The Swedish Privacy Authority (Integritetsskyddsmyndigheten – IMY) has fined two companies SEK 12.3 million (€1 million/$1.1 million) for using Google Analytics and warned two others against the same practice.

In a decision published yesterday, the agency explains that by using Google Analytics to generate web statistics, the companies violated the European Union’s General Data Protection Regulation (GDPR).

Specifically, the companies breached GDPR Article 46(1), which prohibits the transfer of personal data to countries or international organizations that lack safeguards for security and legal redress mechanisms.

The United States has been identified as a risk location for the storage of European user data, in accordance with the Judgment “Schrems II” of July 2020where the Court of Justice of the European Union (CJEU) ruled that any transfer of data to the United States under the then existing mechanism, “Privacy Shield”, was unlawful.

This breach is the same for which the Irish Data Protection Commission (DPC) Meta fined $1.3 billion for the transfer of user data based in the EU to servers in the United States

IMY, following the filing of a relevant complaint by the Austrian digital rights organization None of Your Business (NOYB), conducted audits to determine the type of data that the Google Analytics tool sends to the United States and concluded that it was personal information.

The audits concerned a version of the Google Analytics tool from August 14, 2020.

“IMY considers the data transferred to the United States via the Google statistics tool to be personal data because the data may be linked to other unique data that is transferred”, States.

The four companies that have been reprimanded are:

Tele2 SA – an Internet and telecommunications service provider in Sweden, recently decided on its own initiative to no longer use Google Analytics.

The other three organizations are ordered to stop using Google Analytics and put in place adequate data protection measures no later than one month after IMY’s decision, which was announced on June 30, 2023.

The use of Google Analytics has again been found to be non-compliant with the GDPR by data protection authorities in Austria, FranceAnd Italy.

However, IMY’s decision to impose financial penalties on violators makes it the first of its kind.

These decisions also serve as an industry-wide guide, and other companies using Google Analytics may decide to adjust their strategy to comply with EU rules and regulations.