At times, considerable legal uncertainties have arisen in practice with regard to the data protection requirements for website tracking. The legal uncertainties primarily concern the question of what requirements should be imposed on the request for consent for the transfer to a third country without an adequate level of protection via a consent management platform and what is meant by “additional measures” to safeguard third-country transfers due to the use of cloud-based applications for the realization of server side tracking mechanisms in accordance with the new standard contractual clauses of the EU Commission.
Recent decisions of the supervisory authorities on Google Analytics demonstrate the high requirements for the legally compliant design of standard contractual clauses, especially with regard to the assessment of the “additional measures” designated in the annexes of the SCC.
Finally, the agreement announced on March 25, 2022 between U.S. President Biden and EU Commission President Ursula von der Leyen on a new “Trans Atlantic Data Privacy Framework” (“TADPF“) as a successor agreement to the EU-US Privacy Shield, which was declared invalid by the ECJ, is currently subject to considerable legal uncertainties.
We sat down with Tilman Herbrich of Spirit Legal to explore the legal uncertainties surrounding the transfer of personal data to a country outside the European Union. In this joint article, we would like to address the most common issues related to international data transfers and website tracking:
- Is the transfer of data to a third country permissible by invoking consent as a legal basis?
- What is meant by “additional measures” when it comes to international data transfers under the GDPR?
- Are the “additional measures” offered by Google & Co. sufficient to comply with the GDPR?
- Will there ever be an adequacy decision for transfers to the US?
1. Legal uncertainty Consent for third-country transfer: is a practicable implementation possible?
Even the use of consent management platforms based on cloud solutions, e.g., from AWS, Microsoft Azure or Google as infrastructure, can prevent compliance with the requirements from the ECJ ruling “Schrems II” from the outset, as the case before the VG Wiesbaden (Beschl. v. 01.12.2021 – 6 L 738/21.WI, not legally binding) indicated. Even if one claims a CMP without any third country risk, requesting consent for the third country transfer due to tracking services such as Google Analytics is associated with practical hurdles that are hardly surmountable.
As an exception for a third country transfer, the implementation of an explicit consent pursuant to Art. 49 (1) p. 1 lit. a) GDPR is associated with considerable complexity and risks. On the one hand, supervisory authorities reject the legal admissibility of consent for the transfer to tracking services in third countries. On the other hand, the fulfillment of the information requirements regarding recipients and all third countries in the context of requesting consent in a CMP is associated with practical hurdles that are hardly surmountable:
According to Art. 49 (1) p. 1 lit. a) DSGVO, the transfer to a third country without an adequate level of protection is exceptionally permissible if the data subject has expressly consented to the proposed data transfer after having been informed about the potential risks to him or her of such data transfers without the existence of an adequacy decision and without appropriate safeguards. According to the commentary literature, this exception can be used when personal data is transferred to a technology provider in a third country [see Schantz, in: Simitis/Hornung/Spiecker, gen. Döhmann, DSGVO, Art. 49 marginal no. 19 with further references].
A cautious standard must be applied when examining which processing operations are covered by Art. 49(1) sentence 1(a) GDPR. The European Data Protection Board (“EDPB”) requires prior information on the specific existing risks stemming from the lack of a level of protection in the third country. Abstract references to a lack of adequacy in the third country are not sufficient [see EDPB Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679 of 25.5.2018, p. 9 f.]. Thus, it is necessary to highlight the potential risks for data subjects arising from the fact that the third country does not provide an adequate level of protection and that no appropriate safeguards are in place.
While such a consent form may be standardized, the EDPB believes that it should include, among other things, the following information, as applicable in the third country in question:
- Lack of a supervisory authority for complaint procedures,
- Lack of data subject rights, and/or
- Lack of data processing principles (Art. 5 GDPR).
In addition, the “comprehensive indication” of recipients in the third country and the respective third country must be precisely designated. Therefore, if this information is not provided, the derogation does not apply [see EDPB Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679 of 25.5.2018, p. 9].
In the view of the Data Protection Conference, the use of tracking tools to track user behavior cannot, in principle, be based on consent under Article 49 (1) p. 1 lit. a) of the GDPR [DSK, Orientierungshilfe für Anbieter:innen von Telemedien, 2021, p. 32]. The scope and regularity of such transfers would regularly contradict the character of Art. 49 GDPR as an exceptional provision and the requirements of Art. 44 p. 2 GDPR [see also EDPB Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679 of 25.5.2018, p. 9]. According to Art. 44 p. 2 GDPR, all provisions of Chapter 5 must be applied to ensure that the level of protection for natural persons ensured by this Regulation is not undermined.
It is indeed justifiable to link consent for the third country transfer in a Consent Management Platform (CMP) on the website to consent for the respective tracking tool [Moos/Strassemeyer, DSB 2020, 207, 210].
In practical implementation, however, when using Google Analytics, for example, one will regularly fail to be able to transparently map the extensive information obligations of the EDPB in a consent layer in order to achieve an acceptable consent rate. This is because the listing of the respective third country to which the data is transferred, as well as all of the more than 50 subcontractors for Google Analytics as a recipient, is hardly practical to handle in a legally secure manner due to the scope. For example, Google reserves the right in Section 10.1 Data Processing Terms and Conditions for Google Ads to process personal data in any country in which Google or subcontractors maintain facilities.
In the case of Google Analytics, website visitors would have to be informed in a CMP in each case for the third country about missing data subject rights, complaint possibilities with supervisory authorities and missing data processing principles. The notices would have to be provided for each third country without an adequate level of protection, such as Taiwan, Philippines, Brazil, Mexico, Malaysia, and India [cf. e.g. e.g., on India, study commissioned by the EDPB, Government access to data in third countries, 2021]. Only for third countries such as Japan and Argentina do adequacy decisions exist from the EU Commission under Article 45 GDPR.
Even with consent-based marketing using CMP solutions, the third-country problem cannot be meaningfully overcome when using Google services. A configuration of a CMP that meets the requirements of the supervisory authorities is currently associated with virtually insurmountable practical hurdles due to a lack of case law.
In the context of the risk assessment, it must be considered that in the event of a sanction by the supervisory authorities, not the reduced fine framework according to Section 28 No. 13 TTDSG (EUR 300,000.00), but the fine assessment according to Article 83 (5) c) DSGVO applies (up to 4% worldwide annual turnover).
As a justification for data transfer to unsafe third countries, e.g. to the USA, practically only the agreement of standard contractual clauses remains in the wake of the ECJ case law [ECJ, 16.7.2020 – C-311/18 – Schrems II]. Any data transfer and data access by U.S. companies based on standard contractual clauses pursuant to Art. 46(2)(c) GDPR requires additional technical and organizational measures (“Supplementary Measures“) to protect against access by U.S. authorities and to ensure effective legal protection for data subjects against unauthorized access.
Thus, in the future, the data exporter – i.e., any entity such as website operators that transfers personal data to the third country’s sphere of influence, including data transfers from European-based group companies with a U.S. parent company – must first check whether the obligations in the third country can be met and an appropriate level of protection is ensured. If this is not the case – as is the case in the U.S. in particular due to the scope of Section 702 FISA and E.O. 12333 and the access authorizations of the security authorities – concrete compensatory measures must be taken to ensure that the level of protection is actually complied with [Heckmann, Datenschutzkonforme Nutzung von Cloud-Lösungen aus unsicheren Drittländern, Wissenschaftliches Gutachten, 2021, p. 15; Heinzke, GRUR-Prax 2020, 436].
Even if servers are located in Europe, the issue of third countries cannot be avoided from the outset. According to the expert opinion commissioned by the DSK on the current status of U.S. surveillance law and surveillance powers, U.S. companies are subject to the U.S. surveillance law 50 U.S. Code § 1881a (Section 702 FISA), even if they store the data outside the U.S., namely within the EU. Similarly, when using cloud resources from U.S. companies, as with server side Google Tag Manager under the CLOUD Act, if the data is stored on servers within the EU, the U.S. provider could be required to hand over the data [Heckmann, Datenschutzkonforme Nutzung von Cloud-Lösungen aus unsicheren Drittländern, Wissenschaftliches Gutachten, 2021, p. 16; Paal/Kumkar, MMR 2020, 733].
Item 14 of the SCC provides for an obligation to conduct and document a “Transfer Impact Assessment” in which an analysis and mitigation for risks of access by security authorities must be carried out on the basis of “additional measures” as additional contractual, technical and organizational measures.
2. Legal uncertainty third country transfer: what are “additional measures”?
Which “additional measures” have to be taken has to be evaluated on the basis of the “Recommendations 01/2020 on measures […]” version 2.0 published by the EDPB on 18.06.2021 as a follow-up to the new SCC of the EU Commission. Without documentation of additional measures for risk mitigation, the application of the SCC will not be accepted by supervisory authorities. Additional measures may include, for example, anonymization or advanced pseudonymization of data as well as extensive encryption technologies, if it is ensured that recipients in the third country do not have access to the attribution rule for the pseudonymized data as defined in Art. 4 No. 5 GDPR or the data to be processed [Paal/Kumkar, MMR 2020, 733].
With regard to the use of tracking services, it must be evaluated on a case-by-case basis how valid pseudonymization can take place in advance of the transfer of user data to Google in order to ensure “Schrems II” compliance.
3. Legal uncertainty Google & Co.: Are “additional measures” in SCC sufficient?
The European supervisory authorities impose strict requirements on “additional measures” in SCCs for the unmodified use of tracking services from US providers (see already point I.2.b.):
In essence, the supervisory authorities throughout Europe consider the “additional measures” listed by Google in the SCC “Google Ads Data Processing Terms” (including Google Analytics) in Annex II and points 8 and 9 – for example, to shorten the IP address after transmission by Google – to be insufficient, so that the requirements of the “Schrems II” case law are not met.
In its partial decision of December 22, 2021, the Austrian authority had pointed out that unique online identifiers such as IP addresses and unique identifiers such as cookie IDs (in the case of Google Client ID and User ID) are used as a starting point for monitoring by intelligence services. It could not be ruled out that intelligence services had already previously collected information that could be used to trace data from server requests back to individual users.
The fact that the NSA, as the U.S. security agency, accesses cookies, in particular from Google Analytics, to monitor Internet traffic was already sufficiently explained in 2013 in media reports following the Snowden revelations.
Previously, the EDPS had already found that the use of Google Analytics on websites of the European Parliament violated the requirements for third country transfers under Art. 44 et seq. GDPR.
The CNIL had explicitly clarified that UUIDs (Universally Unique Identifier) such as cookie IDs do not constitute pseudonymous data, but have the purpose of identifying a user. Similarly, the DSK had already rejected the assumption of pseudonymization (Art. 4 No. 5 DSGVO) when using advertising IDs, cookie IDs or unique user IDs [DSK, Orientierungshilfe Telemedien, 2019, p. 15].
Additional measures may include, for example, anonymization or valid pseudonymization of data if it is ensured that recipients in the third country do not have access to the attribution rule for the pseudonymized data as defined in Art. 4 No. 5 GDPR or the data to be processed [Paal/Kumkar, MMR 2020, 733]
Following the EDPB recommendations, for effective pseudonymization as an “additional measure” in the sense of the ECJ decision “Schrems II” when using cloud services – such as the server side Google Tag Manager, appropriate procedures for pseudonymization must be applied before transfer to the third party provider [EDPB Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, version 2.0, para. 94 f.]. Transport encryption or “data-at-rest” encryption, as indicated by Google in the proceedings, do not in themselves constitute “additional measures” that ensure a substantially equivalent level of protection.
Even if one completely rejects a risk-based approach in Chapter 5 of the GDPR, as the Austrian authority did in its partial decision of 22.04.2022, a legally compliant use of tracking services is possible if these measures specified by the EDPB are met.
In the case of tracking services such as Google Analytics, whether as a client-side or server-side tracking solution, it is necessary to subject the data parameters for tracking – IP address, user agent, client ID, user ID and, if applicable, order IDs – to valid pseudonymization in advance of transmission so that the requirements from the ECJ ruling “Schrems II” can be fully implemented.
By modifying/synthesizing the processed data parameters, the JENTIS solution enables effective pseudonymization to be implemented so that the requirements for “additional measures” can be documented in a reliable manner.
4. Legal uncertainty TADPF: Will there be a new adequacy decision for the US?
Finally, the agreement announced on March 25, 2022 between U.S. President Biden and EU Commission President Ursula von der Leyen on a new “Trans Atlantic Data Privacy Framework” (“TADPF“) as a successor agreement to the EU-US Privacy Shield, which was declared invalid by the ECJ, is currently subject to considerable legal uncertainty.
To date, no negotiated text of the agreement exists as a basis for a possible Executive Order in the U.S. and a possible adequacy decision by the EU Commission under Article 45 GDPR. In a response from the EU Commission to a question from the EU Parliament dated 11.05.2022, it was stated that the details still had to be worked out and these still had to be implemented in legal texts.
Only on this basis could the EU Commission propose a draft for a new adequacy decision for the USA and initiate the corresponding adoption procedure. The adoption procedure involves obtaining an opinion from the EDPB and a positive vote from the member states in the so-called comitology procedure. The European Parliament has a right of control over the adequacy decisions of the EU Commission as an implementing act within the meaning of Art. 291 AUEV. Only after these procedures have been completed in the context of implementing acts, the Commission may issue a new adequacy decision pursuant to Art. 45 GDPR.
It should be noted that any adequacy decision by the EU Commission does not give carte blanche for data transfers to the USA. As with the predecessor agreement, the EU-US Privacy Shield, a self-certification of U.S. companies with the U.S. government will be required, i.e., a check is required as to whether an active certification for the respective data recipient actually exists.
Notwithstanding this, the following two risks, which have not yet been addressed by the negotiating parties, must be dealt with:
First, there is the question of how to deal with sub-processors, in the case of Google Analytics over 50 sub-processors, as recipients of the data in third countries without an adequate level of protection, such as Taiwan, the Philippines, Brazil, Mexico, Malaysia and India. For these third countries, there is no adequacy decision of the EU Commission.
On the other hand, it is still uncertain whether the Supreme Court’s decision of 04.03.2022 in the “FBI ./. Fazaga” case will have an impact on the current negotiations between the EU and the USA. This is because the “Independent Data Protection Review Court” envisaged in the TADPF could be called into question by the Supreme Court decision due to the upholding of the “state secret privilege”, according to which important information on the surveillance measures does not have to be disclosed to data subjects [see Lejeune, Trans-Atlantic Data Privacy Framework despite U.S. Supreme Court decision in FBI v. Fazaga?, 31.03.2022].
5. Conclusion: Need for Long-Term Strategies for Risk Management
With inadequate industry solutions for server side tracking and a lack of practicality to meet the explicit consent requirements for third party transfers communicated by regulators, there is a growing need for long-term and sustainable strategies for legally compliant and successful third party data use with global infrastructures.
Middleware concepts such as the JENTIS SaaS solution provide a solution to the interconnectedness and risks associated with website tracking. JENTIS allows flexible configuration of the SaaS solution to accommodate the volatility of each company’s individual risk situation. In this way, the JENTIS SaaS solution enables companies to ensure “Schrems II” compliance in the supply chain when using third-party tracking technologies.