Jul 06

The Swedish supervisory authority IMY has issued fines for improper use of Google Analytics and ordered companies to stop using the tool; the EU-U.S. Data Privacy Framework could potentially be finalized by late July; and the EU Commission has published a proposal for an additional Regulation supplementing the GDPR.

The Swedish supervisory authority (IMY) has audited how four companies – CDON, Coop, Dagens Industri and Tele2 – transfer personal data to the U.S. via the Google Analytics tool. The audit concerns a version of Google Analytics from 14 August 2020 and is based on complaints filed by Max Schrems’ NOYB after the Schrems II ruling issued by the European Court of Justice (CJEU).

As the IMY’s official press release explains, ‘All four companies have based their decisions on the transfer of personal data via Google Analytics on standard contractual clauses. From IMY’s audits, it appears that none of the companies’ additional technical security measures are sufficient. IMY issues an administrative fine of 12 million SEK against Tele2 and 300,000 SEK against CDON, which has not taken the same extensive protective measures as Coop and Dagens Industri. Tele2 has recently stopped using the statistics tool on its own initiative. IMY orders the other three companies to stop using the tool’. All four decisions are already published on the IMY official website.

According to Sandra Arvidsson (IMY’s legal advisor), ‘These decisions have implications not only for these four companies, but can also provide guidance for other organisations that use Google Analytics’.
***
Meanwhile, according to European Commissioner for Justice Didier Reynders, the EU-U.S. Data Privacy Framework could be finalized by late July.

As the IAPP’s Data Protection Digest states, ‘the U.S. Department of Justice still needs to finalize steps to implement the executive order. The next step will be for the European Commission to put its draft adequacy decision to a vote before the member states. Companies will then have three months to comply with new requirements under the DPF. Many will surely celebrate the fact they will have fewer transfer impact assessments to complete’.

***
The EU Commission published a proposal for an additional Regulation supplementing the GDPR. According to the Explanatory Memorandum, the new Regulation is aimed at tackling issues in such areas as complaints, procedural rights of parties under investigation, cooperation and dispute resolution. In particular, the proposal “provides a form specifying the information required for all complaints under Article 77 GDPR concerning cross-border processing and specifies procedural rules for the involvement of complainants in the procedure, including their right to make their views known”, “provides the parties under investigation with the right to be heard at key stages in the procedure, including during dispute resolution by the Board”, etc.
