German Court Rules Transfer of Personal Data to US-Based Cookie Provider Requires Cross-Border Mechanism Under GDPR, Even if Data Never Leaves EEA
On December 1, 2021, a Wiesbaden Administrative Court in Germany held that companies may not use a cookie management provider that relies on a US-based service to collect personal data, regardless of whether data leaves the European Economic Area (EEA), without an adequate transfer mechanism. Article 44 of the General Data Protection Regulation (GDPR) prohibits “transfers” of personal data from the EEA to another jurisdiction unless a specific transfer mechanism (set forth in Articles 45 through 48) is in place or a derogation from the prohibition (Article 49) applies. The ruling here assumes that a cross-border “transfer” subject to Article 44 occurs—even if data never actually leaves the EEA—if the recipient of data may formally be subject to data production requests by non-EEA authorities. This reasoning, if adopted outside of the cookie context and by other courts and data protection authorities, could effectively prohibit US-based companies from processing personal data in the EEA without ensuring appropriate transfer mechanisms and additional safeguards are in place.
RhineMain University of Applied Sciences (RMU), based in Wiesbaden, Germany, used a consent management platform called “Cookiebot” to store the cookie preferences of its end users. After a user set her cookie preferences, Cookiebot would collect, among other things, the user’s IP address, URL, and a randomly assigned unique “user key.” This data was stored locally by RMU to honor the user’s preferences and by Cookiebot to satisfy the demonstrable proof of consent required under the GDPR. Although Cookiebot is based in Denmark, it used a US-based content delivery network—Akamai Technologies Inc.—to collect this data.
A user of the RMU website sued and asked the court to stop RMU from using the Cookiebot tool. The user argued that because the service used a US-based content delivery network to collect this data, it was a transfer subject to Article 44 for which RMU did not establish a proper transfer mechanism, even though Akamai may have stored the Cookiebot data on EEA servers rather than in the United States.
The court granted the user’s application and temporarily enjoined RMU from using Cookiebot. The court held that the mere use of a US-based provider to collect personal data was an unlawful “transfer” of data to a third country pursuant to Article 44 of the GDPR for two reasons. First, starting from the position that the data in question constituted “personal data” subject to the GDPR, the court reasoned that a US cloud provider could be obligated to produce all data in its possession, custody, or control to US agencies under the Clarifying Lawful Overseas Use of Data Act (CLOUD Act), regardless of whether the data is stored inside or outside the United States. The court opined that the transfer was impermissible because the CLOUD Act could be used to compel disclosure of personal data in the absence of “an international agreement, such as a mutual legal assistance treaty” and would thus be in violation of Article 48. Second, the court found that none of the derogations permitting cross-border transfers under Article 49 would apply. Notably, the court did not opine on whether the standard contractual clauses (SCCs) adopted under Article 46(2)(c) provided a legal basis for transfer, because the parties did not execute the SCCs, presumably because they did not believe a transfer was occurring. The court observed, though, that even if the parties had entered into the SCCs, the SCCs alone would not be sufficient because the parties had not undertaken any additional protective measures contemplated by the SCCs against inadmissible data transfers to the United States.
Although interim and subject to appeal, this Wiesbaden decision is important because it arguably expands the definition of “transfers” beyond actual exports of personal data, subjecting virtually all processing activities involving a company with operations in any third country to the limitations of Article 44. Several specific aspects of the decision are significant:
- First, the decision rests on an assumption that an unlawful data transfer can occur even where the data is stored in and never leaves the EEA.
- Second, the location of a company is not a dispositive factor in assessing whether a transfer has occurred. The decision seems to include even an EEA-based company in the analysis if it is also subject to non-EEA law that might require the production of data to a foreign government regardless of where the data is stored.
- Third, given the relatively low-risk data at issue in the case (i.e., IP addresses and cookie preferences), the decision suggests that even minor processing activities may be curtailed.
- Finally, although the court did not consider whether the SCCs could remain a viable transfer mechanism under the circumstances, its decision could drive EEA-based companies with US affiliates to enter into the SCCs, even where the US affiliates have no hand in processing the data at issue. This would, in turn, require contracting parties—all in the EEA—to institute additional protective measures to prevent unlawful disclosures in the United States. This represents a possible upheaval both philosophically and practically and may pose significant additional burdens for multinational companies.
For questions about compliance with the GDPR, contact the authors or any of the members of our Privacy, Cybersecurity & Data Strategy team.
© Arnold & Porter Kaye Scholer LLP 2022 All Rights Reserved. This blog post is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.