Schrems-II ruling means university can’t use cookie tool, says German court

Out-Law News | 10 Dec 2021 | 1:42 pm

The German Rhine-Main University of Applied Sciences must stop using its website’s cookie consent tool, a German court has ruled.

The Wiesbaden Administrative Court has decided in summary proceedings that the RhineMain University of Applied Sciences cannot use the tool, which transmits a user's full IP address to servers of a company whose headquarters are located in the US.

The tool is used to obtain website users’ consent to the use of cookies. The service also monitors the cookies used and blocks those for which consent has not been given.

A user of the university's website had asked the court to stop the university from using the tool because the service transmits personal data of the users to servers of a company with headquarters in the US. New rules have applied to the transfer of data from the EU to the US since July 2020: on 16 July 2020 the Court of Justice of the European Union (CJEU) overturned the EU-US Privacy Shield, which until then had regulated the exchange of data between the EU and the US.

This ruling, known as Schrems II, arose due to data protection considerations and clarified that businesses can rely on standard contractual clauses as a legal basis for the transfer of personal data to countries outside the EU, provided that they guarantee an adequate level of data protection during the transfer.

Against this background, the Wiesbaden Administrative Court granted the application of the website user and prohibited the university from continuing to use the cookie service in its current form by issuing a temporary injunction. It stated that the transfer of the data created a third-country connection, which was inadmissible in view of the Schrems II decision. The court also said that users of the university's website were not asked for their consent to the transfer of data to the US and were not informed about the associated risks. This form of data transfer was also not considered necessary for the operation of the university's website.

Kirsten Wolgast, a data protection law expert at Pinsent Masons, said the decision raises questions: "GDPR and ePrivacy requirements including those following from the Schrems II decision of the CJEU do not only apply to the use of cookies but also to the use of cookie consent tools to the extent personal data are processed by them. The Court further confirms the view that a full IP address in combination with a key stored in the user’s browser constitutes personal data."

"Neither appears surprising. However, the Court seems to take the view that in this case the user’s consent would have been the only option to legitimise the data transfer to the service provider and US servers. In the decision, the court only deals with the legal relationships between the university and the service providers involved in the use of the cookie consent tool to a limited extent, and it remains unclear whether the use of the tool could also be permissible if the EU Standard Contractual Clauses were used and on the basis of a transfer impact assessment."  

It is not the university itself that transmits the data to the US, but a service provider commissioned by it. However, the 6th chamber of the Wiesbaden Administrative Court concluded that the university was the body responsible for the data transfer, as it decided that the data would be collected and transferred by including the tool on its website.

"This illustrates the wider importance of carrying out due diligence on third party suppliers to comply with the Schrems II judgment," said Rosie Nance of Pinsent Masons. "Organisations caught by the EU or UK GDPR need to confirm whether any of their suppliers transfer personal data to the US or other third countries, and carry out a risk assessment for any transfers to confirm whether they can proceed lawfully.  This needs to be done for all suppliers, even those providing tools to meet a privacy compliance obligation like cookie consent management."

The university can lodge an appeal against the decision within two weeks. In this case, the Hessian Administrative Court in Kassel would have to decide on the matter.