Swedish Authority for Privacy Protection (IMY) and Google Analytics

IMY has reviewed the use of Google Analytics by Swedish companies and found that the transfer of personal data to the US may violate GDPR. The decision has had major consequences for how Swedish companies work with web analytics. We summarize IMY's decision, what it means in practice, and what alternatives are available.
In 2022, Sweden's data protection authority, IMY (Integritetsskyddsmyndigheten), joined several other European authorities in ruling that the use of Google Analytics violated GDPR. The decisions specifically addressed the transfer of personal data to the United States and had immediate implications for any Swedish organization using Google Analytics. This article explains what IMY decided, the broader European context, and what it means for your analytics practice.
What IMY Decided
IMY found that using Google Analytics resulted in the transfer of personal data to the US, where it was not adequately protected under GDPR standards. Even with Google's standard contractual clauses and supplementary measures, IMY concluded that the protections were insufficient to prevent potential access by US intelligence agencies. Several Swedish organizations were ordered to stop using Google Analytics or implement additional safeguards that would prevent personal data from reaching US servers.
The key issue was that Google Analytics, as implemented by most websites, transmitted data (including IP addresses and other identifiers) to Google's servers in the United States. Under the Schrems II ruling, such transfers required adequate protection, and IMY determined that the measures in place were not sufficient.
The Investigation Process
IMY's investigation was part of a coordinated effort across European data protection authorities, guided by the EDPB. The European digital rights organization NOYB (led by Max Schrems) filed complaints against websites in multiple EU countries, arguing that their use of Google Analytics violated GDPR because of the US data transfer. This coordinated approach led to a wave of similar decisions across Europe, creating a unified message about the risks of US data transfers.
Broader European Context
IMY's decision did not exist in isolation. Similar rulings were issued across the EU:
- The Austrian data protection authority (DSB) was the first to rule against Google Analytics in January 2022.
- France's CNIL followed with a similar decision in February 2022.
- Italy's Garante issued its ruling in June 2022.
- Several other EU countries reached comparable conclusions through their own investigations.
- The rulings were all based on the Schrems II judgment, which invalidated the EU-US Privacy Shield framework in July 2020.
The EU-US Data Privacy Framework, adopted in July 2023, has since provided a new legal basis for certain US data transfers. This framework partially addresses the concerns raised in these rulings, but its long-term stability remains uncertain, as it could face legal challenges similar to those that brought down the Privacy Shield.
What Changed After the Decision
The IMY decision prompted many Swedish organizations to take action. Some switched to privacy-focused analytics alternatives like Matomo, Plausible, or Fathom. Others implemented server-side tagging to control what data was sent to Google. Some adopted Google Analytics 4 with specific configurations designed to minimize data transfer risks, such as disabling data sharing settings and implementing IP anonymization before data leaves the EU.
What This Means in Practice
If you use Google Analytics, you need to stay informed about the current legal status of EU-US data transfers and ensure your implementation complies with the latest guidance. Practical steps include:
- Implementing server-side tagging to control what data is sent to Google, allowing you to strip personal identifiers before data leaves your server.
- Evaluating privacy-focused analytics alternatives that process data within the EU.
- Ensuring your consent management platform properly blocks analytics scripts until users provide informed consent.
- Reviewing your GA4 configuration settings to minimize data collection and disable features that share data with Google for advertising purposes.
- Maintaining proper documentation of your analytics implementation and the legal basis for any data transfers.
Regardless of which analytics tool you use, maintain proper consent management and ensure your privacy policy accurately describes your data processing activities. The regulatory landscape continues to evolve, and staying informed and adaptable is your best protection against compliance risk.
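The server-side tagging and consent steps above can be combined in one first-party filter. The following JavaScript (Node.js) is an added example, not code from IMY, Google, or any tag-management product. It builds the outbound payload from an allowlist so that user identifiers, full IP addresses, and unapproved query parameters never leave your server. All field names and the sample hit are hypothetical.

```javascript
// Added example: field names (event, pageUrl, referrer, clientIp, userId,
// cookieId) are hypothetical, not a Google Analytics or tag-manager schema.

// Query parameters allowed to survive. Everything else is dropped, because
// query strings often carry e-mail addresses, tokens or click identifiers.
const ALLOWED_QUERY_PARAMS = new Set(["utm_source", "utm_medium", "utm_campaign"]);

// Truncate an IP so it no longer singles out one connection.
// IPv4: zero the last octet. Anything else (IPv6, malformed): drop entirely.
function truncateIp(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip || "");
  if (!m || m.slice(1).some((octet) => Number(octet) > 255)) return null;
  return `${m[1]}.${m[2]}.${m[3]}.0`;
}

// Keep origin, path and allowlisted query parameters; drop the fragment.
function scrubUrl(raw) {
  let u;
  try { u = new URL(raw); } catch { return null; }
  const kept = new URLSearchParams();
  for (const [k, v] of u.searchParams) {
    if (ALLOWED_QUERY_PARAMS.has(k)) kept.append(k, v);
  }
  const qs = kept.toString();
  return u.origin + u.pathname + (qs ? "?" + qs : "");
}

// Build the outbound payload from an allowlist; without consent, send nothing.
function sanitizeHit(hit, consentGranted) {
  if (!consentGranted) return null;
  let referrerHost = null;
  try { referrerHost = new URL(hit.referrer).hostname; } catch { /* no referrer */ }
  return {
    event: String(hit.event || "page_view"),
    page: scrubUrl(hit.pageUrl),
    referrerHost,                  // host only, never the full referring URL
    ip: truncateIp(hit.clientIp),  // userId and cookieId are never copied
  };
}

// Constructed sample hit, as a browser might send it to a first-party endpoint.
const sampleHit = {
  event: "page_view",
  pageUrl: "https://shop.example/checkout?email=anna%40example.se&utm_source=newsletter#step2",
  referrer: "https://mail.example/inbox/msg/4711",
  clientIp: "203.0.113.87",
  userId: "u-99812",
  cookieId: "c.1234.5678",
};
```

Because the payload is assembled from named fields rather than filtered with a denylist, a new identifier added to the client-side hit is dropped by default until someone deliberately allows it.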

