A German court has ruled that sharing IP addresses with US-based servers for the purpose of cookie consent is unlawful under EU data protection law and the EU Court of Justice Schrems II ruling.
The university Hochschule RheinMain in Germany was this week prevented by Wiesbaden Administrative Court from using a cookie preference service that shares the complete IP address of the end user to the servers of a company whose headquarters are in the US.
A complainant had alleged that the CookieBot consent manager from Danish provider Cybot transmitted data such that IP addresses were shared with US-based cloud company Akamai Technologies.
What is Schrems I?
In the first case, arising from a complaint filed with the Irish Data Protection Commissioner in 2011, privacy activist Max Schrems ultimately toppled the biggest EU-US data-sharing deal, Safe Harbor. Schrems had alleged that Facebook violated the so-called Safe Harbor agreement which protects EU citizens' privacy, by transferring its users' data to the US National Security Agency (NSA).
In the Schrems I ruling, in 2015, Europe’s highest court ruled that data sharing between the EU and US under the Safe Harbor framework was invalid.
What is Schrems II?
Schrems, a former law student, brought the latest edition of the long-running case (informally known as Schrems II) in 2015, complaining that Ireland's data protection agency still wasn't preventing Facebook Ireland Ltd (as EU representative of the Zuckerberg empire) from beaming his data to the US under Privacy Shield.
In July last year, the EU Court of Justice struck down the so-called Privacy Shield data protection arrangements between the political bloc and the US, triggering a fresh wave of legal confusion over the transfer of EU subjects' data to America.
The court awarded a temporary injunction to prevent further data sharing. The ruling could be subject to a legal challenge but if upheld it could have ramifications for European companies using similar services.
The court said the data shared was personal data as the end user can be clearly identified from a combination of a key that identifies the website visitor, which is stored in the user's browser, and the transmitted full IP address.
The cookie service processes the complete IP address of the end user on the servers of a company whose corporate headquarters are in the US. This creates a reference to a third country, namely the US, which is inadmissible with regard to the so-called Schrems II decision of the European Court of Justice.
In June, the European Data Protection Board (EDPB) finalised its guidance to businesses in how they should proceed following the Schrems II ruling, which struck down the Privacy Shield data-sharing arrangement between the EU and the US.
- UK watchdog's punishment for Blackbaud, Easyjet, other big privacy lawbreakers was slap on the wrist in private
- Max Schrems hits Irish Data Protection Commissioner with corruption complaint
- Data transfers between the EU and the US: Still unclear on what you're supposed to do? Here's an explainer
- EU and US seek 'common principles' for data governance and AI
In its final version of the recommendations on supplementary measures to accommodate the ruling, EDPB said the transfer of data could be impinged on if legislation in a third country allows authorities to access data transferred from the EU, even without the importer's intervention.
In the Schrems II ruling, named after Austrian privacy activist and lawyer Max Schrems, the EU Court of Justice said that Section 702 of the US Foreign Intelligence Surveillance Act together with a US presidential order and a policy directive on data collection by spies failed to meet EU data protection requirements.
The ruling could be another reason that standard contractual clauses cannot be relied on for compliance with the law in cases where data is shared between the EU and the US. See this analysis from lawyers Rafi Azim-Khan and Steve Farmer for more detail. ®