The EDPB 101 Task Force published a report summarizing its assessment on international data transfers in connection with the use of tracking and analytics cookies (Tracking Cookie). The report is available here. The 101 Task Force comprises of representatives of the supervisory authorities in the EU (SA) and was created back in 2020, in response to the 101 complaints filed by NYOB, a data privacy activism group, regarding data transfers in connection with the use of Tracking Cookies.

Legal effect of the report

The EDPB highlights at the beginning of report that the findings are not legally binding and, depending on circumstances, the SAs might take different views in the future on case-by-case basis. The report however represents the common denominator of the SAs and offers useful guidance on the SAs’ stance regarding data transfers and interpretation of relevant GDPR provisions.

  1. Transfers of personal data

The SAs agreed that before assessing the lawfulness of international data transfers within the meaning of Chapter V of the GDPR, controllers must ensure that all other provisions of the GDPR are complied with. For example, the 101 Task Force concluded that if personal data is collected on a website without a legal basis within the meaning of Article 6(1) of the GDPR, the data processing is unlawful, even if there were no issues with the requirements of Chapter V GDPR.

The report then focuses on international data transfers in connection with the use of Tracking Cookies. The report stresses that after the CJEU Schrems II judgment data transfers based on the invalidated EU-US Privacy Shield are not compliant with the GDPR. Moreover, the 101 Task Force reiterates that safeguards must be in place before any data transfers are carried out. Therefore, using standard data protection clauses (SCCs) with retroactive effect – as argued by one of the website operators in one of the 101 cases – is not permissible.

Finally, the 101 Task Force recalls that even if SCCs are used, additional measures must be implemented to address the deficiencies identified in the CJEU Schrems II judgment. With regard to the use of Tracking Cookies, the 101 Task Force determines that encryption by the data importer was not a suitable measure if the importer had legal obligations to provide cryptographic keys to governmental agencies. They also concluded that anonymization functions, such as IP address anonymization, were not suitable if they took place only after data was transferred to a third country. Additionally, when an EU processor acted as a data exporter on behalf of the website provider which is a controller, the controller was also responsible and could be liable under Chapter V of the GDPR.

  1. Principle of accountability

As controllers, website operators must carefully examine whether the tools used comply with data protection requirements. The 101 Task Force reiterates that the accountability principle requires every data controller to be able to demonstrate that appropriate safeguards have been ensured in data processing operations. Further, the 101 Task Force stresses that the compliance onus is not only on controllers but in certain circumstances, also on the respective providers of tools who process personal data.

  1. Allocation of data protection roles 

Finally, the Task Force agrees that website operators may be liable for the processing of personal data in connection with Tracking Cookies as data controllers as they decide to use such tools. They thus determine the “purposes and means” of processing under Article 4(7) GDPR.

However, the degree of liability must be determined on a case-by-case basis, considering the functions and options of the Tracking Cookies as well as factual circumstances. Agreements between providers and controllers, under Article 28 or Article 26 of the GDPR, do not limit the SAs’ authority to assess the specific situation.

What’s next?

The report is generally a good overview over the issues that the SAs in the EU currently review in connection with Tracking Cookies. It neither raises any new issues nor provide answers how Tracking Cookies by non-EU/EEA providers should be used. For example, the report does not provide guidance on sufficient supplementary measures that could be specifically implemented for Tracking Cookies.

The publication of the report highlights that Tracking Cookies and connected international data transfers are still a hot topic for SAs – at least until the new adequacy decision for EU-US data transferred has been finalized.