Sweden’s data-protection watchdog found that the 2020 version of Google Analytics presented data-breach security issues and consumer privacy concerns. An audit suggests the Google tool breached the privacy rules and risks posed by U.S. government surveillance.

It has also warned other companies against the use of Google Analytics, suggesting companies stop using the tools.

The Swedish Authority for Privacy Protection (IMY) fined Tele2 $1.1 million (SEK12 million) for breaching General Data Protection Regulation (GDPR) rules, following an audit of how the operator used Google Analytics services.

Notably, the audit supported a version of Google Analytics from 2020, when the initial complaint was filed.

IMY audited certain companies after complaints were filed by an Austria-based organization that focuses on digital privacy: The financial newspaper Dagens Industri, retailer Coop, and online marketplace CDON, which also faced a financial penalty. This also includes Tele2.

The organization argued that personal data was transferred to the U.S. through Google Analytics and was in violation of GDPR. The regulator pointed to the use of IP address truncation, an anonymization measure.

Data protection regulations, per the IMY, allow personal data to be transferred to third parties outside of the EU if the European Commission has determined that the country in question has an adequate level of protection.

The notice of the audit, posted on the IMY website, stated that IMY considers the data transferred to the U.S. via Google’s statistics tool is personal data because the data can be linked with other unique data that is transferred, the regulator wrote in a statement.

The IMY, based on the audit, concludes that none of the companies’ additional technical security measures are sufficient.

Tele2 has recently stopped using the statistics tool on its own. IMY ordered the other three companies to stop using the tool, too.

The IMY’s audit and the action taken have implications not only for these four companies, but can also provide guidance for other organizations that use Google Analytics, said IMY Legal advisor Sandra Arvidsson.

An audit suggests the Google tool breached the privacy rules and risks posed by U.S. government surveillance. It has also warned other companies against the use of Google Analytics, suggesting companies stop using the tools.