Sweden’s data protection authority has fined two companies for using Google Analytics, citing violations of the European Union’s General Data Protection Regulation (GDPR) due to the risk of data being obtained by the US government. The agency also warned other companies against using Google’s analytics tool, TechCrunch reports.
The fines, amounting to just over $1.1 million for Swedish telecommunications company Tele2 and less than $30,000 for local online retailer CDON, are the first of their kind since a series of privacy complaints targeting Google Analytics in August 2020.
The regulator found that the additional measures Google applied to European user data sent to the US for processing were insufficient to meet the required legal standard. This concerns, in particular, Google’s truncation of IP addresses, which is one method of anonymization. The authority said that Tele2 did not specify whether the truncation was done before or after the data was transferred to the US, thus failing to demonstrate that there was “no potential access to the entire IP address before the last octet was truncated”.
The authority also found GDPR violations in the use of Google Analytics by two other companies, Coop and Dagens Industri, but did not impose fines in these cases. It concluded that the technical security measures taken by these companies were insufficient to provide a level of protection substantially equivalent to that guaranteed within the EU/EEA.
All four companies relied on standard contractual clauses as the basis for transferring personal data through Google Analytics. However, the authority found that the additional technical security measures taken by the companies were not sufficient.
The Swedish data protection authority also highlighted that a number of data protection authorities in the European Union, including those in France and Italy, warn against the use of Google Analytics due to the same data transfer problem.
Google responded to these fines with the following comment:
“People want the websites they visit to be well designed, easy to use, and respectful of their privacy. Google Analytics helps publishers understand how well their sites and apps are working for their visitors — but not by identifying individuals or tracking them across the web. These organizations, not Google, control what data is collected with these tools, and how it is used. Google helps by providing a range of safeguards, controls and resources for compliance.”
The EU and the US are currently finalizing a third data transfer agreement, called the EU-US Data Protection Framework, which is expected to be concluded at the end of this month. However, there are legal challenges to the new agreement, and various institutions in the EU have expressed concern that some aspects of the revised agreement do not go far enough to address the concerns of European lawmakers.