Google Analytics Data Privacy Practices Under Scrutiny in Europe
Following similar actions taken by Austria, France, and Italy last year, the Swedish data protection agency has advised businesses against using Google Analytics due to concerns associated with American government spying.
The development follows an audit that the Swedish Authority for Privacy Protection (IMY) conducted on behalf of the four businesses CDON, Coop, Dagens Industri, and Tele2.
In its audits, IMY considers that the data transferred to the U.S. via Google’s statistics tool is personal data because the data can be linked with other unique data that is transferred. The authority also concludes that the technical security measures that the companies have taken are not sufficient to ensure a level of protection that essentially corresponds to that guaranteed within the EU/EEA
The data protection authorities also penalized Swedish telecom service provider Tele2 $1.1 million and local online marketplace CDON less than $30,000 for failing to put in place sufficient security measures to anonymize the data before the transfer.
Additionally, Google Analytics usage has been prohibited for CDON, Coop, and Dagens Industri. According to reports, Tele2 voluntarily stopped utilizing the service.
Our Readers ALSO READMeta’s Threads App Launching Blocked in Europe Over Privacy Concerns
The investigation, the IMY added, was based on a complaint filed by the privacy non-profit None of Your Business (noyb) alleging violations of the General Data Protection Regulation (GDPR) laws.
The ruling stems from the fact that such E.U.-U.S. data transfers have been determined to be unlawful due to potential surveillance concerns that data held on U.S. computers may be accessible by the nation’s intelligence services.
Similar issues caused European Union data protection authorities to impose a record $1.3 billion fine on Meta. However, a new data transfer agreement between the EU and the US, known as the E.U.-US Data Privacy Framework, is currently being finalized to replace the previously invalid Privacy Shield.