Data in the USA: RheinMain University of Applied Sciences may continue to use Cookiebot for the time being


The RheinMain State University of Applied Sciences is allowed to use the Cookiebot service on its website. This was decided by the administrative court in Kassel for formal reasons. In December, the administrative court in Wiesbaden had issued an interim order forbidding the university from using the service, on the grounds that the associated transfer of data to the USA is illegal. The university lodged a complaint against this, initially with success. But the argument goes on.


Arnd Böken is a lawyer and notary and a partner at GvW Graf von Westphalen Rechtsanwälte in Berlin. He focuses on digitization, data protection and IT law.

How it all began: The RheinMain University of Applied Sciences uses the Cookiebot service from the Danish provider Cybot on its website to obtain consent to the setting of cookies. A website visitor who regularly searches for specialist literature in the university’s online catalog complained about this and requested that the Cookiebot service no longer be integrated into the website.

The reason: The service transmits the visitor's IP address to a cloud provider based in the USA. The user considers this data export to the USA to be illegal because the USA does not offer data protection comparable to EU standards.

The Administrative Court granted the application; by means of a temporary injunction, it prohibited the university from using Cookiebot for the time being (VG Wiesbaden Az. 6 L 738/21). The court held that the university is responsible for the transmission of the IP addresses to the USA because it operates the website, and that this export is illegal under Art. 44 GDPR. In doing so, the administrative court essentially relied on the fact that the university did not obtain the consent of the website visitors for the data export.

This procedure is of great importance for a large number of websites. Many operators use cookie consent services or other services on their websites where IP addresses and other personal data can end up in the USA.

The ban on use imposed by interim order is now off the table. That’s how it should be. Questions about the use of consent management platforms are far-reaching and complex. Main proceedings are better suited to them than interim legal protection. It is there that the question of whether the university is permitted to use the Cookiebot service will be decided.

Data export to the USA is one of the most important issues for website operators at the moment. In December 2021, the German data protection authorities published the Telemedia Orientation Guide. The authorities are extremely critical of the export of IP addresses and other personal data to the USA and emphasize that the integration of such services into websites is only permissible if the legality of the data export has been checked beforehand.

The authorities are even stricter than the administrative court in Wiesbaden. The Wiesbaden Administrative Court essentially based the temporary ban in December on the fact that the website operator did not obtain consent for the export. The court held that the data could have been transferred to the US if the website visitors had given their prior consent. In practice, this is important: many websites also obtain consent for data export along with consent to the setting of cookies.

The data protection authorities see it differently: they are of the opinion that such consents to data export are ineffective and that the export of the data remains illegal. However, the legal view of the authorities may not be correct. Website visitors are responsible for their own data and can decide what to do with it. But the view shows how strict the standards of the authorities are.

The decisions of the courts in Wiesbaden and Kassel as well as the guidance provided by the authorities show that data export is currently a hot topic. Anyone who operates a website with cookies must take a close look at which services they integrate and how these services deal with the data of website visitors, above all whether they also export this data outside of Europe and whether the legal requirements for the export are in place.

As the legal industry service JUVE now reports, the RheinMain University of Applied Sciences has lodged a complaint with the Administrative Court (VGH) in Kassel. In response to this complaint, in January 2022 the VGH overturned the temporary order of the VG Wiesbaden (Az. 10 B 2486/21) because it saw no need to rush. In addition, the difficult legal questions should not be answered in summary proceedings but in main proceedings. This means that the university can continue to use the Cookiebot service for the time being.

In a recent judgment, the Munich Regional Court pointed out another aspect. In that case, a website operator used Google Fonts, and when the Google server was called up, the IP addresses of the website visitors were transmitted to Google. According to the regional court, this is illegal because there is no legal basis for the transmission. The court therefore ordered the operator of the website to pay damages of 100 euros (Az. 3 O 17493/20). The verdict is not yet legally binding. 100 euros doesn’t sound like much, but if all visitors to a website complain, large sums can quickly accumulate.
