Sweden-based telecoms company Tele2 has been fined 12 million kronor (1 million euros) by the Swedish data protection authority for breaching the General Data Protection Regulation (GDPR). The company was found to be using Google Analytics to track users on its websites, which was classified as a violation of the GDPR. Similarly, online retailer CDON has been ordered to pay a symbolic fine of 300,000 kronor (25.39 euros) for the same offense. Two other companies, Coop and Dagens Industri, received warnings but escaped fines as they had implemented better protective measures.
The fines were imposed in light of the “Schrems II” judgment of the European Court of Justice (ECJ) in 2020, which invalidated the transatlantic “Privacy Shield” and impacted the transfer of customer data to the USA. Max Schrems and the data protection association Noyb submitted 101 model complaints across several EU countries, including Sweden. The Swedish supervisory authority, Integritetsskyddsmyndigheten (IMY), determined that the data transmitted to the USA via Google Analytics was personal information and that the security measures implemented by the four companies were insufficient to ensure adequate protection.
While it is possible to use standard contractual clauses for data transfers to third countries, additional steps must be taken to secure the data against external access. Tele2 recently stopped using Google Analytics on its own initiative, and the IMY instructed the other three companies to do the same. The agency emphasized that the decisions should serve as a guide for other organizations still using the service.
Noyb welcomed the penalties imposed by the authority, stating that it is essential for companies to comply with data protection laws. The activists also raised concerns about the new data protection framework between the EU and the USA, stating that it structurally resembles the previously repealed agreements and may face legal challenges in the future.