VG Wiesbaden - 6 L 738/21.WI
|VG Wiesbaden - 6 L 738/21.WI
|VG Wiesbaden (Germany)
|Article 4(7) GDPR
Article 24 GDPR
Article 48 GDPR
Article 49 GDPR
Article 79 GDPR
|RheinMain University of Applied Sciences
|National Case Number/Name:
|6 L 738/21.WI
|European Case Law Identifier:
|rewis.io (in German)
The Administrative Court of Wiesbaden ordered the RhineMain University of Applied Sciences to stop using the consent manager “Cookiebot” to obtain user’s consent, because website visitor’s personal data was unlawfully transferred to the United States.
English Summary[edit | edit source]
Facts[edit | edit source]
Moreover, Cookiebot is a service offered by the Danish provider Cybot. Although the company is established in Denmark, the target domain “consent.cookiebot.com” refers to a server with an IP address registered with the US-based cloud company Akamai Technologies Inc. (hereafter: Akamai). Although the server might be located in the EU, the cloud company has access to the data on this server. Therefore, the US Cloud Act applies, which means that US governmental agencies can request access to this data, without a court order or mutual legal assistance agreement.
After the data subject had written three warning letters to the controller, the latter responded on 7 June 2021 that it no longer used the Google Tag Manager, but refused to submit the obligation to cease and desist regarding Cookiebot. Hence, on 8 June 2021, the data subject applied for interim relief.
Holding[edit | edit source]
The Court upheld the appeal and ordered controller to terminate the integration of Cookiebot for the purpose of obtaining consent on its website, since the transmission of personal data is unlawful.
First, it noted that the data subject could invoke the right to effective judicial remedy, pursuant to Article 79 GDPR, and that this provision does not have a blocking effect for further judicial remedies. Second, the Court confirmed that the conditions of the right to injunctive relief have been fulfilled. It considered that the controller processes the unabridged IP-address of data subject, after which the company behind “Cookiebot”, Cybot, also processes this IP-address. Although the controller claimed that this was an anonymised version of the IP-address, it follows from the information provided by Cybot that this is not the case. Moreover, the Court noted, referring to Breyer (Case C-582/14), that an IP address is personal data. Because Cybot uses the processing services of Akamai by storing their data on its servers, a data transfer to a third country, namely the USA, takes place. The Court acknowledged that the data might be stored on the servers of the European affiliate of Akamai, namely A Technologies GmbH. However, according to the Court, this was irrelevant since the company's headquarters are located in Cambridge, Massachusetts, USA.
Then, the Court stated that this transfer is inadmissible according to Article 48, and Article 49 GDPR. Because Akamai is an American company, it is subject to the US Cloud Act, and therefore obliged to disclose all data in their possession. There is no international agreement between the EU and USA to serve as a legal basis, so Article 48 GDPR does not apply. Moreover, the Court considered that none of the conditions referred to in Article 49(1) and Article 49(2) GDPR is fulfilled, so this provision does also not apply. Lastly, the Court stipulated that the controller is responsible for the data transfer, pursuant to Article 24, in conjunction with Article 4(7) GDPR, although the controller does not transmit the data itself. The Court concluded that, because the controller embedded Cookiebot on its website, it indirectly decided on the purposes of the processing.
Comment[edit | edit source]
Although one must consider that this decision is one of the first decisions in this particular field, and there is not a lot of case law to build on, one can also ask questions about the Court's reasoning. First, the Court never evaluated whether a transfer actually occurred, but it assumed it. Second, although the Court acknowledged the use of standard contractual clauses, the Court did not refer to the SCC's in its decision, and only discussed the lawfulness of the data transfer in relation to Article 48 and Article 49 GDPR. Third, the Court never assessed whether the US Cloud Act would undermine the SCC's as safeguards.
However, it seems that the University have lodged an appeal against this decision, since the decision has been made more than two weeks ago, and a party must lodge an appeal within two weeks of the decision pursuant to § 146 (1) VwGO. Hence, it will be the Hessian Administrative Court in Kassel that will decide whether the reasoning of the Administrative Court of Wiesbaden will be upheld.
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the German original. Please refer to the German original for more details.