At the beginning of July, Sweden’s Data Protection Authority (Swedish DPA) made significant waves with its latest work, addressing the outcomes of its audits on the use of Google Analytics. The findings resulted in four impactful decisions, one voluntary suspension of Google Analytics usage, three orders to cease further use, and the issuance of two substantial administrative fines. With this, the Swedish DPA joined the club of regulators worldwide increasing their focus on the use of cookies and other similar technologies.
Background to the audits conducted by the Swedish DPA
In response to complaints lodged by the non-profit organization NOYB, the Swedish DPA initiated audits targeting four companies and their utilization of the Google Analytics tool. These complaints emerged in the wake of the CJEU’s momentous ruling in Schrems II, which declared the use of Standard Contractual Clauses for EU-US data transfers to be insufficient. Given that the Google Analytics tool involves the transfer of personal data to the United States, data controllers are obligated to implement additional security measures to safeguard the privacy of the transmitted information. However, disconcertingly, numerous companies persist in employing this tool without adequate safety precautions in place, as was the case with the four audited companies.
Findings of the audits
The Swedish DPA found that all four companies transferred personal data via Google Analytics on the basis of Standard Contractual Clauses but failed to implement additional security measures to ensure the protection of the transferred personal data.
As pointed out by the CJEU in the Schrems II case, when personal data is transferred to the United States, the use of Standard Contractual Clauses is not enough to ensure the security of personal data, and additional security measures must be implemented. All four companies audited by the Swedish DPA used Google Analytics and transferred personal data on the basis of SCCs without ensuring additional technical and organizational measures. All this resulted in a fine of 12 million SEK (about 1 million Euro) on Tele2 and a fine of 300,000 SEK (about 25,500 EUR) on CDON for using Google Analytics on their webpages despite the CJEU’s ruling in the Schrems II case.
What is next?
Is this significant fine issued by the Swedish DPA a red signal for the other market participants? There is no unequivocal answer, as on the 10th of July the European Commission adopted its adequacy decision for the EU-US Data Privacy Framework. The decision concludes that the US ensures an adequate level of protection – comparable to that of the EU – for personal data transferred from the EU to US companies under the new framework.
On the other hand, the use of cookies is not only a problem of data transfer to third countries and the application of adequate security measures. Using cookies also means properly informing data subjects about the cookies used, avoiding cookie walls, placing cookies only with consent (except strictly necessary ones), etc. Even though EU regulation applies to all EU Member States, we can see different rules applied in different countries. For example, the general rule is that no cookie wall may be used. However, Austria, Denmark and Germany have some exemptions:
- the use of cookie walls may be permitted subject to some considerations in Austria;
- the Danish DPA recently stated that cookie walls can be used legally under four circumstances;
- it is possible to use a cookie wall in Germany by following the guidance from the German DPA, which needs to be considered.
This is only one example showing that the use of cookies is a complex issue and not simply a matter of preparing a cookie policy and placing a cookie banner. When starting to use cookies, companies have to think about the real need for different types of cookies, ways of getting valid consent from data subjects regarding the use of cookies, the provision of related information, and constant updates about the cookies used; in case of data transfer to third countries, they must also consider the assessment of such transfer, the application of additional security measures, compliance with the requirements of the law, etc. The start of imposing fines for using cookies does not mean that the use of Google Analytics or any other type of cookie will be restricted. Rather, it means that companies and organizations are forced to put more effort into seeking full compliance when they use cookies; meanwhile, the providers of cookies shall rethink the compliance of their services too.
The content of this article is intended to provide a general guide to the subject matter. If you need assistance regarding a specific situation related to the use of cookies, or any other question related to personal data protection, please consult the experts of ECOVIS ProventusLaw.
This review was prepared by internationally certified ECOVIS ProventusLaw data protection expert Milda Šlekytė and junior associate Julija Ginotytė.