Sweden’s privacy regulator has ordered three local companies to stop using Google LLC’s ubiquitous Google Analytics service.

The decision, which was made public today, follows several similar regulatory developments in other European Union member states. They all relate to a landmark verdict called Schrems II that the EU’s top court issued in 2020. That verdict has led to increased scrutiny of how tech giants process user data.

Google Analytics is a free service that companies use to measure their website traffic. The Swedish Authority for Privacy Protection, which is also known as IMY, recently conducted a probe into how four local companies use the service. It determined their use of Google Analytics breached GDPR.

One of the four companies, a local internet provider called Tele2 AB, stopped using Google Analytics on its own initiative. The other three have been ordered by IMY to follow suit. Additionally, the regulator fined Tele2 and one of the three other companies over their Google Analytics usage practices.

At the heart of the matter is the fact that Google Analytics transfers EU users’ information to U.S. data centers for processing. For several years, that practice was permitted under a legal framework called Privacy Shield. But in 2020, the EU’s top court struck down Privacy Shield, limiting companies’ ability to move personal user data outside the EU.

Companies can still transfer personal data outside the bloc using a legal mechanism called standard contractual clauses. However, such clauses must be used in conjunction with certain “additional safeguards.” The Swedish Authority for Privacy Protection determined that none of the four companies it investigated met this requirement with their Google Analytics deployments, which is why it ordered them to stop using the service.

The regulator detailed its decision in an announcement titled “companies must stop using Google Analytics.” Furthermore, the regulator stated that its decision “can provide guidance for other organisations” that rely on the service. That suggests local companies’ use of Google Analytics could potentially face more scrutiny going forward.

The regulator’s decision follows similar rulings in several other EU member states. Last year, Austria’s data protection regulator concluded that a local website’s use of Google Analytics breached the GDPR privacy regulation. Since then, regulators in France and Italy have issued similar decisions.

Google Analytics is not the only service that has been facing increased scrutiny since the Privacy Shield data transfer agreement was struck down in 2020. This past May, Meta Platforms Inc. was fined €1.2 billion for transferring EU users’ personal information to the U.S. in breach of GDPR.

Last year, the U.S. and EU signed a preliminary agreement to let companies such as Google continue sending user information to stateside data centers. The agreement is designed to replace the Privacy Shield framework that was struck down in 2020. It’s expected to be finalized by October.

Image: Google