After an extensive investigation, the Swedish Authority for Privacy Protection (IMY) has ruled that four companies, CDON, Coop, Dagens Industri, and Tele2, must cease their use of Google Analytics for visitor statistics. The decision is based on complaints from the advocacy group None of Your Business (NOYB), filed in light of the so-called Schrems II ruling by the European Court of Justice. The verdict follows a trend seen all over Europe, with Germany as a leading example.
The investigation revealed that these companies have transferred personal data (IP addresses) to the United States via Google Analytics, which is in violation of GDPR, the current General Data Protection Regulation. According to this regulation, personal data may only be transferred to third countries if the EU Commission has decided that the country in question has adequate data protection, something the United States is currently not considered to have.
The following quote can be found in the decisions:
“During the complainant’s visit, the identifiers mentioned (as per point 1 above) were set in cookies with the names ‘_gads’, ‘_ga’ and ‘_gid’ and then transferred to Google LLC. These identifiers have been created with the purpose of being able to distinguish individual visitors, such as the complainant. The unique identifiers thus make the visitors to the website identifiable. Even if such unique identifiers (according to point 1 above) in themselves would not be considered to make individuals identifiable, it must however be taken into account that these unique identifiers in the current case can be combined with additional elements (according to points 2–4 above) and that it is possible to draw conclusions in relation to information (according to points 2–4 above) which result in data constituting personal data, regardless of whether the IP address has not been transferred in its entirety.”
This can also be read in the various decisions:
“When it comes to Google’s action ‘anonymization of IP addresses’ in the form of truncation, it is not clear from Google’s response whether this action takes place before the transfer, or if the entire IP address is transferred to the USA and only truncated after the transfer to the USA. From a technical perspective, it has therefore not been shown that there is no potential access to the full IP address before the last octet is truncated.
Against this backdrop, the Swedish Authority for Privacy Protection (IMY) states that the additional protection measures taken by Google are not effective, as they do not prevent the possibility of American intelligence services gaining access to personal data, or make such access ineffective.”
To address this, we at Angry Creative offer our clients a transition to Matomo, a web analytics program that gives full control over the data. Unlike remote-hosted services (such as Google Analytics, Webtrends or Adobe Analytics), you install Matomo on your own server and the tracking data is stored in your own database. This gives you full control over your data and eliminates the risk of transferring personal data to the United States.
Read more about the decision here: https://www.imy.se/nyheter/fyra-bolag-maste-sluta-anvanda-google-analytics/