The Swedish Authority for Privacy Protection (IMY) fined Tele2 SEK12 million ($1.1 million) for breaching GDPR rules, following an audit of how the operator used Google Analytics services.

IMY stated it audited four companies in total following complaints filed by an Austria-based organisation focusing on digital privacy, which argued personal data was transferred to the US through Google Analytics and was therefore in violation of GDPR.

Data protection regulations allow personal data to be transferred to third parties outside of the EU if the European Commission has decided the country in question has an adequate level of protection, IMY explained.

However, the European Court of Justice ruled the US could not be considered to have protective measures which correspond to the GDPR at the time covered by the audits, IMY explained.

The audit concerned a version of Google Analytics from 2020, when the initial complaint was filed.

Other companies audited by the authority include financial newspaper Dagens Industri, retailer Coop and online marketplace CDON, which also faced a penalty worth SEK300,000.

IMY stated it fined Tele2 and CDON for not taking “the same extensive protective measures” as the other companies.

The authority noted Tele2 recently stopped using Google Analytics, through which it transmitted personal data including IP addresses and cookies from web browsers to the US.

IMY added its decision “have implications not only for these four companies but for other organisations that use Google Analytics”.