Swedish telecommunications company Tele2 has been fined SEK 12 million (€1.01m) by the Swedish Authority for Privacy Protection (IMY) for breaching GDPR regulations with its use of Google Analytics.
Following 101 complaints from non-profit organisation None of Your Business (NOYB) about unlawful data transfers from the EU to the US, the IMY found that Tele2 and three other Swedish companies (CDON, Coop and Dagens Industri) had unlawfully transferred data between the EU and USA.
The illegal data transfers reportedly took place as a result of the company’s use of Google Analytics following a ruling by the European Court of Justice (CJEU) in August 2020 that prohibited the transfer of personal data to the US.
The European data security code GDPR stipulates that the transfer of personal data to third party countries – those outside of the EU/EEA – may only take place if the European Commission decides that they have an “adequate level of protection for personal data”. In the Schrems II ruling in 2020, the CJEU deemed that the US does not meet these criteria, and therefore the actions of Tele2 were unlawful.
In its investigation, IMY noted that the data shared to the US through Google Analytics is considered personal because the data can be linked with other unique data that is transferred.
Audits by the IMY also showed that additional security measures taken by Tele2 to mitigate this security risk when transferring data to the US were insufficient by EU standards. The security measures used by Tele2 and CDON were not as extensive as those implemented by Coop and Dagens Industri, hence the former companies were fined while the latter companies were not.
Tele2 has recently halted its use of Google Analytics independently, and the other three companies have been ordered to stop by IMY.