Do not send an IP address to the United States • The registry


German court ruled that sharing IP addresses with US-based servers for cookie consent purposes was illegal under EU data protection law and the European Court of Justice ruling Schrems II.

Hochschule RheinMain University in Germany was barred this week by the Administrative Court in Wiesbaden from using a cookie preference service that shares the end-user’s full IP address with servers at a company whose headquarters is in the United States.

A complainant alleged that Danish provider Cybot’s CookieBot consent manager transmitted data such as IP addresses being shared with US cloud computing company Akamai Technologies.

What is Schrems I?

In the first case, resulting from a complaint lodged with the Irish Data Protection Commissioner in 2011, privacy activist Max Schrems ultimately overturned the largest EU-US data-sharing deal. , Safe Harbor. Schrems had alleged that Facebook had violated the so-called Safe Harbor Agreement which protects the privacy of EU citizens, by transferring its users’ data to the US National Security Agency (NSA).

In Schrems I, in 2015, the highest court in Europe ruled that the sharing of data between the EU and the US under the Safe Harbor was invalid.

What is Schrems II?

Schrems, a former law student, brought in the latest edition of the long-running case (officially known as Schrems II) in 2015, complaining that the Irish data protection agency was still not blocking Facebook Ireland Ltd (as the EU representative of the Zuckerberg Empire) to transmit its data to the United States under the Privacy Shield.

In July last year, the EU Court of Justice overturned the so-called Privacy Shield data protection agreements between the political bloc and the United States, triggering a new wave of legal confusion over the transfer of data from subjects from the EU to America.

The court granted a temporary injunction to prevent further data sharing. The decision could be the subject of a legal challenge, but if upheld it could have ramifications for European companies using similar services.

The court said the data shared was personal data because the end user can be clearly identified from a combination of a key that identifies the website visitor, which is stored in the user’s browser, and the full IP address transmitted.

The cookie service processes the full IP address of the end user on the servers of a company headquartered in the United States. This creates a reference to a third country, namely the United States, which is inadmissible with regard to the so-called Schrems II decision of the European Court of Justice.

In June, the European Data Protection Board (EDPB) finalized guidance for businesses on how to proceed following the Schrems II decision, which rescinded the Privacy Shield data-sharing agreement between the EU and the US.

In its final version of recommendations on additional measures to take into account the decision, the EDPB said that the data transfer could be hampered if the law of a third country allows the authorities to access the data transferred from it. EU, even without the intervention of the importer.

In Schrems II, named after Austrian lawyer and privacy activist Max Schrems, the EU Court of Justice declared that Section 702 of the U.S. Intelligence Review Act foreigner, as well as a US presidential decree and political directive on data collection by spies were not in compliance. EU data protection requirements.

The ruling could be another reason why the standard contractual clauses cannot be used to comply with the law in cases where data is shared between the EU and the US. See this analysis by lawyers Rafi Azim-Khan and Steve Farmer for more details. ®


Comments are closed.