The Swedish Privacy Authority (IMI) has recommended corporations against using Google Analytics over surveillance risks that may arise from the US government's involvement. The warning comes amid rising questions over the legality of moving data from Europe to the US under rules such as the General Data Protection Regulation (GDPR).

Following a complaint from the privacy organization NOYB, IMI examined four Swedish companies: CDON, Coop, Dagens Industri, and Tele2. IMI audits discovered violations of GDPR and data transfer rules, resulting in penalties of$30,000 and$1.1 million for CDON and Tele2. According to experts, the punishments set a significant precedent. Tele2 and CDON want to appeal the decision claiming that the fines are disproportionate but have stated that they would obey the instructions. The EU and US policymakers are discussing a new data transfer agreement to replace Privacy Shield. Still, opponents claim it would not prevent US eavesdropping or empower Europeans in US courts.