Data protection risk with third-party services?

Stefan Hessel

These are stormy times for app and website providers and operators: In recent weeks, numerous decisions by European data protection supervisory authorities and courts regarding popular and widely used third-party services have been promulgated. Below, we provide an overview of the current decisions and strategies for minimising legal risks when using third-party services.

A prominent recent example is the "Google Analytics" analysis tool. In addition to the Austrian data protection authority (PDF only in German), the French Commission Nationale de l'Informatique et des Libertés (only in German) has also declared the use of the tool to be illegal because, according to the authorities, among other things the user's IP address is transmitted to the US and thus to a third country without sufficient guarantees. Since these decisions are based on a total of 101 complaints filed by the "noyb" association of data protection activist Max Schrems, and since the European data protection authorities have coordinated their efforts in this regard, further identical decisions can be expected in the near future.

The Wiesbaden Administrative Court (only in German), in turn, had provisionally declared the popular consent manager "Cookiebot" inadmissible in summary proceedings, also because of the transfer of data to the United States. However, the Hessian Administrative Court has meanwhile rescinded this decision in its ruling of 17 January 2022 (Case 10 B 2486/21) (only in German) pending the conclusion of the main proceedings.

Both decisions and both services are merely examples of the deeper problem of third-country transfers of personal data, which have become significantly more difficult, especially with regard to US providers, as a result of the "Schrems II Decision" of the European Court of Justice (ECJ).

This problem is also reflected in a ruling by the District Court of Munich dated 19 January 2022 (Case 3 O 17493/20), albeit from a different and possibly more critical perspective for companies. In its judgement, the court awarded a website user damages of EUR 100.00 for pain and suffering due to the integration of fonts via "Google Fonts". As grounds, the court stated that whenever the website is called up, a connection is established to a Google server in the US, with at least the IP address of the website visitor being transmitted to Google. Particularly for websites of larger companies with thousands of hits per day, damages could quickly add up to a considerable amount if users bring corresponding complaints. This is all the more likely because the increased public attention following the recent rulings is expected to lead to a significant increase in the number of such lawsuits. A prohibition order by the data protection supervisory authorities could then even seem harmless in comparison, so long as it does not affect any significant business processes.

What companies should pay attention to now

Several decisions against the use of popular web tools within a few weeks are a call to action. Companies should immediately check whether the use of a service with third-country transfers is mandatory for the company or whether European alternatives could be used instead.

Beyond the individual decisions, and in the sense of "privacy by design", companies using new services and developing new products should pay particular attention to two things: selecting and integrating alternatives that are unproblematic from a data protection point of view, and strategically implementing technical measures such as encryption or pseudonymisation. If data protection is already taken into account during development, questions that arise can usually be answered much more easily and solutions can be better integrated into the respective processes. The European Union Agency for Cybersecurity (ENISA) has also recently published recommendations on this in guidelines on "Data Protection Engineering".

If the use of a particular service is mandatory, a so-called "transfer impact assessment" should be carried out in any case when using standard contractual clauses as a transfer mechanism. Meanwhile, some light at the end of the "third country tunnel" is provided by the fact that the current decisions "increase pressure on the US to make concessions on data protection for EU citizens" (only in German), which at the same time should accelerate the ongoing negotiations for a successor to the EU-US Privacy Shield.

At the same time, however, the next challenges are already emerging: Just a few weeks ago, the Belgian data protection supervisory authority fined IAB Europe EUR 250,000 for alleged data protection violations in the Transparency and Consent Framework (TCF). As grounds, the Belgian data protection supervisory authority pointed out, among other things, that in its view the processing and transfer of data are carried out without a legal basis and without sufficient information being provided to the data subjects. This is a far-reaching decision, because the TCF is used on countless websites to obtain consent for the display of personalised advertising.

Even without a transfer to third countries, the integration of third-party services can raise data protection issues that should be clarified in advance during the development of apps and websites, both with regard to the risk of a prohibition order and because of the risk of claims for damages for pain and suffering.

[February 2022]