Four Swedish companies, including Tele2, have been found guilty of unlawful data transfers from the EU to the USA according to the Swedish Data Protection Authority (IMY). These results came on the heels of 101 complaints lodged by non-profit organisation None of Your Business (NOYB). The main concern highlighted was the application of Google Analytics used by the companies, which led to the illicit data transfers, contradicting a ruling by the European Courts of Justice (CJEU) back in August 2020.
Under the European General Data Protection Regulation (GDPR), transmission of personal data to third-party countries, i.e., those outside of the EU/EEA, can only take place under specific conditions. One of these conditions is the requirement for the European Commission to establish that these countries provide an adequate level of protection for personal data.
Nevertheless, in the Schrems II ruling in 2020, the CJEU established that the USA did not meet these requirements. As a result, the activities carried out by Tele2 and the other implicated companies were decreed illegal by the IMY regarding data transfer.
A key aspect of the IMY investigation was the recognition that the data transmitted from the EU to the USA could be classified as personal. This is because the exported data could easily be linked with other unique data.
Yet, one can’t help but notice an interesting finding made evident through IMY audits. It appears that not all companies implicated were equally guilty. The regulatory actions taken by Tele2 and CDON to maintain data security while transferring data were found inadequate by EU standards. On the contrary, the precautions taken by Coop and Dagens Industri were more comprehensive, resulting in no fines for them.
Even though Tele2 independently stopped using Google Analytics, IMY instructed the three remaining companies to cease its use to prevent further transgressions. Consequently, while the illicit use of Google Analytics was at the heart of these recent data transfer issues, IMY’s actions are driving a clear message to all companies to understand and respect the GPDR’s regulations in their operational practices.
In data transfer practices, being vigilant and proactive can never be overstated, especially in light of the ever-evolving global data protection standards. Even if unintentional, non-compliance can lead to significant consequences, especially as regimes worldwide become increasingly strict in their enforcement of data protection laws.
