The Swedish data protection watchdog has warned companies against using Google Analytics due to risks posed by U.S. government surveillance, following similar moves by Austria, France, and Italy last year.
The development comes in the aftermath of an audit initiated by the Swedish Authority for Privacy Protection (IMY) against four companies CDON, Coop, Dagens Industri, and Tele2.
“In its audits, IMY considers that the data transferred to the U.S. via Google’s statistics tool is personal data because the data can be linked with other unique data that is transferred,” IMY said.
“The authority also concludes that the technical security measures that the companies have taken are not sufficient to ensure a level of protection that essentially corresponds to that guaranteed within the EU/EEA.”
The data protection authority also fined $1.1 million for Swedish telecom service provider Tele2 and less than $30,000 for local online marketplace CDON failing to implement adequate security measures to anonymize the data prior to the transfer.
Furthermore, CDON, Coop, and Dagens Industri have been ordered to cease using Google Analytics. Tele2 is said to have voluntarily stopped using the service.
The investigation, the IMY added, was based on a complaint filed by the privacy non-profit None of Your Business (noyb) alleging violations of the General Data Protection Regulation (GDPR) laws.
The decision is rooted in the fact that such E.U.-U.S. data transfers have been found illegal in light of potential surveillance worries that data stored in U.S. servers could be subject to access by intelligence agencies in the country.
Similar concerns have led to Meta being levied a record $1.3 billion fine by European Union data protection agencies. That said, the E.U. and U.S. are in the process of finalizing a new data transfer arrangement, called the E.U.-U.S. Data Privacy Framework, that replaces the now-invalid Privacy Shield.