Data pro­tec­tion risk with third-party services?

hese are stor­my times for app and web­site pro­vi­ders and ope­ra­tors: In recent weeks, num­e­rous decis­i­ons by Euro­pean data pro­tec­tion super­vi­so­ry aut­ho­ri­ties and courts regar­ding popu­lar and wide­ly used third-party ser­vices have been pro­mul­ga­ted. Below, we pro­vi­de an over­view of the cur­rent decis­i­ons and stra­te­gies for mini­mi­sing legal risks when using third-party services.

A pro­mi­nent recent exam­p­le is the “Goog­le Ana­ly­tics” ana­ly­sis tool. In addi­ti­on to the Aus­tri­an data pro­tec­tion aut­ho­ri­ty (PDF only in Ger­man), the French Com­mis­si­on Natio­na­le de l’In­for­ma­tique et des Liber­tés (only in Ger­man) has also declared the use of the tool to be ille­gal, as accor­ding to the aut­ho­ri­ties, among other things, the user’s IP address is trans­mit­ted to the US and thus to a third coun­try wit­hout suf­fi­ci­ent gua­ran­tees. Sin­ce the­se decis­i­ons are based on a total of 101 com­plaints filed by the “noyb” asso­cia­ti­on of data pro­tec­tion acti­vist Max Schrems, and sin­ce the Euro­pean data pro­tec­tion aut­ho­ri­ties have coor­di­na­ted their efforts in this regard, fur­ther iden­ti­cal decis­i­ons can be expec­ted in the near future.

The Wies­ba­den Admi­nis­tra­ti­ve Court (only in Ger­man), in turn, had pro­vi­sio­nal­ly declared the popu­lar con­sent mana­ger “Coo­kie­bot” inad­mis­si­ble in sum­ma­ry pro­cee­dings, also becau­se of the trans­fer of data to the United Sta­tes. Howe­ver, the Hes­si­an Admi­nis­tra­ti­ve Court has mean­while resc­in­ded this decis­i­on in its ruling of 17 Janu­ary 2022 (Case 10 B 2486/21) (only in Ger­man) pen­ding the con­clu­si­on of the main proceedings.

Both decis­i­ons and ser­vices are mere­ly exem­pla­ry for the more pro­found pro­blem of third-country per­so­nal data trans­fers, which has beco­me signi­fi­cant­ly more dif­fi­cult, espe­ci­al­ly with regard to US pro­vi­ders, as a result of the “Schrems II Decis­i­on” of the Euro­pean Court of Jus­ti­ce (ECJ).

This pro­blem is also reflec­ted in a ruling by the Dis­trict Court of Munich dated 19 Janu­ary 2022 (Case 3 O 17493/20), albeit from a dif­fe­rent and pos­si­bly more cri­ti­cal per­spec­ti­ve for com­pa­nies. In its jud­ge­ment, the Dis­trict Court of Munich award­ed a web­site user dama­ges of EUR 100,00 for pain and suf­fe­ring due to the inte­gra­ti­on of fonts via “Goog­le Fonts”. As grounds, the Dis­trict Court sta­ted that when the respec­ti­ve web­site is cal­led up, a con­nec­tion is always estab­lished to a Goog­le ser­ver in the US, with at least the IP address of the respec­ti­ve web­site visi­tor being trans­mit­ted to Goog­le. Par­ti­cu­lar­ly in the case of web­sites of lar­ger com­pa­nies with thou­sands of hits per day, a con­sidera­ble amount of dama­ges could quick­ly be achie­ved in the event of cor­re­spon­ding com­plaints from users. This is par­ti­cu­lar­ly the case sin­ce, as a result of the recent rulings, a signi­fi­cant increase in the num­ber of cor­re­spon­ding lawsuits is to be expec­ted due to the increased public atten­ti­on. A pro­hi­bi­ti­on order by the data pro­tec­tion super­vi­so­ry aut­ho­ri­ties could then even seem harm­less in com­pa­ri­son, so long as it does not affect any signi­fi­cant busi­ness processes.

What com­pa­nies should pay atten­ti­on to now

Seve­ral decis­i­ons against the use of popu­lar web tools within a few weeks pro­vi­de a call for action. Com­pa­nies should imme­dia­te­ly check whe­ther the use of a ser­vice with third-country trans­fers is man­da­to­ry for the com­pa­ny or whe­ther Euro­pean alter­na­ti­ves might not be able to be used if necessary.

Detached from indi­vi­du­al decis­i­ons and in a more gene­ral con­text, par­ti­cu­lar atten­ti­on should be paid to the sel­ec­tion and inte­gra­ti­on of alter­na­ti­ves that are not pro­ble­ma­tic from a data pro­tec­tion point of view and to the stra­te­gic imple­men­ta­ti­on of tech­ni­cal mea­su­res, such as encryp­ti­on or pseud­ony­mi­sa­ti­on, when using new ser­vices and deve­lo­ping new pro­ducts in the sen­se of “pri­va­cy by design”. If data pro­tec­tion is alre­a­dy taken into account during deve­lo­p­ment, ques­ti­ons that ari­se can usual­ly be ans­we­red much more easi­ly and solu­ti­ons can be bet­ter inte­gra­ted into the respec­ti­ve pro­ces­ses. The Euro­pean Uni­on Agen­cy for Cyber Secu­ri­ty (ENISA) has also recent­ly published recom­men­da­ti­ons on this in gui­de­lines on “Data Pro­tec­tion Engi­nee­ring”.

If the use of a par­ti­cu­lar ser­vice is man­da­to­ry, a so-called “trans­fer impact assess­ment” should be car­ri­ed out in any case when using stan­dard con­trac­tu­al clau­ses as a trans­fer mecha­nism. Mean­while, some light at the end of the “third coun­try tun­nel” is pro­vi­ded by the fact that the cur­rent decis­i­ons “increase pres­su­re on the US to make con­ces­si­ons on data pro­tec­tion for EU citi­zens” (only in Ger­man), which at the same time should acce­le­ra­te the ongo­ing nego­tia­ti­ons for a suc­ces­sor to the EU-US Pri­va­cy Shield.

At the same time, howe­ver, the next chal­lenges are alre­a­dy emer­ging: Just a few weeks ago, the Bel­gi­an data pro­tec­tion super­vi­so­ry aut­ho­ri­ty fined IAB Euro­pe EUR 250,000 for alle­ged data pro­tec­tion vio­la­ti­ons in the Trans­pa­ren­cy and Con­sent Frame­work (TCF). As grounds, the Bel­gi­an data pro­tec­tion super­vi­so­ry aut­ho­ri­ty poin­ted out, among other things, that in its view the pro­ces­sing and trans­fer of data are car­ri­ed out wit­hout a legal basis and wit­hout suf­fi­ci­ent infor­ma­ti­on being pro­vi­ded to the data subjects…a far-reaching decis­i­on, becau­se the TCF is used on count­less web­sites to obtain con­sent for the dis­play of per­so­na­li­sed advertising.

Even wit­hout a trans­fer to third count­ries, the inte­gra­ti­on of third-party ser­vices can rai­se data pro­tec­tion issues that should be cla­ri­fied in advan­ce during the deve­lo­p­ment of apps and web­sites, both with regard to the risk of a pro­hi­bi­ti­on order and becau­se of the risk of claims for dama­ges for pain and suffering.


Stay up-to-date

We use your email address exclusively for sending our newsletter. You have the right to revoke your consent at any time with effect for the future. For further information, please refer to our privacy policy.