After an extensive investigation, the Swedish Data Protection Authority (IMY) has decided that four companies, CDON, Coop, Dagens Industri and Tele2, must stop using Google Analytics for visitor statistics. This determination is based on complaints from the NGO None of Your Business (NOYB), in light of the European Court of Justice’s so-called Schrems II judgement.
The investigation revealed that these companies transferred personal data (IP addresses) to the United States through Google Analytics, in violation of the GDPR, the current data protection regulation. Under this regulation, personal data can only be transferred to third countries if the European Commission has decided that the country in question has an adequate level of protection for personal data, which the US is currently not considered to have.
The following quotes can be found in the various decisions:
“At the time of the complainant’s visit, the aforementioned identifiers (as referred to in paragraph 1 above) were put into cookies named “_gads”, “_ga” and “_gid” and subsequently transferred to Google LLC. Those identifiers were created for the purpose of distinguishing individual visitors, such as the complainant. The unique identifiers thus make visitors to the Website identifiable. Although such unique identifiers (as per point 1 above) would not in themselves be considered to render individuals identifiable, it must nevertheless be taken into account that in the present case these unique identifiers can be combined with additional elements (as per points 2 to 4 above) and that it is possible to draw conclusions in relation to information (as per points 2 to 4 above) that would render data personal, notwithstanding the fact that the IP address was not transmitted in its entirety”
This can also be read in the different decisions:
“As regards Google’s “IP address anonymisation” measure in the form of truncation24 , it is not clear from Google’s response whether this measure takes place before the transfer, or whether the full IP address is transferred to the US and shortened only after the transfer to the US. Thus, from a technical point of view, it has not been demonstrated that there is no potential access to the full IP address before the last octet is truncated.
Against this background, IMY concludes that the additional safeguards taken by Google are not effective, as they do not prevent the ability of US intelligence agencies to access the personal data or render such access ineffective.”
To address this, at Angry Creative we offer our clients a transition to Matomo, a web analytics programme that provides full control over the data. Unlike remotely hosted services (such as Google Analytics, Webtrends or Adobe Analytics), you install Matomo on your own server and the data is tracked inside your database. This gives you full control over your data and eliminates the risk of transferring personal data to the US.
Read more about the decision here: https://www.imy.se/nyheter/fyra-bolag-maste-sluta-anvanda-google-analytics/
