Swedish DPA, Google Analytics, and GDPR
Image generated with Midjourney based on this article content*

What if you were told that using Google Analytics could result in a hefty fine? This isn't a hypothetical scenario. The recent actions of the Swedish Data Protection Authority (DPA) flooded my LinkedIn newsfeed this morning. noyb.eu filed 101 complaints, leading to the Swedish DPA fining companies for using Google Analytics and ordering them to cease its use.

The link below will lead you to the Swedish DPA ruling (in English):

And noyb highlights:

"Following noyb’s 101 complaints on unlawful EU-US data transfers, the Swedish data protection authority (IMY) issued decisions against four companies and imposed a fine of 12 mio SEK (1 mio Euro) against telecommunication provider Tele2 and 300.000 SEK against online retailer CDON for using Google Analytics on their webpage. Although many other European authorities (e.g. Austria, France and Italy) already found that the use of Google Analytics violates the GDPR, this is the first financial penalty imposed on companies for using Google Analytics, despite the CJEU's rulings on EU-US data transfers."

Here's a quick rundown from some #dataprivacy experts in the field you should follow:

  • Cory Underwood highlighted, "All companies are ordered to cease GA usage." In fact, "all" as in "those affected by this ruling", not "all" as in "ALL!"... but still... you get the point! What the ruling says is "These decisions have implications not only for these four companies, but can also provide guidance for other organisations that use Google Analytics" (emphasis mine).
  • Brian Clifton noted, "I do not see the version number of GA making any difference to this judgement" - a sentiment with which I concur.
  • PrivacyDesigner / Pekka Lampelto pointed out, "Organisations relied on Standard Contractual Clauses as a transfer mechanism but did not implement supplementary measures."
  • Niamh Phelan reminded us of the 2020 case: "In July 2020, DPC v’s Facebook Ireland (Schrems II), the European Union Court of Justice (CJEU) struck down Privacy Shield as US cannot be trusted with European’s data."
  • Federico Marengo emphasised the urgency of "reaching an agreement for the transatlantic transfer of data."

My Take

As a long-standing advocate for #dataethics in #marketing and #analytics, I've often repeated the #NoConsentNoTracking mantra, sometimes to the displeasure and incomprehension of my fellow #digitalmarketing & #digitalanalytics colleagues.

Every week, something new reinforces my belief in the #NoConsentNoTracking principles I put forth.

This ruling is just the latest example of why transparency, consent, and control - beyond what the Law imposes - are so important. Just take the recent actions against companies like Criteo - fined 40M euros "for failing to verify that the persons from whom it processed data had given their consent".

Another example can be found in my recent newsletter, where I was referring to a service that scrapes your LinkedIn profile and enriches it with a psychographic personality analysis (see "The Risks of Hyper-Personalization at Scale") - without the concerned data subject's knowledge, consent and control.

On the brighter side, I see some organizations taking steps towards greater transparency. For example, an organization I was talking to decided to not wait for the new Canadian Bill C-11 and embrace good practices like Data Privacy Impact Assessments (DPIA) and simple disclosure of their data practice.

The importance of this ruling cannot be overstated. It could affect not only Google, but logically, every single company relying on #martech, #adtech, and #tech from vendors in the US. It's not just about the fact that data is being transferred to the US - the fact that the company itself is registered in the US is equally significant. On that point, eight #privacy experts at Norton Rose Fulbright, who I trust know what they are talking about, said in February 2022, "Deactivating US cookies/migrating to EU based adtech vendors: Consider deactivating US cookies and operating the EU facing website or app with EU adtech vendors only. Although practically speaking, migrating to EU based adtech vendors may be difficult."

This case and others like it serve as a reminder of the critical importance of understanding our data flows. We need to know where our data is going, who is receiving it, and how it is being protected (btw, PrivacyDesigner is an awesome solution for this!). In light of today's events, it's clear that the use of Standard Contractual Clauses alone may not ensure #GDPR compliance.

As companies continue to grapple with these challenges, the need for transparency, ethical data practices, and user consent and control becomes more evident. This is not just about compliance with regulations - it's about respecting the privacy and rights of individuals. In the long term, companies that embody the essence of the law, going beyond mere minimal compliance, are the ones poised for success.

So, what's your next move? Have you explored alternatives to Google Analytics that are not US-based? Is your organization merely ticking off legal compliance boxes, or is it striving to exceed expectations by championing transparency, consent, and control as fundamental values?


Don't hesitate to reach out if you would like me to speak to your audience about #digitalmarketing, #digitalanalytics, #dataprivacy or the use of #generativeAI in marketing & analytics.

If you've made it this far and you want to support me, you can Buy Me a Coffee!

This text has been proofread and improved with the help of ChatGPT.


* The image heading this article was generated with the following Midjourney prompt: "Visualize the concept of data ethics in the digital landscape. The content should be a maze made of binary code, with a person at the entrance holding a torch that illuminates the path ahead. The torch should represent transparency, consent, and control. The medium should be hyper-realistic photography, with a style that combines elements of cyberpunk aesthetics and film noir. The lighting should be low-key and high contrast, with the torch casting a warm, inviting light against the cold, blue hue of the binary code. The colors should be predominantly blue and orange, creating a visually striking contrast. The composition should be a wide-angle shot, taken with a Nikon D850 DSLR, Nikkor 14-24mm f/2.8 lens, Resolution 45.7 megapixels, ISO sensitivity: 25,600, Shutter speed 1/8000 second. The focus should be on the person and the entrance of the maze, with the rest of the maze fading into the background. --ar 16:9 --v 5.1 --style raw --q 2 --s 750"

Philippa Gamse

Helping business decision-makers with digital marketing and business strategy insights that increase revenue and stop wasting money | Fast results, starter packages | Google Analytics | Consulting, speaking, author

1 year ago

Hi Stephane, Is it your understanding that it makes no difference if #GA4 is being used rather than UA, with consent mode, etc.?

Gérard S.

Marketing Technology & Analytics Lead

1 year ago

Unfortunately, Quebec companies are not going to change. The taste for the easy way, and above all old... habits. But at some point they will no longer have a choice.
