In its decision ("Decision") dated 1 December 2021, the Wiesbaden Administrative Court ("Court") prohibited the RheinMain University of Applied Sciences ("University") from using a cookie consent management platform hosted by a US-based service provider. The Court found that the use of a consent management platform hosted by a US-based provider constitutes a cross-border data transfer under the General Data Protection Regulation (GDPR). The Decision was made in interim proceedings and is therefore not final and binding. However, the findings of the Court are important as they concern the cookie practices of companies.

Background

The University uses a consent management platform on its website to store the cookie preferences of visitors, and the consent management platform uses a US-based hosting provider for its services. The applicant requested that the University cease its collaboration with the consent management platform on the grounds that this collaboration causes visitor data to be transferred to the US.

Evaluation of the Court

The Court first concluded that, in the case at hand, the data in question is considered to be personal data. The consent management platform processes the user key, which identifies the website visitor, and the IP addresses of the visitors. The combination of the user key and IP addresses allows the visitors to be identified; therefore, it constitutes personal data.

The Court further decided that the University is the data controller responsible for the transfer of this data. The Court found that, even though the University does not transfer the data itself, by incorporating the consent management platform into its website the University decides on the collection and transfer of the personal data and, moreover, establishes the purpose of processing. Accordingly, from the Court's perspective, the University qualifies as a data controller.

The most important part of the Court's analysis concerns the data transfer aspect of the case. The Court considered the use of a cookie management platform that uses a US-based hosting provider to be a cross-border data transfer under the GDPR. The Court decided that a transfer occurs if there is a chance that non-EU authorities can access the data, regardless of whether the data leaves the EU or not. This argument of the Court is based on the fact that the hosting provider is established in the US and is subject to the CLOUD Act. Under the CLOUD Act, the US authorities may request that the relevant companies hand over the stored data. The Court further argued that such a transfer is also prohibited under the Schrems II decision of the EU Court of Justice.

Moreover, the Court emphasized that, in the case at hand, the University failed to (i) obtain the explicit consent of the data subjects and (ii) inform the data subjects of the possible risks of such a transfer under the CLOUD Act. It further stated that it was not necessary for the University to transfer such data. The Court did not touch on the use of Standard Contractual Clauses ("SCC") in its evaluation.

Importance of the Decision

The Decision is subject to interim proceedings and is not yet binding. Therefore, it may be appealed. However, the Court's perspective on the use of US-based cookie management providers is important and concerns many European companies operating websites. Companies that use US-based hosting providers for their cookie plugins should consider the findings of the Court, since such a practice may trigger cross-border data transfer restrictions. One significant aspect is that it is not clear whether the University duly applied SCCs to ensure a legitimate transfer, as the SCCs did not appear to play a part in the Court's Decision.
