The state university RheinMain (Hochschule RheinMain) may no longer embed the Cookiebot service on its website www.hs-rm.de. The Wiesbaden Administrative Court ruled this in an urgent procedure. Cookiebot asks users to consent to the storage of cookies on their end device. The legal problem: doing so transfers data from website visitors to the servers of a US company.
The cease-and-desist application, which has now been granted, was filed by a user who regularly consults the university library's online catalog for specialist literature. He complained that the consent manager of the Danish provider Cybot transmitted data such as his IP address to a server of the US-based cloud company Akamai Technologies. Even if the server in question is possibly located in the EU, the US group has access to it, so the US Cloud Act, with its broad query powers for US authorities, applies.
The responsible chamber of three judges sees it the same way: since Akamai's headquarters are in the US state of Massachusetts, Cookiebot leads to a transfer that is not permitted under the General Data Protection Regulation (GDPR) (case no. 6 L 738/21.WI). Akamai is subject to the Cloud Act, which obliges US service providers to "disclose all data in their possession, custody or control", regardless of where it is stored. In view of the Schrems II decision of the European Court of Justice (ECJ), this practice is inadmissible.
Responsibility lies with the operator of the website
Cookiebot does not ask users for consent to a transfer of personal data to the USA, nor does it inform them of the associated risks, the administrative court stated. The university is responsible for the data collection that is triggered immediately on page load and for the transfer to Akamai.
With this decision, as far as can be seen, a German court has dealt with the relationship between the Cloud Act and the GDPR for the first time. In doing so, it followed the relevant statements of the European Data Protection Board (EDPB) on Schrems II, the ruling in which the ECJ overturned the Privacy Shield agreement on data transfers to the USA.
The judges consider a data transfer requiring justification to exist whenever the parent company of a cloud provider is based in the USA. This applies not only to Akamai but also to other cloud giants such as Amazon, Microsoft, Google, Apple and Cloudflare. If the decision is confirmed in the main proceedings and subsequently becomes final, it should have an impact far beyond the university and Cookiebot.
A standard contractual clause alone is not enough
The educational institution had relied on a standard contractual clause said to have been concluded between Cybot and Akamai. According to the university, only the "anonymized" IP address (last octet set to zero), the date and time of consent, the browser's user agent, the URL, an anonymous, random and encrypted key, and the consent status are transmitted to Cybot. Insofar as an unabridged IP address is sent to Akamai to establish the connection to the servers, the university says it is neither processed nor stored.
The applicant argued that the Akamai server was evidently processing plaintext data. At most, transport encryption could be involved, and such a measure does not constitute a sufficient safeguard within the meaning of the Schrems II decision. This view was confirmed by an expert from the office of the Hessian data protection commissioner.
The court referred to a statement by Cybot according to which the IP address is not anonymized. Even if the cookie service transmits the unabridged IP address only once, when it is loaded, this already constitutes "processing of personal data which is significant in terms of data protection law".
The "anonymous" key does not rule out an "individualization" on the basis of the other data, the judges add. The user can be singled out even if his name is not known; the key is therefore a data item that can be related to a person. The university can appeal the urgent decision within two weeks. A final ruling is in any case reserved for the main proceedings.
Lawyer: “Spectacular Decision”
Jonas Breyer, the applicant's lawyer, spoke to heise online of a "spectacular" decision. In his view, an inadmissible data transfer also occurs with website plugins that are hosted and loaded by a cloud service with a US connection. Not least, this applies to social network tools, Google Analytics, reCAPTCHA or YouTube, US video conferencing services and other online functions from US providers.
The court made it clear that whether cookies are personal data must always be assessed in the context of the additional, usually extensive data collected alongside them. The ECJ had previously stated that, for a lawful transfer to the USA, standard contractual clauses would have to be supplemented by suitable additional technical and organizational measures such as encryption, the data protection expert explained.
The common US providers have so far generally dispensed with such safeguards. Their services are therefore "regularly not usable in a legally compliant manner". Even employers who have their employees use such services are legally responsible. As a possible solution, Breyer sees, in addition to end-to-end encryption, trustee models of the kind Microsoft has tried out with T-Systems and Google intends to launch.