On Dec. 1, the Wiesbaden Administrative Court issued a first-of-its-kind decision holding that companies cannot use a cookie management provider that relies on a U.S.-based service to collect data, irrespective of whether the data actually ever leaves the EU. Because cookie management requirements apply for EU websites generally, EU-wide adoption of this case’s theories would affect a broad range of companies that do business both within and outside the EU. Although the decision was made at the interim injunction stage and could thus be modified if the case proceeds to trial, its implications are significant and warrant attention now. The plaintiff’s attorney in the case has described to media his view that “website plugins that are hosted and loaded by a cloud service with any U.S. connection” now create “impermissible data transfers.” Although the “any connection” statement is overbroad as a matter of U.S. law, that quotation suggests the range of cross-border transfers prohibited under the court’s approach.
The Wiesbaden decision
The Rhine-Main University of Applied Sciences integrated the cookie management tool “Cookiebot,” from the Danish company Cybot, on its website. Cookiebot displays a banner that lets the user set her cookie preferences. When the user does so, Cookiebot collects, inter alia, the user’s IP address, the URL governed by the user’s preferences (i.e., RMU’s website), and a unique random “user key” assigned to the user. The user key and preferences are stored locally so RMU’s site continues to honor user preferences. Cookiebot also stores all the above data in its own environment. Per Cookiebot, this is done so — as required by the EU General Data Protection Regulation — the company has demonstrable proof users consented to cookie storage.
The alleged problem was Cookiebot used a U.S.-based content delivery network (Akamai Technologies) to collect this data. Importantly, the Wiesbaden court appeared to accept that Akamai may have stored Cookiebot data on EU servers, and not in the U.S., which suggests Cookiebot’s agreement is with Akamai’s German affiliate. But the court, in part supported by testimony it requested from the Hessian Data Protection Commission, ruled this was irrelevant. It held that the mere use of a U.S.-based provider to collect IP addresses and user key data was an unlawful “transfer” because:
- Per the Court of Justice of the European Union, IP addresses are personal data (the court also considered Cookiebot’s “user key” to be personal data).
- Under the Clarifying Lawful Overseas Use of Data Act, a U.S. cloud provider can be obligated to produce all data in its possession, custody, or control to U.S. agencies, irrespective of whether the data is stored in or outside the U.S.
This decision has a number of noteworthy implications. Among the more salient are:
- The court never evaluated whether a “transfer” actually occurred. The decision assumes a “transfer” occurs even if data never leaves the EU, so long as the recipient of data may formally be subject to requests by non-EU authorities. This approach seems different from the European Data Protection Board’s recent definition of a “transfer” — i.e., a disclosure of data to an “importer” who is “in a third country.” None of the EDPB examples apply to data that physically stays in the EU. Here, however, the court reasoned that since data “are processed on Akamai servers, a data transfer to a third country is occurring,” simply because “Akamai Technologies Inc., as an American company, is subject to the CLOUD Act.”
- The court acknowledged Cookiebot claimed to have executed standard contractual clauses with Akamai (although it is unclear whether these were the “old” or the “new” SCCs). The court also heard allegations from the plaintiff that Cookiebot and Akamai had not implemented any “supplemental safeguards” beyond the SCCs. But the SCCs did not appear to play a role in the court’s decision. Instead, the court took the approach that data could only be lawfully transferred to the U.S. via a mutual legal assistance treaty (Article 48 GDPR), or under Article 49 GDPR’s derogations, such as consent. It confined its lawfulness analysis to those grounds alone.
- As a result, the court never evaluated whether there was any significant risk U.S. law would undermine the SCC safeguards. In its final guidance on safeguards needed for transfers, the EDPB allows organizations to consider “the practices in force in the third country” that bear on whether “in practice, the effective protection of the personal data” will be maintained. Nonetheless, the court did not assess the practices in the third country, and how that would impact effective protection.
- The court failed to consider the lack of any real CLOUD Act risk. IP addresses are one of the most abundant pieces of data created by the internet, broadcast by users hundreds of times daily with every website and app click. It is noteworthy the court never asked whether U.S. agencies would ever, in practice, ask for Cookiebot’s specific version of a user’s IP address. The CLOUD Act has a narrower effect, and made a narrower change to previous U.S. law, than many in Europe have stated. In practice, it is difficult to imagine when U.S. prosecutors would go to court to connect an IP address with a user’s cookie preferences for one website — the information about cookie preferences is of little use to law enforcement, and reveals little about a user’s private life or activities. It may be relevant for companies to determine whether they have ever received such a request, much as some companies (like Akamai) have determined that they are not subject to Section 702 of the Foreign Intelligence Surveillance Act. The risk of a criminal investigatory request for this data would appear negligible.
- The court never assessed whether — even if IP address data were transferred to the U.S. — this created any significant risk to users. It is unclear what additional risk users would face if IP addresses were stored on servers in the U.S., versus being stored in the EU. Even the plaintiff seems to have had difficulty identifying any concrete risk; the court notes it argued only that Cookiebot’s tool created “a risk” of “unauthorized access.”
Implications of the decision
The new Wiesbaden decision continues a trend toward broader EU definitions of when data may not be processed by entities connected with third countries, including but not limited to the United States. In previous writing for the IAPP, Swire discussed the broad effects of guidance from the EDPB limiting data transfers, which was softened somewhat in final guidance, as well as the April 2021 decision to prohibit cybersecurity provider Cloudflare from providing services to Portugal’s census agency.
One significant aspect of the new decision is it seems to prohibit data processing even when the personal data is stored in the EU and never leaves the EU. The French cloud regulatory agency, ANSSI, has taken a similar position in its proposed certification program for “trusted” cloud providers, supporting the position that cloud providers be immune from foreign laws. Nigel Cory recently critiqued the breadth of the French proposal, which would set strict limits on non-EU control of providers who would serve French government agencies or other “vital” or “essential” services. As mentioned in the introduction, the plaintiff’s attorney in the Wiesbaden case claimed that all “website plugins that are hosted and loaded by a cloud service with any U.S. connection” now create “impermissible data transfers.” (Because the Wiesbaden court cited the CLOUD Act as a reason to limit U.S.-based services, we note that the claim of “any U.S. connection” is incorrect, because the CLOUD Act only applies under U.S. law where there is possession, custody, or control in the U.S.)
Second, since the crux of the court’s decision was that the ability of non-EU governments to request data from an IT provider creates an illicit “transfer,” the headquarters of the provider should not be relevant. In other words, this decision would prohibit processing of data by any provider that is subject to both EU and non-EU law — even if the provider is headquartered in the EU — as long as a request by a foreign government could require production of data irrespective of storage location. Companies like SAP and Capgemini are just as internationally present as large U.S. organizations, and thus just as subject to requests from non-EU governments.
Third, another measure of the breadth of the decision concerns the routine nature of the personal data at issue — IP addresses linked only to a user’s cookie preferences on a university website. This breadth contrasts, for instance, with the Cloudflare case, which concerned census data historically treated as more sensitive. To the extent risk of improper access is considered, the Wiesbaden case appears to set a low threshold for permitting any such risk.
Fourth, the new case can be seen in context of other pending enforcement actions. NOYB has filed over 100 complaints alleging improper transfers to the U.S., for a range of data analytics and cookie plug-ins that are pervasive in the current online ecosystem. This first, interim Wiesbaden decision may thus be a harbinger of additional enforcement decisions affecting the operations of websites across the EU.