Swedish DPA Imposes Penalties for Data Transfers to Meta
The Swedish Data Protection Authority (IMY) has recently imposed penalties of €3.2 million on Apoteket AB and €698,000 on Apohem AB. These fines come after an investigation revealed that both companies used Meta's Pixel tool inappropriately, resulting in the unauthorized transfer of privacy-sensitive personal data to Meta’s advertising platforms.
According to IMY, Apoteket and Apohem inadvertently transmitted sensitive personal information due to the activation of a new sub-function in Meta Pixel. This function led to the transfer of data concerning non-prescription drugs for various health issues, including self-tests and treatment of venereal diseases, but did not involve prescription medications. The data breach persisted for an extended period before being rectified.
Shirin Daneshgari Nejad, a lawyer at IMY, emphasized the need for stringent data protection measures. "Processing this type of privacy-sensitive personal data involves high risks that entail requirements for a high level of protection," she said.
IMY’s review highlighted that Apoteket and Apohem lacked the necessary routines to identify and address the data transfer issues independently. Maja Welander, another lawyer at IMY, noted that the companies’ failure to detect the deficiencies internally allowed the problem to continue until external sources alerted them.
Broader Regulatory Context
This enforcement action is part of a broader regulatory trend addressing data privacy violations. Recently, Swedish regulators also fined Avanza Bank AB €1.3 million for unlawfully transferring personal data to Meta's advertising platforms. Avanza's violation involved the improper configuration of Meta Pixel, leading to the transfer of sensitive financial information about up to 1 million customers over 18 months. The case against Avanza underscores the critical nature of proper data handling and compliance, especially in the financial sector where the stakes are particularly high.
The fines against Apoteket and Apohem, along with the substantial penalty imposed on Avanza, illustrate a growing regulatory focus on ensuring robust data protection practices across different industries. Both cases send a strong message that inadequate data protection, particularly involving third-party platforms, will result in severe consequences.
Following the revelation of these issues, Apoteket and Apohem have updated their internal procedures to improve data processing security. Both companies reported the breaches to IMY in 2022 and have since taken corrective measures to align with GDPR requirements.
The IMY’s recent actions, alongside the record fine against Avanza, reflect an intensified crackdown on data privacy breaches, reinforcing the need for stringent data protection measures in the digital age.