On December 1, 2021, in a much-noted decision, the Administrative Court of Wiesbaden (AC Wiesbaden) handed down a preliminary injunction dealing with international data transfers (case 6 L 738/21.WI, available in German here). In the specific case, there was no data transfer mechanism in place and thus the court ordered the defendant to stop using a cookie consent management platform. Contrary to some reports, the court did not rule that U.S.-based consent management solutions or cookies cannot be used anymore. The injunction can still be appealed and could also be lifted in the main proceedings.
In the specific case, the defendant used the “Cookiebot” consent management platform (CMP) to store the cookie preferences of its end users. The CMP processes data such as each end user’s IP addresses and a “cookie key” (CMP Data). Cookiebot is based in Denmark and uses a U.S.-based hosting provider (Akamai Technologies Inc.) in connection with the Cookiebot CMP and thus transfers the CMP Data to Akamai Technologies Inc.
What did the AC Wiesbaden decide?
The following points were decided in the preliminary injunction:
- The court ordered the defendant to refrain from using the Cookiebot CMP based on the specific facts in the case.
- The court found that personal data is processed when using the Cookiebot CMP. The full IP address is regarded as personal data. It is irrelevant whether the IP address is only processed when the Cookiebot CMP is opened for the first time as the collection and transfer of the IP address is already “processing of personal data” under the GDPR. Further, the “cookie key,” which is an ID that also stores the cookie consent decision of the end user – as well as a version of the cookie banner, the timestamp for the cookie consent decision, and the end user’s location – is also considered to be personal data. The end user is identifiable due to the combination of the cookie key and the IP address.
- The court held that the transfer of the CMP Data to Akamai Technologies Inc. was an unlawful data transfer to a third country in the specific case. There was no data transfer mechanism under chapter V of the GDPR and no derogation under Article 49 of the GDPR applied. The defendant did not provide sufficient evidence that standard contractual clauses were concluded between Cookiebot and Akamai Technologies, Inc. The defendant only provided the standard contractual clauses template. Further, the derogations in Article 49 of the GDPR did not apply, and, in particular, the defendant did not obtain consent for the third country transfers or inform end users of the risks connected to the transfer (Art. 49 (1) (a) GDPR).
- The court also found that the defendant, as the website provider, was the data controller for the collection of the personal data and transfer to Akamai Technologies Inc. by integrating the Cookiebot CMP in its website.
What did the AC Wiesbaden not decide?
Contrary to some press reports, the AC Wiesbaden did not decide that (1) the use of CMP providers that transfer the end user’s cookie consent data to a third country is always unlawful or (2) (going even further) cookie providers in a third country cannot be used anymore.
The facts in the AC Wiesbaden case were quite specific. Apparently, the defendant was not able to provide sufficient evidence that Cookiebot and Akamai Technologies Inc. concluded standard contractual clauses and that sufficient supplementary measures were implemented. The court did not conclude, however, that if standard contractual clauses were concluded, there still was no sufficient safeguard to justify the data transfer. The decision of the AC Wiesbaden – if standard contractual clauses were actually concluded – is rather open.
What does this mean for your organization?
In general, the AC Wiesbaden decision did not come as a surprise. The defendant could not provide evidence for a safeguard to justify the data transfer and no derogation applied.
There are good arguments, however, that the court’s decision would be different if standard contractual clauses were concluded (or another data transfer vehicle was used) to meet the chapter V GDPR requirements, and, if required and appropriate, a proper data transfer impact assessment was conducted as well as supplementary measures being implemented (e.g., encryption measures, such as encryption at rest and in transit, storage on EU services, potentially with third-country access only for maintenance purposes). With regard to the practice in force in the United States, it could be argued that, in particular, cookie consent decision data is not data that is in the focus of U.S. intelligence agencies. The U.S. government confirmed this in its Schrems II Whitepaper: “Companies whose EU operations involve ordinary commercial products or services, and whose EU-U.S. transfers of personal data involve ordinary commercial information like employee, customer, or sales records, would have no basis to believe U.S. intelligence agencies would seek to collect that data.”
The AC Wiesbaden decision was only a preliminary judgment that the defendant can appeal. The decision was not very thorough in many parts. Due to the lack of the provision of the standard contractual clauses, the implications of the decision are rather limited. Due to the significant amount of press attention this decision has caused and the important privacy questions with regard to international data transfers, it would be important if this case would actually get a decision in the main proceedings.
The case also showed how important it is for organizations to sufficiently conclude, sign, and document their agreements with third-party providers, such as their data processing agreements and standard contractual clauses, in particular, now that it has become quite common to accept the agreements in click-through processes.