Although it is “only” a provisional order that the Wiesbaden Administrative Court issued on 1.12.2021, it has several aspects to it.
What was the case about?
The Rhine-Main University of Applied Sciences had integrated both the Google Tag Manager and the Cookiebot content tool on its website at hs-rm.de, which among other things enabled an online catalog of the university library for researching specialist literature.
On 5/26/2021, the applicant issued a warning to the university and requested it to sign a cease-and-desist declaration with a penalty clause regarding the Google Tag Manager and Cookiebot services.
After 7.6.2021, the university refrained from using Google Tag Manager and informed the applicant of this in writing. At the same time, the university refused to issue a cease-and-desist declaration with a penalty clause. The Constent tool Cookiebot continued to be used. On 8.6.2021 the applicant therefore applied for interim legal protection.
The university’s decision not to use Google Tag Manager did not rectify the situation.
In its ruling of December 1, 2021 (Ref.: 6 L 738/21.WI), the Wiesbaden Administrative Court prohibited the further use of the Cookiebot content tool with immediate effect until a decision is made on the merits of the case. The reasons for the ruling are well worth reading and it will be interesting to see whether the ruling in the main case will be the same.
The verdict
After the university had renounced the use of Google Tag Manager, the only request was to prohibit the use of Cookiebot. The judgment of the VG Wiesbaden in the wording:
In all other respects, the petitioner's application is admissible and well-founded. The defendant is obliged to terminate the integration of the service "C[xxx]bot" for the purpose of obtaining consent on its website www.hs-rm.de, as the integration is accompanied by the unlawful transmission of personal data of the website users and thus in particular of the applicant.
https://rewis.io/service/pdf/urteile/2tj-01-12-2021-6-l-73821wi.pdfThe court’s reasoning is comprehensive in nature and, as a whole, hits the issue of third country transfers following the Schrems II ruling of the European Court of Justice.
The reasons for the decision
First, the court found that in order to provide the service, the cookie bot provider Cybot transfers, among other things, the unabbreviated IP address to the U.S. service provider Akamai Technologies. The service provider offers CDN services to protect websites against DDOS attacks, for example. The defense’s argument that only abbreviated and anonymized IP addresses are transmitted was deemed inaccurate by the court:
It does claim that only an anonymized IP address is transmitted, with the last three digits set to zero. However, this is contradicted by Cy.'s own statement to the contrary. Even if the service C[xxx]bot only transmits the unabbreviated IP address when it is loaded for the first time, this is still a significant processing operation under data protection law. The collection and transmission of personal data already constitutes processing pursuant to Art. 4 No. 2 of the GDPR.
https://rewis.io/service/pdf/urteile/2tj-01-12-2021-6-l-73821wi.pdfAccording to the Schrems II ruling of the ECJ, the transfer of personal data to the USA can only take place under the condition of additional guarantees and measures for the conclusion of a contract, based on the standard contractual clauses of the EU (SCCs). This prerequisite was not present in the case of the data transfer by Cybot, the Consent Tool provider. Consequently, the data transfer was at most legally possible under the condition of Art. 49 (1) sentence 1 lit. a-f and sentence 2. The existence of these justifications was denied by the Wiesbaden Administrative Court.
In addition, in the opinion of the court, further data was transferred, including a cookie key, which would enable personalized evaluation and profiling.
The key can therefore be clearly assigned to the website user and their cookie preferences, otherwise the service would not be able to link the website user and their previously stated cookie preferences. Together with the likewise transmitted (see above) unabbreviated IP address of the website user, the user is thus clearly identifiable by C[xxx]bot. The key may be "anonymous" in that it cannot be associated with the name of the end user. However, this does not rule out individualization with the help of the other existing data about the end user, because the user can be identified on the basis of the storage of the key, even if his name is not known.
https://rewis.io/service/pdf/urteile/2tj-01-12-2021-6-l-73821wi.pdfAre CDNs and services such as Google Tag Manager or Cookiebot becoming an incalculable risk?
We have already pointed out several times in the past that systems and services in third countries should only be used under strictly limited conditions. In the context of a globally networked online economy, it is almost impossible for companies to do without the transfer of personal data, especially to the USA. The Wiesbaden court’s argument that alternative European variants are available for the use of consent tools that do not require such data transfers is understandable. However, it becomes difficult when using services such as the CDN services offered by Akamai to increase data security. At least at present, such a security infrastructure is unlikely to be found in Europe at reasonable conditions. Companies would be well advised to critically examine all processing procedures and consider alternatives that are less problematic from a data protection perspective.