited the website in
                                question. Google does state that certain conditions must be met for Google to

                                be able to receive such information, e.g. that the user (complainant) has not deactivated
                                processing and display of personal advertisements. Because the appellant was logged in
                                in their Google account when visiting the Website, Google can therefore still have

                                had the opportunity to receive information about the logged-in user's visits to
                                The website. The fact that it does not appear from the complaint that no personal

                                ads have been shown, does not mean that Google cannot obtain information about the logged in person
                                the user's visit to the Website.


                                IMY finds against the background of the unique identifiers that can identify the browser
                                or the device, the ability to derive the individual through his Google account, they

                                the dynamic IP addresses as well as the possibility to combine these with additional ones
                                information that CDON's use of the Tool on a web page involves processing

                                of personal data.










                                1Austrian supervisory authority (Datenschultzbehörde) decision of 22 April 2022 regarding complaints Google
                                Analytics represented by NOYB with local case number 1354838270, French regulatory authority (CNIL) decision
                                of February 10, 2022 represented by NOYB and the Italian Supervisory Authority (Garante) decision of June 9, 2022
                                regarding complaint Google Analytics represented by NOYB, local case number 9782890.
                                1 See, for example, the judgment of the European Court of Justice Latvijas Republikas Saeima (Points de pénalité), C-439/19, EU:C:2021:504,
                                paragraph 61, judgment Nowak, C-434/16, EU:C:2017:994, paragraph 33 and judgment Rijkeboer, C-553/07, EU:C:2009:293, paragraph 59.



                                                              Page 14 of 25 The Swedish Privacy Agency Diary number: DI-2020-11397 15(25)
                               Date: 2023-06-30






                               2.3 CDON is the personal data controller for the processing


                               Personal data controller is, among other things, a legal person who alone or
                               together with others determines the purposes and means of the processing of

                               personal data (Article 4.7 of the Data Protection Regulation). Personal data assistant is among
                               another, a legal entity that processes personal data for it
                               account of the personal data controller (Article 4.8 of the data protection regulation).


                               The responses provided by CDON show that CDON has made the decision to implement

                               The tool on the Website. Furthermore, it appears that CDON's purpose for this was to
                               the company must be able to analyze how the Website is used, in particular to be able to follow
                               the use of the website over time.


                               IMY finds that CDON by deciding to implement the Tool on the Website i
                               said purpose has established the purposes and means of the collection and it

                               the subsequent transfer of this personal data. CDON is therefore
                               personal data controller for this processing.


                               2.4 Transfer of personal data to third countries


                               The investigation shows that the data collected via the Tool is stored by Google
                               LLC in the United States. Thus, the personal data collected via the Tool is transferred to the United States.


                               The question is therefore whether CDON's transfer of personal data to the USA is compatible with
                               Article 44 of the Data Protection Regulation and has legal support for it in Chapter V.


                               2.4.1 Applicable regulations, etc.
                               According to article 44 of the data protection regulation, which has the title "General principle for

                               transfer of data", includes the transfer of personal data that is under
                               processing or are intended to be processed after they have been transferred to a third country -
                               i.e. a country outside the EU/EEA - only take place under the condition that it

                               personal data controller and the personal data assistant, subject to others
                               provisions of the data protection regulation, meet the conditions in chapter V. All
                               provisions of said chapter shall be applied to ensure that the level of protection

                               of natural persons ensured by the data protection regulation is not undermined.


                               Chapter V of the data protection regulation contains tools that can be used for transfers
                               to third countries to ensure a level of protection essentially equivalent to that which
                               guaranteed within the EU/EEA. It can e.g. be transfer supported by a decision on

                               adequate level of protection (Article 45) and transfer covered by appropriate
                               protective measures (Article 46). There are also exceptions for special situations (Article 49).


                               In the judgment Schrems II, the Court of Justice of the European Union has annulled that decision on adequacy
                               level of protection that previously applied to the United States. Because a decision on adequate
                               level of protection since July 2020 is missing, transfers to the US may not be based on Article 45.


                               Article 46.1 provides, among other things, that in the absence of a decision in accordance with Article

                               45.3 a personal data controller or a personal data assistant may only transfer
                               personal data to a third country after taking appropriate safeguards, and on


                               16 Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 in accordance with the European Parliament and
                               Council Directive 95/46/EC on whether adequate protection is ensured by the Privacy Shield in
                               The European Union and the United States and the judgment of the European Court of Justice Facebook Ireland and Schrems (Schrems II), C-
                               311/18, EU:C:2020:559.



                                                             Page 15 of 25The Swedish Privacy Agency Diary number: DI-2020-11397 16(25)

                                 Date: 2023-06-30






                                 conditions that statutory rights of registered and effective remedies for

                                 registered are available. Article 46.2 c stipulates that such suitable
                                 safeguards may take the form of standardized data protection regulations adopted

                                 by the Commission in accordance with the review procedure referred to in Article 93(2).

                                 In the judgment Schrems II, the European Court of Justice did not reject standard contract clauses which

                                 transfer tool. However, the court found that they are not binding on
                                 the authorities of the third country. The Court of Justice of the European Union stated that “[even] if thus

                                 there are situations where the recipient of such a transfer, depending on the legal situation and
                                 current practice in the third country concerned, can guarantee the necessary protection of

                                 data solely with the support of the standardized data protection regulations, exists
                                 the other situations in which the provisions of these clauses cannot be one

                                 sufficient means to ensure effective protection of the personal data in practice
                                 which is transferred to the third country concerned.' According to the European Court of Justice, this is "among other things

                                 the case when the legislation of the third country allows the authorities of that third country to do
                                 interference with the rights of the registered persons regarding these data.” 17


                                 The reason why the European Court of Justice annulled the decision on adequate level of protection
                                 with the US was how the US intelligence agencies can access

                                 personal data. According to the court, the conclusion of standard contract clauses cannot in itself
                                 ensure a level of protection required by Article 44 of the Data Protection Regulation,

                                 as the guarantees stated therein do not apply when requested by such authorities
                                 access. The European Court of Justice therefore stated the following:


                                     It thus appears that the standardized data protection provisions which

                                     the commission adopted with the support of article 46.2 c of the same regulation only aims to
                                     provide the personal data controllers or their personal data assistants established

                                     in the Union contractual safeguards that are applied uniformly throughout
                                     third countries and thus independent of the level of protection ensured in each of
                                     these countries. Because these standardized data protection regulations, with regard

                                     to their nature, cannot lead to protective measures that go beyond a contractual obligation
                                     to ensure that the level of protection required under Union law is observed, it may be

                                     necessary, depending on the situation prevailing in a particular third country, for it
                                     personal data controller to take additional measures to ensure that the level of protection
                                             18
                                     observed.


                                 In the European Data Protection Board's (EDPB) recommendations on the consequences of
                                 the judgment clarifies that if the assessment of legislation and practice in the third country involves

                                 that the protection that the transmission tool is supposed to guarantee cannot be maintained in practice
                                 the exporter must, within the framework of his transfer, as a rule either cancel
                                 the transfer or take appropriate additional protective measures. The EDPB thereby notes

                                 that "further measures can only be considered effective in the sense referred to in the EU
                                 the court's judgment "Schrems II" if and to the extent that they - alone or in combination -

                                 addresses the specific deficiencies identified during the assessment of the situation i
                                 the third country in terms of its laws and practices applicable to the transfer”. 20






                                 17
                                 18 Paragraphs 125-126.
                                 19 Item 133.
                                   EDPB, Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU
                                 level of protection of personal data, Version 2.0, adopted on 18 June 2021 (hereinafter "EDPB's Recommendations
                                 01/2020”).
                                 20EDPB's Recommendations 01/2020, point 75; IMY's translation.


                                                                Page 16 of 25 The Swedish Privacy Agency Diary number: DI-2020-11397 17(25)

                                Date: 2023-06-30






                                It appears from the EDPB's recommendations that such additional protective measures can
                                                                                                         21
                                fall into three categories: contractual, organizational and technical.


                                Regarding contractual measures, the EDPB states that such measures “[...] can
                                supplement and reinforce the safeguards that the transfer tool and relevant
                                legislation in the third country provides [...]. Considering that the contractual

                                the measures are of such a nature that they cannot generally bind the authorities in it
                                the third country because they are not parties to the agreement, these measures may often be necessary

                                combined with other technical and organizational measures to provide it
                                level of data protection required [...]'. 22


                                Regarding organizational measures, the EDPB emphasizes “[a]t choose and implement a

                                or more of these measures will not necessarily and systematically
                                ensure that [a] transfer meets the basic equivalence standard which

                                required by EU legislation. Depending on the particular circumstances surrounding
                                the transfer and the assessment made by the law of the third country is required
                                organizational measures to supplement contractual and/or technical measures

                                to ensure a level of protection for personal data that is substantially equivalent to that
                                which is guaranteed within the EU/EEA”. 23


                                Regarding technical measures, the EDPB points out that “these measures will in particular

                                be necessary when the legislation of that country imposes obligations on the importer which
                                contravenes the guarantees in Article 46 of the Data Protection Regulation transfer tools and

                                which in particular may infringe upon the contractual guarantee of one in all essentials
                                equivalent protection against the authorities of the third country gaining access to these
                                           24
                                tasks". The EDPB thereby states that "the measures specified [in the Recommendations]
                                are intended to ensure that access to the transmitted data for public
                                authorities in third countries do not interfere with the expediency of the appropriate

                                the safeguards in Article 46 of the Data Protection Regulation transfer tools. These
                                measures would be necessary to guarantee a substantially equivalent

                                level of protection as that guaranteed within the EU/EEA, even if the public ones
                                access by the authorities is consistent with the legislation of the importer's country, where such

                                access in practice goes beyond what is necessary and proportionate in one
                                democratic society. The purpose of these measures is to prevent potentially unauthorized

                                access by preventing the authorities from identifying the registered, drag
                                conclusions about them, point them out in another context or connect the transmitted ones

                                the data to other data sets which, among other things, may contain network identifiers such as
                                provided by the devices, applications, tools and protocols used by
                                                                     25
                                registered in other contexts".

                                2.4.2 The Privacy Protection Authority's assessment

                                2.4.2.1 Applicable Transfer Tool

                                The investigation shows that CDON and Google have entered into standardized agreements
                                data protection regulations (standard contract clauses) in the sense referred to in Article

                                46 for the transfer of personal data to the United States. These clauses are in line with those which
                                published by the European Commission in decision 2010/87/EU and therefore one
                                transfer tools according to chapter V of the data protection regulation.




                                21
                                22EDPB's Recommendations 01/2020, point 52.
                                  EDPB's Recommendations 01/2020, point 99; IMY's translation.
                                23EDPB's Recommendations 01/2020, point 128; IMY's translation.
                                24EDPB's Recommendations 01/2020, point 77; IMY's translation.
                                25 EDPB's Recommendations 01/2020, point 79; IMY's translation.


                                                               Page 17 of 25 The Swedish Privacy Agency Diary number: DI-2020-11397 18(25)
                               Date: 2023-06-30






                               2.4.2.2 The legislation and the situation in the third country

                               As can be seen from the judgment Schrems II, the use of standard contract clauses may require
                               additional protective measures as a complement. Therefore, an analysis of

                               the legislation in the relevant third country is made.

                               IMY believes that the analysis that the EU Court has already done in the judgment Schrems II, which

                               relates to similar conditions, is relevant and current, and that it can therefore be added
                               basis for the assessment in the case without any further analysis of the legal
                               the situation in the United States needs to be done.


                               Google LLC, as the importer of the data to the United States, shall be classified as

                               provider of electronic communications services within the meaning of 50 US
                               Code § 1881 (b)(4). Google is therefore subject to surveillance by American
                               intelligence services in accordance with 50 US § 1881a (“702 FISA”) and thus liable

                               to provide the US government with personal data when 702 FISA is used.


                               The European Court of Justice found in the judgment Schrems II that the American
                               surveillance programs based on 702 FISA, Executive Order 12333
                               (hereinafter “E.O. 12333”) and Presidential Policy Directive 28 (hereinafter “PPD-28”) in the

                               American legislation does not correspond to the minimum requirements that apply in EU law
                               according to the principle of proportionality. This means that the monitoring programs that are established
                               on these provisions cannot be considered to be limited to what is strict

                               necessary. The court also found that the monitoring programs do not provide
                               the registered rights enforceable against US authorities i
                                                                                                                  26
                               court, which means that these people do not have the right to an effective remedy.

                               Against this background, IMY notes that the use of the EU Commission's

                               standard contract clauses are not in themselves sufficient to achieve an acceptable level of protection
                               for the transferred personal data.


                               2.4.2.3 Additional safeguards implemented by Google and CDON
                               The next question is whether CDON has taken sufficient additional safeguards.


                               As a personal data controller and exporter of the personal data, CDON is obliged to
                               ensure that the rules of the data protection regulation are complied with. This responsibility includes, among other things

                               to assess in each individual case when transferring personal data to third countries which
                               additional safeguards to be used and to what extent, including that

                               evaluate if the actions taken by the receiver (Google) and the exporter (CDON)
                               taken together are sufficient to achieve an acceptable level of protection.


                               2.4.2.3.1 Google's additional safeguards
                               Google LLC, as an importer of personal data, has taken contractual,
                               organizational and technical measures to complement the standard contract clauses.

                               In a statement on April 9, 2021, Google described that the company has taken measures.


                               The question is about the additional safeguards taken by CDON and Google LLC
                               are effective, in other words hindering US intelligence agencies' ability to
                               access the transferred personal data.


                               As regards the legal and organizational measures, it can be stated that neither
                               information to users of the Tool (such as CDON), the publication of a


                               26Items 184 and 192. Item 259 et seq.
                               27Regardless of whether such a notification would even be permissible under US law.



                                                             Page 18 of 25 The Swedish Privacy Agency Diary number: DI-2020-11397 19(25)
                                Date: 2023-06-30







                                transparency report or a publicly available “Government Request Handling Policy”
                                impedes or reduces the ability of US intelligence agencies to obtain
                                access to the personal data. Furthermore, it is not described what it means to

                                Google LLC's makes a "careful review of each request" for the "legality" of
                                US intelligence services. IMY notes that this does not affect the legality of

                                such requests because, according to the European Court of Justice, they are not compatible with the requirements of
                                EU data protection rules.


                                As regards the technical measures taken, it can be stated that neither
                                Google LLC or CDON has clarified how the described measures – such as protection of

                                communication between Google services, protection of data during transfer between
                                data center, protection of communications between users and websites or “physical
                                security” – hinders or reduces the ability of US intelligence agencies to

                                prepare access to the data with the support of the US regulations.


                                Regarding the encryption technology used – for example for so-called "data at rest"
                                ("data at rest") in data centers, which Google LLC mentions as a technical measure - has Google
                                LLC as an importer of personal data nevertheless an obligation to grant access to or

                                hand over imported personal data at the disposal of Google LLC, including
                                any encryption keys required to make the data intelligible. Thus

                                such a technical measure cannot be considered effective as long as Google LLC has
                                possibility to access the personal data in plain text.


                                Regarding what Google LLC's stated that "to the extent information for measurement i
                                Google Analytics transmitted by website owners constitutes personal data, they receive
                                considered to be pseudonymized” it can be stated that universal unique identifiers

                                (UUID) is not covered by the concept of pseudonymisation in Article 4.5 i
                                data protection regulation. Pseudonymization can be a privacy-enhancing technique,

                                but the unique identifiers, as described above, have the specific purpose of distinguishing
                                user and not to act as protection. In addition, individual identifiable genomes are made
                                what is stated above about the possibility of combining unique identifiers and others

                                data (eg metadata from browsers or devices and the IP address) and
                                the ability to link such information to a Google account for logged-in users.


                                Regarding Google's measure "anonymization of IP addresses" in the form of truncation 29
                                it is not clear from Google's response if this action takes place before the transfer, or if

                                the entire IP address is transferred to the USA and shortened only after the transfer to the USA. From
                                from a technical point of view, it has thus not been shown that there is no potential access to the whole
                                The IP address before the last octet is truncated.



                                Against this background, IMY notes that the additional protective measures taken
                                of Google are not effective, because they do not prevent American
                                intelligence services' ability to access the personal data or does so

                                access ineffective.


                                2.4.2.3.2 CDON's own additional safeguards
                                CDON has stated that the company has taken additional protective measures in addition to those
                                actions taken by Google. According to CDON, these consist of activation of





                                2See EDPB's Recommendations 01/2020, point 81.
                                2IP address truncation means that asterisks or zeros replace other digits in the last octets (the last digits of an IP
                                address, a number between 0 and 255).



                                                              Page 19 of 25 The Swedish Privacy Agency Diary number: DI-2020-11397 20(25)
                                Date: 2023-06-30






                                the function for truncation 30of the last octet in IP address before the data is transferred to
                                Google, which means masking the last octet. 31



                                As stated above regarding Google's measures, it is not clear from Google's response whether
                                this action occurs before the transfer or if the entire IP address is transferred to the United States and
                                truncated only after the transfer to the United States. From a technical point of view, it has thus not

                                shown that after the transfer there is no potential access to the entire IP address before
                                the last octet is truncated.


                                Even if the truncation were to occur before the transfer, it is not a sufficient measure,
                                because the truncated IP address can be combined with other data,
                                as IMY stated above in section 2.2.2. A truncation of an IP address means that

                                only the last octet is masked, which itself can only be one of 256 options
                                (ie in the range 0-255) and because the truncated IP address is distinguishable

                                from other IP addresses, this data can be combined with other data (according to
                                above in section 2.2.2) and enable identification, which in itself is sufficient to determine
                                if the data together constitute personal data. Although the masking of last

                                the octet constitutes an integrity-enhancing measure, as it limits the scope of de
                                information to which authorities can gain access (in third countries), IMY states that it nevertheless
                                can connect the transferred data to other data that is also transferred to

                                Google LLC (in third countries).

                                Against this background, IMY notes that neither the additional measures which

                                taken by CDON in addition to the additional measures taken by Google is sufficient
                                effective in preventing US intelligence agencies from accessing

                                the personal data or render such access ineffective.

                                2.4.2.3.3 The Privacy Protection Authority's conclusion

                                The IMY finds that CDON's and Google's actions are neither individually nor collectively
                                effective enough to prevent US intelligence agencies from obtaining
                                access to the personal data or render such access ineffective.


                                Against this background, IMY finds that neither standard contract clauses nor the others

                                measures invoked by CDON may provide such support for the transfer as specified in Chapter
                                V in the data protection regulation.


                                With this transfer of data, CDON therefore undermines the level of protection for
                                personal data of data subjects guaranteed in Article 44 of the Data Protection Regulation.


                                IMY therefore notes that CDON AB is in breach of Article 44 of the data protection regulation.


                                3 Choice of intervention


                                3.1 Legal regulation


                                In the event of violations of the data protection regulation, IMY has a number of corrective measures
                                powers to be available according to Article 58.2 a–j of the data protection regulation, among other things
                                reprimand, injunction and penalty fees.




                                30 IP address truncation means that asterisks or zeros replace other digits in the last octets (the last digits of an IP
                                address, a number between 0 and 255).
                                31 See above in the section on what CDON has stated, under the heading "Additional protective measures taken".



                                                              Page 20 of 25 The Swedish Privacy Agency Diary number: DI-2020-11397 21(25)
                                Date: 2023-06-30






                                IMY shall impose penalty fees in addition to or in lieu of other corrective measures

                                as referred to in Article 58(2), depending on the circumstances of each individual case.


                                Each supervisory authority must ensure that the imposition of administrative
                                penalty charges in each individual case are effective, proportionate and dissuasive. The
                                stated in Article 83.1 of the Data Protection Regulation.


                                In article 83.2 of the data protection regulation, the factors that must be considered in order to
                                decide whether an administrative penalty fee should be imposed, but also at

                                the determination of the amount of the penalty fee. If it is a question of a smaller one
                                breach will receive the IMY as set out in recital 148 instead of imposing a

                                penalty fee issue a reprimand according to article 58.2 b of the regulation. Consideration shall
                                in the assessment, aggravating and mitigating circumstances in the case are taken into account, such as
                                the nature, severity and duration of the breach and previous breaches of

                                relevance.


                                The EDPB has adopted guidelines on the calculation of administrative penalty fees according to
                                the data protection regulation which aims to create a harmonized method and principles
                                for calculation of penalty fees. 32


                                3.2 Should a penalty fee be imposed?


                                IMY has found above that the transfers of personal data to the USA that take place via
                                The Google Analytics tool and which CDON is responsible for violations of Article 44 i
                                data protection regulation. Violations of that provision can according to Article 83

                                incur penalty charges.


                                In light of, among other things, the fact that CDON transferred a large amount of personal data, that
                                the processing has been going on for a long time and that the transfer meant that
                                the personal data could not be guaranteed the level of protection given in the EU/EEA is

                                don't ask about a minor infraction. CDON must therefore be charged a penalty fee for
                                the established violation. See also further below under 3.3 for a detailed

                                description of the seriousness of the violation.

                                3.2.1 At what amount should the penalty fee be determined?

                                When determining the maximum amount of a penalty charge to be imposed on a company
                                shall the definition of the concept of company be used as used by the EU Court of Justice
                                application of Articles 101 and 102 of the TFEU (see recital 150 i

                                data protection regulation). It appears from the court's practice that this includes every entity
                                that carries out economic activities, regardless of the legal form of the entity and the way of doing so

                                financing as well as even if the unit in the legal sense consists of several physical or
                                legal entities. 33


                                According to Article 83.5 c of the data protection regulation, in the event of a violation of, among other things,
                                article 44 in accordance with 83.2 administrative penalty fees of up to 20 are imposed

                                million EUR or, in the case of a company, of up to 4% of the total global
                                the annual turnover during the previous budget year, depending on which value is the highest.


                                IMY assesses that the company's turnover to be used as a basis for calculation of
                                the administrative sanction fee is CDON's annual report for the year 2022. The company


                                32EDPB's guidelines 8/2020 Guidelines 04/2022 on the calculation of administrative fines under the GDPR (adopted for
                                public consultation on 12 May 2022).
                                33 See Judgment in Akzo Nobel, C-516/15, EU:C:2017:314, point. 48



                                                               Page 21 of 25The Swedish Privacy Agency Diary number: DI-2020-11397 22(25)
                                 Date: 2023-06-30






                                 had a turnover of approximately SEK 461,000,000 during that budget year. This amount is less than 20

                                 million EUR and of this the penalty fee can be determined in an amount of up to 20
                                 EUR million.


                                 When determining the size of the penalty fee, IMY shall take into account the violation

                                 seriousness and taking into account both aggravating and mitigating circumstances
                                 determine an administrative sanction amount that is effective in the individual case,

                                 proportionate and dissuasive.


                                 IMY assesses that the following factors are important for the assessment of the infringement
                                 seriousness.


                                 As regards the assessment of the seriousness of the infringement, there is initially
                                 factors which mean that there are reasons to view the violation more seriously. CDON has

                                 transferred a large amount of personal data to third countries. The transfer has meant that
                                 the personal data has not been able to guarantee the level of protection given in the EU/EES which

                                 itself is a serious violation. In addition, it is difficult that the transfer of
                                 personal data has been going on for a long time, i.e. as of August 14, 2020

                                 and are still ongoing, and that they have occurred systematically. IMY also considers that now
                                 approximately 3 years have passed since the European Court of Justice rejected the
                                                                                         34
                                 the commission's decision on an adequate level of protection in the USA whereby the conditions for
                                 transfers of personal data to the United States changed.


                                 In the meantime, the EDPB has made recommendations on the consequences of the judgment

                                 which was out for public consultation on 10 November 2020 and adopted in final form
                                 on 18 June 2021. In addition, several other supervisory authorities within the EU/ESS have

                                 issued orders to cease use of the Tool until
                                 sufficiently effective safety protection measures have been taken by them
                                 personal data controller. The decisions have included cases where the personal data controller

                                 has also taken measures such as "anonymization of IP addresses" in the form of
                                 truncation.35


                                 Although these recommendations and decisions clearly point to the risks of and

                                 the difficulties in ensuring a sufficient level of protection for data transfers to companies
                                 in the US, CDON has not taken its own additional safeguards. Google action
                                                      36
                                 regarding IP address truncation means that it is still possible to distinguish IP
                                 the address, as it can be combined with other data transferred to

                                 third country (to the USA). This enables identification, which means that the data
                                 together constitute personal data.


                                 CDON's website is also a well-visited e-commerce portal that offers goods from

                                 many different suppliers and is available in several countries and in several languages. It's moving
                                 on information about a large number of registered persons in the EU/EEA who can be identified indirectly and



                                 3 Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 according to the European Parliament and the Council
                                 directive 95/46/EC on whether adequate protection is ensured by the privacy shield in the EU and the United
                                 the states.
                                 3Austrian supervisory authority (Datenschultzbehörde) decision of 22 April 2022 regarding complaints Google
                                 Analytics represented by NOYB with local case number 1354838270, French regulatory authority (CNIL) decision
                                 of February 10, 2022 represented by NOYB and the Italian Supervisory Authority (Garante) decision of June 9, 2022
                                 regarding complaint Google Analytics represented by NOYB, local case number 9782890.
                                 36
                                  Truncation of IP address "anonymization of IP address" means that asterisk or zeros replace other digits at the end
                                 octets (the last digits of an IP address, a number between 0 and 255), which itself can only be one of 256 options.
                                 The effect of this action is that it is still possible to distinguish the IP address from the other IP addresses (255
                                 option), as the IP address can be combined with other transmitted data (e.g. device information and
                                 time of the visit) to third countries (to the USA).


                                                               Page 22 of 25 The Swedish Privacy Agency Diary number: DI-2020-11397 23(25)
                                Date: 2023-06-30






                                whose data can be combined with other data about them. Regarding
                                the nature of the data already follows from CDON's own purpose for the processing – i.e.

                                to, among other things, be able to draw conclusions about how the data subjects navigate and find their way around
                                The website, that the data combined makes it possible to draw relatively

                                precise conclusions about the privacy of the data subjects and map them, such as
                                regarding what they buy and what goods they are interested in over time. CDON's analysis
                                of the Tool shows that there are proposals for a solution other than the Tool, but the company

                                has chosen not to introduce this solution due to the fact that such a change would be
                                particularly burdensome for the company. CDON's processing of personal data entails risks
                                for serious infringement of the freedom and rights of individuals, which gives CDON a special

                                responsibilities that entail high requirements for transfers to third countries, where IMY in total
                                assesses that CDON has not demonstrated that the company has carried out a sufficient analysis and mapping

                                and also has not taken the necessary safety measures to limit the risks of
                                those registered.


                                IMY notes at the same time that there are factors that speak in the opposite direction. IMY takes into account
                                the particular situation that arose after the judgment and the interpretation of the EDPB's

                                recommendations, where there was a gap after the transfer tool to the United States
                                according to the Commission's previous decision rejected by the European Court of Justice. IMY also considers
                                that CDON has taken certain, albeit insufficient, measures to limit them

                                personal data transmitted by activating "anonymization of IP addresses"
                                by truncation. This relationship is also taken into account in the assessment of
                                the seriousness of the violations.


                                Overall, IMY assesses, against the background of the reported circumstances, that they

                                the violations in question are of low seriousness. The starting point for the calculation
                                of the penalty fee should therefore be set low in relation to the current maximum amount.
                                There are also reasons to ensure a proportional penalty fee in the individual case

                                already at this stage to further adjust the starting point for the continued calculation
                                downwards taking into account the turnover that is the basis for the calculation of
                                the penalty fee.


                                In addition to assessing the seriousness of the violation, IMY must assess whether it exists
                                any aggravating or mitigating circumstances that become relevant

                                the amount of the penalty fee. IMY assesses that there is no further aggravating factor or
                                mitigating circumstances, in addition to those considered in the assessment of

                                the degree of seriousness, which affects the size of the penalty fee.

                                Based on an overall assessment of the said circumstances and against the background that the

                                the administrative penalty fee must be effective, proportionate and dissuasive
                                IMY assesses that the penalty fee can stay at 300,000 (three hundred thousand) kroner.


                                3.3 Other interventions


                                In light of the established violation, IMY makes the assessment that CDON must
                                ordered according to article 58.2 d of the data protection regulation to ensure that the company's
                                processing of personal data within the framework of the company's use of the tool

                                Google Analytics complies with Article 44 and other provisions of Chapter V.
                                This shall be done in particular by ceasing to use that version of the tool


                                37Austrian supervisory authority (Datenschultzbehörde) decision of 22 April 2022 regarding complaint Google
                                Analytics represented by NOYB with local case number 1354838270, French regulatory authority (CNIL) decision
                                of February 10, 2022 represented by NOYB and the Italian Supervisory Authority (Garante) decision of June 9, 2022
                                regarding complaint Google Analytics represented by NOYB, local case number 9782890.



                                                              Page 23 of 25 The Swedish Privacy Agency Diary number: DI-2020-11397 24(25)
                               Date: 2023-06-30






                               Google Analytics as used on August 14, 2020, if not sufficient

                               protective measures have been taken. The measures must be completed no later than one month after
                               this decision gained legal force.










                               This decision has been taken by the general manager Lena Lindgren Schelin after a presentation
                               by lawyer Sandra Arvidsson. In the final proceedings, the chief justice also has

                               David Törngren, unit manager Catharina Fernquist and IT-och
                               information security specialist Mats Juhlén participated.


                               Lena Lindgren Schelin, 2023-06-30 (This is an electronic signature)


                               Appendix
                               Appendix 1 – Information on payment of penalty fee


















































                                                             Page 24 of 25 The Swedish Privacy Agency Diary number: DI-2020-11397 25(25)
                                Date: 2023-06-30






                                4 Appeal reference


                                4.1 How to Appeal

                                If you want to appeal the decision, you must write to the Swedish Privacy Agency. Enter in
                                the letter which decision you are appealing and the change you are requesting. The appeal shall

                                have been received by the Privacy Protection Authority no later than three weeks from the day you received it
                                part of the decision. If the appeal has been received in time, send
                                The Privacy Protection Authority forwards it to the Administrative Court in Stockholm
                                examination.


                                You can e-mail the appeal to the Privacy Protection Authority if it does not contain
                                any privacy-sensitive personal data or information that may be covered by

                                secrecy. The authority's contact details appear on the first page of the decision.




















































                                                              Page 25 of 25