A German court has ruled that sharing IP addresses with US-based servers for cookie consent purposes is illegal under EU data protection law and the Schrems II ruling of the Court of Justice of the EU.
The Hochschule RheinMain University in Germany was prevented this week by the administrative court in Wiesbaden from using a cookie preference service that shares the end user’s full IP address with the servers of a company whose head office is in the United States.
A complainant had alleged that Danish provider Cybot’s CookieBot consent manager passed on data such as IP addresses that were shared with US cloud computing company Akamai Technologies.
What is Schrems I?
In the first case, stemming from a complaint to Ireland’s Data Protection Commissioner in 2011, privacy campaigner Max Schrems ultimately overturned the biggest data-sharing agreement between the EU and the United States, Safe Harbor. Schrems had alleged that Facebook breached the so-called Safe Harbor agreement that protects the privacy of EU citizens, by transferring its users’ data to the US National Security Agency (NSA).
In the Schrems I case, in 2015, Europe’s highest court ruled that data sharing between the EU and the US under Safe Harbor was invalid.
What is Schrems II?
Schrems, a former law student, presented the latest edition of the long-running case (informally known as Schrems II) in 2015, to complain that the Irish data protection agency still did not prevent Facebook Ireland Ltd (as the European representative of the Zuckerberg empire) from transmitting its data to the United States under the Privacy Shield.
In July last year, the Court of Justice of the EU struck down the so-called Privacy Shield data protection agreements between the political bloc and the United States, triggering a new wave of legal confusion over the transfer of EU subjects’ data to America.
The Wiesbaden court granted a temporary injunction to prevent any further sharing of data. The ruling could be subject to a legal challenge, but if upheld it could have ramifications for European companies using similar services.
The court declared that the data shared was personal data because the end user can be clearly identified from a combination of a key that identifies the website visitor, which is stored in the user’s browser, and the full IP address transmitted.
The cookie service processes the end user’s full IP address on the servers of a company headquartered in the United States. This creates a link to a third country, namely the United States, which is inadmissible under the so-called Schrems II decision of the European Court of Justice.
In June, the European Data Protection Board (EDPB) finalized its advice to businesses on how to proceed following the Schrems II ruling, which overturned the Privacy Shield data-sharing agreement between the EU and the United States.
In its final version of the recommendations on additional measures to take account of the decision, the EDPB stated that the transfer of data could be hindered if the legislation of a third country allows authorities to access data transferred from the EU, even without the intervention of the importer.
In the Schrems II ruling, named after Austrian privacy activist and lawyer Max Schrems, the EU Court of Justice ruled that Section 702 of the US Foreign Intelligence Surveillance Act, as well as a US presidential decree and policy directive on data collection by spies, did not comply with EU data protection requirements.
The ruling could be another reason why standard contractual clauses cannot be relied on to comply with the law in cases where data is shared between the EU and the US. See this analysis by lawyers Rafi Azim-Khan and Steve Farmer for more details.