Data protection risk with third-party services?

These are stormy times for app and website providers and operators: in recent weeks, numerous decisions by European data protection supervisory authorities and courts regarding popular and widely used third-party services have been issued. Below, we provide an overview of the current decisions and of strategies for minimising legal risks when using third-party services.

A prominent recent example is the “Google Analytics” analysis tool. In addition to the Austrian data protection authority (PDF only in German), the French Commission Nationale de l’Informatique et des Libertés (only in German) has also declared the use of the tool to be illegal, because, according to the authorities, among other things the user’s IP address is transmitted to the US and thus to a third country without sufficient guarantees. Since these decisions are based on a total of 101 complaints filed by the “noyb” association of data protection activist Max Schrems, and since the European data protection authorities have coordinated their efforts in this regard, further identical decisions can be expected in the near future.

The Wiesbaden Administrative Court (only in German), in turn, had provisionally declared the popular consent manager “Cookiebot” inadmissible in summary proceedings, also because of the transfer of data to the United States. However, the Hessian Administrative Court has meanwhile rescinded this decision in its ruling of 17 January 2022 (Case 10 B 2486/21) (only in German) pending the conclusion of the main proceedings.

Both decisions and services are merely examples of the more profound problem of third-country personal data transfers, which have become significantly more difficult, especially with regard to US providers, as a result of the “Schrems II Decision” of the European Court of Justice (ECJ).

This problem is also reflected in a ruling by the District Court of Munich dated 19 January 2022 (Case 3 O 17493/20), albeit from a different and possibly more critical perspective for companies. In its judgement, the District Court of Munich awarded a website user damages of EUR 100,00 for pain and suffering due to the integration of fonts via “Google Fonts”. As grounds, the District Court stated that whenever the website in question is called up, a connection is established to a Google server in the US, with at least the IP address of the website visitor being transmitted to Google. Particularly in the case of websites of larger companies with thousands of hits per day, a considerable amount of damages could quickly accumulate if users file corresponding complaints. This is all the more likely since, as a result of the recent rulings and the increased public attention, a significant rise in the number of such lawsuits is to be expected. A prohibition order by the data protection supervisory authorities could then even seem harmless in comparison, so long as it does not affect any significant business processes.
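The mechanism the court describes (a page that references a font or script on a third-party host makes every visitor's browser connect to that host) can be checked for statically. The following Python script is an added example and not part of the original article: it parses an HTML page and lists every host, other than the site's own, from which a browser would load or pre-connect to a resource. The two sample pages, the host names and the page URL are constructed for illustration; whether a listed host actually involves a third-country transfer still has to be assessed per provider, and requests triggered from CSS (`@import`) or JavaScript are outside what a static HTML scan can see.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tag/attribute pairs that make a browser fetch (or pre-connect to) a resource
# while rendering the page. A <link rel="preconnect"> counts as well: the
# TCP/TLS connection alone already reveals the visitor's IP address to the host.
FETCHING_ATTRS = {"link": "href", "script": "src", "img": "src", "iframe": "src"}


class ResourceCollector(HTMLParser):
    """Collects the URLs a browser would request when rendering the page."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attr_name = FETCHING_ATTRS.get(tag)
        if attr_name is None:
            return
        value = dict(attrs).get(attr_name)
        if value:
            self.urls.append(value)


def third_party_hosts(html, page_url):
    """Return the sorted hosts, other than the page's own, that resources are loaded from."""
    own_host = urlparse(page_url).hostname
    collector = ResourceCollector()
    collector.feed(html)
    hosts = set()
    for url in collector.urls:
        # urljoin resolves relative ("/static/app.js") and protocol-relative
        # ("//host/logo.png") references against the page URL.
        host = urlparse(urljoin(page_url, url)).hostname
        if host and host != own_host:
            hosts.add(host)
    return sorted(hosts)


# Constructed sample pages (not taken from any real site).
REMOTE_FONTS_PAGE = """<html><head>
<link rel="preconnect" href="https://fonts.googleapis.com">
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Roboto">
<script src="/static/app.js"></script>
</head><body><img src="//www.example.com/logo.png"></body></html>"""

# Same page with the font files served from the site's own origin.
SELF_HOSTED_PAGE = """<html><head>
<link rel="stylesheet" href="/static/fonts.css">
<script src="/static/app.js"></script>
</head><body><img src="/logo.png"></body></html>"""

if __name__ == "__main__":
    for name, page in (("remote fonts", REMOTE_FONTS_PAGE), ("self-hosted", SELF_HOSTED_PAGE)):
        found = third_party_hosts(page, "https://www.example.com/")
        print(f"{name}: {found or 'no third-party hosts'}")
```

Running the script reports `fonts.googleapis.com` for the first page and nothing for the self-hosted variant, which is the configuration that avoids the connection the Munich ruling objected to.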

What companies should pay attention to now

Several decisions against the use of popular web tools within a few weeks are a call for action. Companies should immediately check whether the use of a service involving third-country transfers is indispensable for the company or whether European alternatives could be used instead.

Detached from individual decisions and in a more general context, particular attention should be paid to the selection and integration of alternatives that are not problematic from a data protection point of view and to the strategic implementation of technical measures, such as encryption or pseudonymisation, when using new services and developing new products in the sense of “privacy by design”. If data protection is already taken into account during development, questions that arise can usually be answered much more easily and solutions can be better integrated into the respective processes. The European Union Agency for Cybersecurity (ENISA) has also recently published recommendations on this in guidelines on “Data Protection Engineering”.
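To make “pseudonymisation” concrete for the IP addresses at the centre of the decisions above, here is an added Python example (not code from the article or from ENISA): it truncates client addresses to their network prefix before they are written to an access log, and derives a keyed token for cases where distinct visitors must still be counted. The log lines, prefix lengths and key are constructed for illustration; the /24 and /48 prefixes and the HMAC-SHA256 construction are design choices assumed here, not requirements stated on the page.

```python
import hashlib
import hmac
import ipaddress


def truncate_ip(ip_text, v4_prefix=24, v6_prefix=48):
    """Zero the host part of an address so that only the network prefix is retained."""
    addr = ipaddress.ip_address(ip_text)
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    network = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(network.network_address)


def pseudonym_token(ip_text, key):
    """Keyed HMAC of the normalised address.

    The token is stable per visitor (so unique visitors can be counted) but can
    only be linked back to the address by whoever holds the key, which is what
    makes this pseudonymisation rather than anonymisation.
    """
    canonical = str(ipaddress.ip_address(ip_text)).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def pseudonymise_log_line(line):
    """Replace the leading client address of a Common Log Format line with its prefix."""
    ip, rest = line.split(" ", 1)
    return f"{truncate_ip(ip)} {rest}"


def pseudonymise_log(lines):
    """Apply pseudonymise_log_line to every line, leaving malformed lines untouched."""
    out = []
    for line in lines:
        try:
            out.append(pseudonymise_log_line(line))
        except ValueError:  # first field is not an IP address
            out.append(line)
    return out


# Constructed sample access-log lines (addresses from documentation ranges).
LOG_LINES = [
    '203.0.113.77 - - [10/Feb/2022:10:01:02 +0100] "GET / HTTP/1.1" 200 512',
    '2001:db8:abcd:1234::5678 - - [10/Feb/2022:10:01:03 +0100] "GET /about HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    key = b"constructed-example-key"  # in practice: generated, stored in a secrets manager, rotated
    for original, reduced in zip(LOG_LINES, pseudonymise_log(LOG_LINES)):
        print(reduced)
        print("  visitor token:", pseudonym_token(original.split(" ", 1)[0], key)[:16])
```

The truncation step is the one to apply at the edge, before any third-party analytics or log shipping sees the address; the keyed token belongs only in systems that legitimately need to count returning visitors, and the key should never accompany the data.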

If the use of a particular service is indispensable, a so-called “transfer impact assessment” should in any case be carried out when using standard contractual clauses as a transfer mechanism. Meanwhile, some light at the end of the “third country tunnel” is provided by the fact that the current decisions “increase pressure on the US to make concessions on data protection for EU citizens” (only in German), which at the same time should accelerate the ongoing negotiations for a successor to the EU-US Privacy Shield.

At the same time, however, the next challenges are already emerging: just a few weeks ago, the Belgian data protection supervisory authority fined IAB Europe EUR 250,000 for alleged data protection violations in the Transparency and Consent Framework (TCF). As grounds, the Belgian data protection supervisory authority pointed out, among other things, that in its view the processing and transfer of data are carried out without a legal basis and without sufficient information being provided to the data subjects. This is a far-reaching decision, because the TCF is used on countless websites to obtain consent for the display of personalised advertising.

Even without a transfer to third countries, the integration of third-party services can raise data protection issues that should be clarified in advance during the development of apps and websites, both with regard to the risk of a prohibition order and because of the risk of claims for damages for pain and suffering.
