Background to the audits conducted by the Swedish DPA
In response to complaints lodged by the non-profit organization NOYB, the Swedish DPA initiated audits targeting four companies and their utilization of the Google Analytics tool. These complaints emerged in the wake of the CJEU’s momentous ruling in Schrems II, which declared the use of Standard Contractual Clauses for EU-US data transfers to be insufficient. Given that the Google Analytics tool involves the transfer of personal data to the United States, data controllers are obligated to implement additional security measures to safeguard the privacy of the transmitted information. However, disconcertingly, numerous companies persist in employing this tool without adequate safety precautions in place, as was the case with the four audited companies.
Findings of the audits
The Swedish DPA found that all four companies transferred personal data through Google Analytics on the basis of Standard Contractual Clauses, but failed to implement additional security measures to protect the transferred personal data.
As the CJEU pointed out in the Schrems II case, when personal data is transferred to the United States, the use of Standard Contractual Clauses is not enough to ensure the security of personal data, and additional security measures must be implemented. All four companies audited by the Swedish DPA used Google Analytics and transferred personal data on the basis of SCCs without ensuring additional technical and organizational measures. This resulted in a fine of 12 million SEK (about 1 million Euro) on Tele2 and a fine of 300,000 SEK (about 25500 EUR) on CDON for using Google Analytics on their webpages despite the CJEU's ruling in the Schrems II case.
What is next?
Is this significant fine issued by the Swedish DPA a red signal for other market participants? There is no unequivocal answer, as on the 10th of July the European Commission adopted its adequacy decision for the EU-US Data Privacy Framework. The decision concludes that the US ensures an adequate level of protection – comparable to that of the EU – for personal data transferred from the EU to US companies under the new framework.
- the use of cookie walls may be permitted subject to some considerations in Austria;
- the Danish DPA recently stated that cookie walls can be used legally under four circumstances;
- it is possible to use a cookie wall by following guidance from the German DPA that needs to be considered.
The content of this article is intended to provide a general guide to the subject matter. If you need assistance regarding a specific situation related to the use of cookies, or have any other question related to personal data protection, please consult the experts of ECOVIS ProventusLaw.
This review was prepared by internationally certified ECOVIS ProventusLaw data protection expert Milda Šlekytė and junior associate Julija Ginotytė