cyber daily logo

Breaking news and updates daily. Subscribe to our Newsletter

Breaking news and updates daily. Subscribe to our Newsletter X facebook linkedin Instagram Instagram

Ditch Google Analytics, says Swedish data protection agency

The Swedish Authority for Privacy Protection, or IMY, has ordered four companies to cease using Google Analytics following an audit of the transfer of data between them and the US.

user icon David Hollingworth
Wed, 05 Jul 2023
expand image

During the audits, IMY found that the data being transferred could be considered personal data, as it can be linked with “other unique data” being shared with Google Analytics.

As such, IMY found that the security measures those companies had in place to ensure the protection of that data were inadequate.

Further, according to a prior European Union ruling, known as the Schrems II judgement, the US is not considered to have the required level of data protection regulations in place for the transfer of such data.


The General Data Protection Regulation, or GDPR, states that such sharing of data is only allowed if those levels of protection are in place.

One of the companies so ordered, Swedish telco Tele2, has stopped using Google Analytics of its own accord but has still been hit with a 12 million Swedish kronor (about $1.6 million) fine. The three other companies — CDON, Coop, and Dagens Industri — have all been ordered to stop using Google Analytics, and CDON has also been hit with a smaller 300,000 Swedish kronor fine.

“All four companies have based their decisions on the transfer of personal data via Google Analytics on standard contractual clauses,” IMY said in a release on the matter. “From IMY’s audits, it appears that none of the companies’ additional technical security measures are sufficient.”

Sandra Arvidsson, the legal adviser who led the audits, believes other companies should take note of the ruling.

“By the fact that IMY has decided on these cases at the same time, it is made clear what requirements are placed on technical security measures and other measures when transferring personal data to a third country, in this case, the United States,” Arvidsson said.

“These decisions have implications not only for these four companies, but can also provide guidance for other organisations that use Google Analytics.”

In other words, tighten up your security measures if you’re an EU company wanting to take advantage of Google Analytics.

The Swedish ruling follows similar decisions made by France, Austria, and Italy last year.

David Hollingworth

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.

cd intro podcast

Introducing Cyber Daily, the new name for Cyber Security Connect

Click here to learn all about it
cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.