Case Study

IMY Rules Against Google Analytics: Four Companies Must Stop Using the Service

by Berner Setterwall
July 3, 2023
The Swedish Authority for Privacy Protection (IMY) has ordered four companies to cease their use of Google Analytics due to improper data transfer to the USA, highlighting the importance of server-side tracking solutions.

Background

On July 3, 2023, the Swedish Authority for Privacy Protection (IMY) made a significant ruling that has far-reaching implications for companies using Google Analytics. Four major companies - CDON, Coop, Dagens Industri, and Tele2 - were ordered to stop using Google Analytics due to concerns over the transfer of personal data to the United States.

The Ruling

The investigation by IMY revealed several critical issues:

  1. Unauthorized Data Transfer: The companies were found to be transferring personal data to the US through Google Analytics without adequate protection measures.
  2. Insufficient Safeguards: The existing measures were deemed inadequate to protect against potential access by US intelligence services.
  3. GDPR Violations: The data transfers were found to violate Chapter V of the GDPR, which governs international data transfers.

Impact and Implications

This ruling has significant implications for businesses operating in Sweden and the EU:

  1. Immediate Compliance Required: The affected companies must cease using Google Universal Analytics.
  2. Broader Impact: The decision sets a precedent for other companies using similar analytics tools.
  3. Need for Alternative Solutions: Companies must seek GDPR-compliant alternatives for web analytics.

Server-Side Tracking as a Solution

The ruling highlights the importance of server-side tracking solutions:

  1. Data Control: Server-side tracking allows companies to:

    • Control where data is processed and stored
    • Filter sensitive information before it leaves the EU
    • Implement proper anonymization techniques
  2. Compliance Benefits:

    • Keep data processing within EU jurisdiction
    • Implement proper consent management
    • Maintain transparency in data handling

Recommendations for Companies

  1. Audit Current Setup:

    • Review all analytics tools in use
    • Identify potential data transfer risks
    • Document data flows and processing activities
  2. Implement Server-Side Solutions:

    • Move to server-side tracking where possible
    • Ensure data stays within EU jurisdiction
    • Implement proper data filtering and anonymization
  3. Update Privacy Measures:

    • Strengthen consent management
    • Update privacy policies
    • Document compliance measures
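
The filtering step named under Server-Side Tracking and in recommendation 2, shown as an added example (not code from this article or from any analytics vendor): a collection endpoint inside the EU reduces each hit to an allowlisted set of fields before anything is forwarded. The field names, the query-parameter allowlist and the key are assumptions; the keyed hash is pseudonymization, not anonymization.

```python
import hashlib
import hmac
import ipaddress
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed for this example: field names, the allowlist and the redaction pattern.
ALLOWED_QUERY_KEYS = {"utm_source", "utm_medium", "utm_campaign"}
EMAIL_RE = re.compile(r"[^/\s@]+@[^/\s@]+\.[A-Za-z]{2,}")

def truncate_ip(ip: str) -> str:
    """Zero the host part: keep a /24 for IPv4 and a /48 for IPv6."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)

def scrub_url(url: str) -> str:
    """Keep allowlisted query keys only, drop the fragment, redact e-mail-like path text."""
    parts = urlsplit(url)
    query = [(k, v) for k, v in parse_qsl(parts.query) if k in ALLOWED_QUERY_KEYS]
    path = EMAIL_RE.sub("redacted", parts.path)
    return urlunsplit((parts.scheme, parts.netloc, path, urlencode(query), ""))

def pseudonymize(client_id: str, day: str, key: bytes) -> str:
    """Daily-rotating keyed hash; the raw client id never leaves the server."""
    return hmac.new(key, f"{day}:{client_id}".encode(), hashlib.sha256).hexdigest()[:16]

def filter_event(raw: dict, key: bytes):
    """Return the reduced event that may be forwarded, or None when consent is missing."""
    if not raw.get("consent"):
        return None
    return {  # user agent, cookies and every other field are dropped by omission
        "event": raw["event"],
        "page": scrub_url(raw["url"]),
        "ip_prefix": truncate_ip(raw["ip"]),
        "visitor": pseudonymize(raw["client_id"], raw["ts"][:10], key),
    }

# Constructed sample hit, as a first-party collection endpoint might receive it.
SAMPLE = {"event": "page_view", "consent": True, "ip": "203.0.113.77",
          "client_id": "GA1.2.1234.5678", "ts": "2023-07-03T10:15:00Z",
          "user_agent": "Mozilla/5.0",
          "url": "https://shop.example/account/anna@example.com/orders"
                 "?utm_source=mail&email=anna@example.com#top"}

if __name__ == "__main__":
    print(filter_event(SAMPLE, key=b"constructed-demo-key"))
```

Building the output from an allowlist rather than deleting known-bad fields means a field added to the client later is not forwarded until someone decides it should be.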

Conclusion

The IMY ruling against Google Universal Analytics serves as a wake-up call for companies relying on client-side analytics tools. Server-side tracking emerges as a viable solution to maintain analytics capabilities while ensuring GDPR compliance. By taking control of data processing and implementing proper safeguards, companies can continue to gather valuable insights while respecting user privacy and regulatory requirements.