noyb win: First major fine (€ 1 million) for using Google Analytics
Following noyb’s 101 complaints on unlawful EU-US data transfers, the Swedish data protection authority (IMY) issued decisions against four companies and imposed a fine of 12 million SEK (1 million euro) on telecommunications provider Tele2 and 300.000 SEK on online retailer CDON for using Google Analytics on their websites. Although many other European authorities (e.g. Austria, France and Italy) have already found that the use of Google Analytics violates the GDPR, this is the first financial penalty imposed on companies for using Google Analytics despite the CJEU's rulings on EU-US data transfers.
- Press statement by the Swedish DPA (EN)
- Decision against CDON (EN autotranslation)
- Decision against Coop (EN autotranslation)
- Decision against Dagens Industri (EN autotranslation)
- Decision against Tele2 (EN autotranslation)
CJEU found EU-US transfers illegal (in most cases). In 2020 the CJEU found that EU-US data transfers are largely illegal, given the vast surveillance options of the US Government. However, many EU businesses continue to use services of Google, Meta, Microsoft, Amazon and the like. Many companies ignore these rulings and rely on claims about "supplementary measures" and so-called Standard Contractual Clauses ("SCCs"). noyb filed 101 complaints in 2020 against users of Google and Facebook services in basically all EU Member States.
Previous decisions in other EU Member States. Since then, other European Data Protection Authorities have already found that the continued use of Google Analytics was breaching EU law (see e.g. the decisions in Austria, France and Italy). The case law was therefore clear, but many businesses still resist complying with the law.
First Financial Penalty. The Swedish IMY is now the first Data Protection Authority that not only found the transfers illegal and ordered them to stop, but also issued a (major) fine on two companies: Tele2 (a Swedish telecom) and CDON (a Swedish online retailer). Two other companies (Coop and Dagens Industri) got away without a penalty.
Google's "Supplementary Measures" not sufficient. The IMY also highlighted that so-called "supplementary measures" were not sufficient. Google has so far largely pointed EU business users to these measures to allegedly overcome shortcomings in US law. This has now (again) been rejected by an EU regulator.
Marco Blocher: "Finally, a DPA has imposed a significant fine for the continued use of a tool that transfers personal data to the United States in violation of the GDPR – and banned the further use of that tool. This is a pleasant change compared to other DPAs simply holding that there has been a violation but creating no incentive to comply in the future. We hope that other DPAs follow the Swedish DPA's example and put an end to unlawful data transfers."
Upcoming Agreement. The EU and the US announced a new agreement in the spring of 2022. So far it is not finalized, but it is said to be issued this month. Given that the new deal is structurally the same as the two previous deals, it is very likely that the CJEU will again annul it.