Germany: VG Wiesbaden prohibits use of Content Delivery Networks

In a widely noted decision pursuant to Section 123 VwGO [Code of Administrative Court Procedure] dated December 1, 2021, Ref. 6 L 738/21.WI, the VG Wiesbaden declared the transfer of personal data to companies in the field of electronic communications or cloud computing - in this case the operator of a Content Delivery Network [CDN] - to be prohibited on principle. This is because, according to the Wiesbaden Administrative Court, a transfer of personal data to the USA - in this case IP addresses - is already present if the US company or a German subsidiary processes the data on servers in the EU. The VG Wiesbaden had to evaluate the consent management platform "Cookiebot", which is used by many companies in Germany. The reasoning of the decision can be applied not only to other cloud services of US providers such as Google, Microsoft, Amazon or Salesforce. Any processing of personal data by individuals in the electronic communications sector of cloud computing that is under the control of a U.S. company would, on that reasoning, be treated as a third country transfer. In any case, the decision represents the first known ruling on the use of cloud services operated in the EU by a subsidiary of a US company. Nevertheless, doubts remain as to whether the VG had jurisdiction at all and whether it decided the matter correctly in substantive terms as well.

In detail: What is at issue?

The subject of the summary proceedings before the VG Wiesbaden is the applicant's request to prohibit the RheinMain University of Applied Sciences from integrating the cookie service "Cookiebot" offered by the Danish company Cybot A/S on its website in such a way that personal data of the applicant (including his IP address) is transferred to servers operated by companies of the Akamai Technologies Inc. group. The cookie service "Cookiebot" makes it possible to obtain the consent of a website's users to the use of cookies. The service monitors the cookies used and blocks those cookies for which consent has not been given. For this purpose, the "cookie service provider" uses the services of the company Akamai Technologies Inc. by using server capacities of Akamai: Cybot uses Akamai's Content Delivery Network to retrieve the cookie service provider consent script, which resides on an Akamai server. A content delivery network is a network of regionally distributed servers connected over the Internet that is used to deliver content, particularly large media files.

What did the court decide on the admissibility of the data processing?

In a decision dated December 1, 2021, the 6th Chamber of the Wiesbaden Administrative Court granted the application and, by way of a temporary injunction, prohibited RheinMain University of Applied Sciences from including this cookie service on its website for the purpose of obtaining consent in such a way that personal or person-related data of the applicant (including his IP address) is transmitted to servers operated by an external company.

The VG bases the injunctive relief as a public-law injunctive relief on Section 1004 BGB [German Civil Code] analogously in conjunction with Article 79 (1) and Article 5 (1) lit. a GDPR.

The university was obliged to terminate the integration of the cookie service on its website, as this was accompanied by the unlawful transmission of personal data of the website users - the IP address - and thus in particular of the applicant.

The cookie service processes the complete IP address of the end users due to the use of Akamai's Content Delivery Network on servers of a group of companies whose parent company was located in the USA. Whether the data actually reached the USA or remained on a server in the EU and whether Cybot's contractual partner was the US parent or a German subsidiary was irrelevant; the above questions could therefore apparently not be conclusively clarified in the proceedings. In any case, according to the court, there was a transfer of data to a third country pursuant to Article 44 of the GDPR. This is because Akamai Inc. could be required to hand over the IP addresses on the basis of the CLOUD Act. The VG probably has in mind its status as a "...provider of electronic communication service or remote computing service..." according to §§ 2704 ff, 2713 Chapter 121 of Title 18, United States Code.

The university is also the data controller, Art. 4 No. 7 GDPR. It is not the university itself that transfers the data to the USA. However, by including the Cybot service on its website, it decides that the collection and transmission is carried out by the cookie service. It also indirectly decides on the purpose of the processing, since it can decide for or against the use in knowledge of the purposes indicated by the integrated service. This is also not contradicted by the fact that it is no longer responsible for subsequent processes, such as the use of the data by the service.

There is no justification for this: Art. 48 GDPR (mutual legal assistance) does not apply, as there is no mutual legal assistance agreement with the USA. Article 49 of the GDPR (exceptions) also does not provide a basis: Article 49 (1) sentence 1 a) of the GDPR does not apply, since (undisputedly) users of the website were not asked for their consent for the transfer to the USA; accordingly, they were also not informed about the possible risks involved. A justification pursuant to Art. 49 (1) sentence 1 lit. d) of the GDPR is also ruled out, as the transfer is not necessary for important reasons of public interest, as there are alternative providers that comply with data protection requirements. The other possible conditions of Article 49 (1) sentence 1 of the GDPR are obviously not relevant either. Article 49 (1) sentence 2 of the GDPR is already not applicable because the data transfer takes place with regard to countless website users.

What happens next?

The defendant can file an appeal against the decision within two weeks, which would have to be decided by the Higher Administrative Court of Hesse in Kassel. Since Cookiebot could still be found on the homepage as of December 9, 2021, and the decision has therefore not been implemented, the university will probably file an appeal pursuant to Section 146 (1) VwGO or has already done so. In addition, the applicant must pursue the main case until January 2022 so that the decision does not lose its effect.

What is to be made of the decision of the VG?

In detail, following the order of presentation in the decision:

According to the facts of the case, the decision is inadmissible, and administrative recourse pursuant to Section 40 (1) sentence 1 VwGO is therefore not available. The operation of a website does not constitute sovereign action and thus there is no dispute under public law: Articles 5, 6, 44 et seq. and 79 of the GDPR, which are decisive for the dispute, do not contain any special rights or obligations of the state or other holders of public authority (special rights theory). Whether Art. 79 GDPR, in contrast to Art. 77 et seq. GDPR, exclusively covers claims under civil law is currently also the subject of a preliminary ruling procedure.

Administrative proceedings could be opened if the applicant had a claim under public law to use the website and was prevented from using it because of Cookiebot. However, there is nothing to suggest that this is the case. The applicant is obviously not a student; in any case, he has also not based his claim on an access claim, for example under the State University Act. It could be that the VGH Hessen will refer the matter to the competent civil court in response to an appeal (Section 146 VwGO) pursuant to Section 17a (2) sentence 1 GVG.

There is also no right to injunctive relief under public law due to the lack of a sovereign act. A civil-law injunctive relief analogous to § 1004 BGB, Art. 79 GDPR should, however, be justifiable with the argumentation of the VG and with voices from the literature and case law. The application of § 1004 BGB complies with the principles of effectiveness and equivalence, according to which the courts of the member states must ensure the protection of rights arising from Community law equivalent to comparable domestic claims, whereby the design of legal remedies and judicial proceedings in the absence of Community law regulation is a matter of domestic law. This is apparently not taken into account by the voices opposing injunctive relief.

In this context, the relationship between Art. 77 f. and Art. 79 GDPR could become interesting, which is the subject of the aforementioned preliminary ruling procedure: can administrative/administrative court proceedings be conducted in parallel with civil proceedings? If so, do the authorities and courts involved examine the infringement independently? Does the decision of the authority take precedence?

Furthermore, the question arises whether the GDPR applies to the transaction at all. This is because the "data exchange" between Akamai Inc./GmbH and Cybot A/S could be a telecommunications service, the permissibility of which could be governed by the respective implementation law, the TTDSG [Data Protection and Privacy in Telecommunications and Telemedia Act] or the TKG [Telecommunications Act] old version due to the area exception for the ePrivacy Directive in Art. 95 GDPR. In this case, Section 6 of the TTDSG and Section 107 of the TKG (old version) could be taken into consideration. As a means of distributing content, CDNs generally serve telecommunications in the sense of § 3 no. 61 c) TKG; in this case, however, they "hosted" a cookie service provider consent script, which may justify a different assessment.

It is also doubtful whether - if the data is processed on a server in the EU - a transfer of data to the USA pursuant to Art. 44 GDPR is present at all. The Administrative Court assumed that the servers belong to Akamai Inc. Whether it therefore assumed that the servers are “of course” located in the USA or whether it considered the location of the servers to be irrelevant cannot be inferred from the reasons. However, the location of the servers is decisive for the dispute: If they are located in the EU, there is initially no transfer to a third country. According to the Lindqvist ruling of the ECJ of November 6, 2003 - C-101/01, [2003] ECR I-12992, para. 56 et seq. (esp. marginal no. 60), a transfer requires more than the mere provision of data. The data must also be retrieved. Nothing else can be inferred from the ECJ's Schrems II ruling of 16.7.2020 - C-311/18, esp. paras. 83, 104 f. On the contrary, the ECJ problematizes there precisely that U.S. authorities in the U.S. can access the data after the transfer. If it were only a matter of theoretical access, the collection of the data by the Irish subsidiary of Facebook would already have been problematized.

Additionally, the question arises whether the transfer could not be based on the standard contractual clauses pursuant to Art. 46 (2) lit. c GDPR: In this respect, the university only submitted an unsigned blank contract between Cybot and Akamai Inc. or the German subsidiary of the same name. Therefore, the court - without discussing this further - apparently considered the agreement of the standard contractual clauses as not proven. This is also understandable in view of Article 28 (9) of the GDPR.

With regard to the CLOUD Act, it will have to be clarified in the main proceedings under which circumstances a U.S. company must actually collect data held by its subsidiaries or by itself abroad. According to the U.S. Department of Justice, data from abroad should be collected by means of an agreement or - where this is lacking - by avoiding a violation of local law. The U.S. Department of Justice goes on to state that there are high standards that must be met before data is requested. Finally, it is of interest that, according to the U.S. Department of Justice's account of U.S. law, companies outside the U.S. may also be subject to U.S. jurisdiction, so that companies with strong economic links to the USA would also have to be avoided. Having said all this, the main question would be whether an actual request, rather than a theoretical request under the CLOUD Act, should be the determining factor.

It would also have to be examined whether the CLOUD Act only implements what is stated in the Cybercrime Convention and in the Second Additional Protocol to the Cybercrime Convention, to which all states of the EU are parties in addition to the U.S. According to the Cybercrime Convention applicable between the USA and the EU states and in particular Art. 6 f. of the Second Additional Protocol - which according to Art. 18 of the Vienna Convention on the Law of Treaties (VCLT) can already have a preliminary effect from the signing planned for May 2022 - orders for surrender from one state to a service provider in another state are permissible on principle. Whether this also applies to Article 18 of the Cybercrime Convention, to which the USA refers, is questionable - cross-border access is likely to be regulated there in Article 32 and requires the cooperation of the state in whose territory the data is stored.

However, equating the (assumed) access by Akamai Inc. to data stored in the EU with a transfer is probably inadmissible for another reason: The 1954 Treaty of Friendship, Commerce and Navigation between the Federal Republic of Germany and the United States of America (TFCN) requires that U.S. companies be treated like German companies - the latter, of course, only need to think about Art. 44 GDPR if they actually want to transfer data. This could stand in the way of an overly broad, preventive application of the GDPR against U.S. companies. The GDPR and other Union law would then not be allowed to be applied to the detriment of the U.S. company pursuant to Article 351(1) TFEU:

The TFCN has the rank of a federal law in Germany, Art. 59 (2) sentence 1 GG. As is well known, Union law takes precedence over federal law and thus the GDPR would also take precedence over the TFCN. However, Article 351 (1) TFEU makes a counter-exception here: treaties which - in the case of Germany - entered into force before January 1, 1958, take precedence over Union law (cf. ECJ, judgment of 3.2.1994 - Case C-13/93, para. 17, BeckRS 2004, 74297, beck-online). The TFCN was ratified in 1956 (cf. BGBl. 1956 II p. 487). A further prerequisite is that the treaty claims still exist (cf. Grabitz/Hilf/Nettesheim/Lorenzmeier, 74th EL September 2021, TFEU Art. 351 marginal no. 20).

This is also the case: the TFCN has not been terminated, thus it continues to apply pursuant to Art. XXIX TFCN. Art. VII para. 1 sentence 1 (national treatment) has also not been implicitly abrogated by the data protection exception in Article XIV c (ii) GATS under Art. 30 para. 1, Art. 59 para. 1 Vienna Convention on the Law of Treaties (VCLT), if they are applicable at all, since the contracting parties to the TFCN are the USA and Germany, while those to the GATS are the USA and the EU. The TFCN is still applicable as long as it does not contradict the GATS, and Article XIV c (ii) GATS allows data protection rules but does not prescribe specific standards.