Coop Sverige AB – Complaint Upheld (Sweden, 2023)

[https://www.coop.se/ Coop Sverige AB] (the controller) used Google Analytics tool provided by Google LLC (processor) on its website. For the use of this tool, the controller transferred users’ personal data to the processor, in the US. In 2020, noyb lodged a complaint against the controller with the Austrian DPA, alleging that the transfer of personal data through the use of Google Analytics tool was in violation of the provisions of Chapter V GDPR. The complaint was transferred to the Swedish DPA in its quality of lead supervisory authority pursuant to Article 56 GDPR. Following the complaint, the DPA investigated the data transfers from the controller to the US through the use of Google Analytics. In its defense, the controller explained that the transfer was based on SCC’s concluded with Google Analytics pursuant to Article 46 GDPR and that it put in place additional safeguards. Firstly, the DPA assessed whether the data processed through Google Analytics tool constituted personal data and found that it did. Indeed, generic IP address and users’ unique identifiers collected through cookies were transmitted to Google LLC. The DPA outlined that although such unique identifiers would not make the users identifiable in themselves, they could be combined with additional elements and enable to distinguish individual visitors. Secondly, the DPA held that Coop decided to implement the Google Analytics tool on its website for its own analytics purposes. By determining the means and purposes of the processing, Coop qualified as the controller. Thirdly, the DPA assessed the compatibility of the transfer with Article 44 GDPR and if it was supported by a transfer basis under Chapter V GDPR. Referring to CJEU Schrems II judgment, the DPA noted that the use of SCC’s is not in itself sufficient to achieve an acceptable level of protection in the context of data transfers to the US and that an analysis of the national provisions must be carried out. Under national US law,