VG Wiesbaden - 6 L 738/21.WI
VG Wiesbaden - 6 L 738/21.WI | |
---|---|
Court: | VG Wiesbaden (Germany) |
Jurisdiction: | Germany |
Relevant Law: | Article 4(7) GDPR, Article 24 GDPR, Article 48 GDPR, Article 49 GDPR, Article 79 GDPR |
Decided: | 01.12.2021 |
Published: | |
Parties: | RheinMain University of Applied Sciences |
National Case Number/Name: | 6 L 738/21.WI |
European Case Law Identifier: | |
Appeal from: | |
Appeal to: | Not appealed |
Original Language(s): | German |
Original Source: | rewis.io (in German) |
Initial Contributor: | Giel Ritzen |
The Administrative Court of Wiesbaden ordered the RheinMain University of Applied Sciences to stop using the consent manager “Cookiebot” to obtain users’ consent, because website visitors’ personal data was unlawfully transferred to the United States.
English Summary
Facts
The controller is the RheinMain University of Applied Sciences. On its website (https://www.hs-rm.de), it used the consent manager “Cookiebot” to obtain users' consent to the use of cookies, and the "Google Tag Manager". The data subject regularly visits the website to look for specialist literature in its online catalogue, and found that their IP address is automatically transmitted to Google’s server each time they visit the website, without their having given consent. In addition to their IP address, all kinds of information on the hardware and software of the user’s terminal device is sent, i.e., the accessed website, their operating system and its version, the browser and its version, the screen resolution etc.
Moreover, Cookiebot is a service offered by the Danish provider Cybot. Although the company is established in Denmark, the target domain “consent.cookiebot.com” refers to a server with an IP address registered with the US-based cloud company Akamai Technologies Inc. (hereafter: Akamai). Although the server might be located in the EU, the cloud company has access to the data on this server. Therefore, the US Cloud Act applies, which means that US governmental agencies can request access to this data, without a court order or mutual legal assistance agreement.
After the data subject had written three warning letters to the controller, the latter responded on 7 June 2021 that it no longer used the Google Tag Manager, but refused to submit to the obligation to cease and desist regarding Cookiebot. Hence, on 8 June 2021, the data subject applied for interim relief.
Holding
The Court upheld the appeal and ordered the controller to terminate the integration of Cookiebot for the purpose of obtaining consent on its website, since the transmission of personal data is unlawful.
First, it noted that the data subject could invoke the right to an effective judicial remedy, pursuant to Article 79 GDPR, and that this provision does not have a blocking effect for further judicial remedies. Second, the Court confirmed that the conditions of the right to injunctive relief have been fulfilled. It considered that the controller processes the unabridged IP address of the data subject, after which the company behind “Cookiebot”, Cybot, also processes this IP address. Although the controller claimed that this was an anonymised version of the IP address, it follows from the information provided by Cybot that this is not the case. Moreover, the Court noted, referring to Breyer (Case C-582/14), that an IP address is personal data. Because Cybot uses the processing services of Akamai by storing their data on its servers, a data transfer to a third country, namely the USA, takes place. The Court acknowledged that the data might be stored on the servers of the European affiliate of Akamai, namely A Technologies GmbH. However, according to the Court, this was irrelevant since the company's headquarters are located in Cambridge, Massachusetts, USA.
Then, the Court stated that this transfer is inadmissible according to Article 48 and Article 49 GDPR. Because Akamai is an American company, it is subject to the US Cloud Act, and therefore obliged to disclose all data in its possession. There is no international agreement between the EU and USA to serve as a legal basis, so Article 48 GDPR does not apply. Moreover, the Court considered that none of the conditions referred to in Article 49(1) and Article 49(2) GDPR is fulfilled, so this provision also does not apply. Lastly, the Court stipulated that the controller is responsible for the data transfer, pursuant to Article 24, in conjunction with Article 4(7) GDPR, although the controller does not transmit the data itself. The Court concluded that, because the controller embedded Cookiebot on its website, it indirectly decided on the purposes of the processing.
Comment
The Court's reasoning can be regarded as questionable, since there are a number of implications. First, the Court never evaluated whether a transfer actually occurred, but assumed it. Second, although the Court acknowledged the use of standard contractual clauses, the Court did not refer to the SCCs in its decision, and only discussed the lawfulness of the data transfer in relation to Article 48 and Article 49 GDPR. Third, the Court never assessed whether the US Cloud Act would undermine the SCCs as safeguards.
For more detail, read the following contribution on the IAPP's website.
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
The respondent is also responsible for this data processing within the meaning of Art. 24, Art. 4 Clause 7 GDPR. Accordingly, the person responsible is the body that alone or jointly with others decides on the purposes and means of processing personal data. This is the case here. By deciding to use the "C [xxx] bot" service on its website, the respondent in any case decides on the means of data processing. Because just by integrating the service on its website, it decides that the collection and transmission of the personal data of the website users, which are also stored on Ak., take place. It also decides indirectly on the purposes of the processing. Because, knowing the information provided by Cy. and Ak., which it has obtained at the latest in the course of the present proceedings, it can decide for or against the service being used on its website and thus data processing possibly also taking place for the purposes specified by Cy. or Ak.; conversely, by removing the service, it can ensure that the data processing for these purposes no longer takes place. For subsequent processes, such as storage and use by Ak., it may no longer be jointly responsible, as this is a different phase of data processing (see ECJ, judgment of July 29, 2019 - C-40/17 - Fashion-ID, marginal number 79, 84). It is responsible for the collection and transmission to Ak., which are triggered directly by the integration of the service on the website of the respondent. According to the case law of the ECJ, the responsibility of an actor, especially in the context of joint responsibility, does not depend on the fact that every responsible person has access to the relevant personal data (ECJ, ruling of July 10, 2018 - C-25/17 - Jehovah's Witnesses, para. 69).