Quick Summary of the Ruling
- Telekom Deutschland GmbH has been prohibited from transmitting personal data to Google servers in the USA for analysis and marketing purposes
- The Cologne Regional Court ruled in favor of the Consumer Association of North Rhine-Westphalia (Verbraucherzentrale NRW) in a lawsuit against Telekom
- The court found that Telekom did not comply with the strict data protection requirements of the General Data Protection Regulation (GDPR) when transferring data to the USA
- The court referred to the "Schrems II" decision of the European Court of Justice, which concluded that the USA does not provide adequate data protection
- Telekom's practice of transmitting personal data, including IP addresses and browser information, to Google LLC in the USA has been prohibited
- The court stated that obtaining consent through a cookie banner is not sufficient for explicit consent to transfer data to a third country like the USA
- The ruling emphasizes the need for companies to ensure that data protection standards are maintained across national borders
Further Details of the Ruling
Telekom is prohibited from transmitting personal data to Google servers in the USA. The Consumer Association of North Rhine-Westphalia (Verbraucherzentrale NRW) has successfully filed a lawsuit against Telekom Deutschland GmbH in the Cologne Regional Court, preventing the company from sending personal data for analysis and marketing purposes to the USA via its website, "telekom.de."
Specifically, the lawsuit focuses on the transmission of IP addresses, information about the user's browser, and the device being used. When users accessed the "telekom.de" website, Telekom Deutschland GmbH was sending personal data to Google LLC in the USA in order to utilize their analysis and marketing services, Google Ad Services.
The Cologne Regional Court, in a ruling obtained by the Consumer Association of North Rhine-Westphalia, has now prohibited this practice (33 O 376/22). Wolfgang Schuldzinski, a board member of the Consumer Association of North Rhine-Westphalia, emphasized the importance for companies to ensure that data protection standards are maintained even across national borders. If companies fail to meet these requirements, valuable consumer data should not be transmitted.
The Cologne Regional Court is one of the first courts to identify a violation of the principles established in the "Schrems II" decision of the European Court of Justice (ECJ). The ECJ concluded in 2020 that the USA does not provide an adequate level of data protection, thus imposing high barriers to data transfers. The Cologne Regional Court referred to the ECJ and ruled that Telekom did not comply with the strict requirements of the General Data Protection Regulation (GDPR) when transferring data to the USA.
The court found that Telekom had not taken sufficient measures to ensure GDPR-compliant transfer of personal data to the USA. A simple consent obtained through a cookie banner with an "Accept All" button does not suffice as explicit consent for transferring data to a third country like the USA. The court highlighted the need for more extensive consumer education in this regard. However, the ruling is not yet legally binding.
Insufficient Guarantee of European Data Protection Rights in the USA
In the "Schrems II" decision (C-311/18), the ECJ determined that US laws governing access by security agencies to personal data violate the EU Charter of Fundamental Rights. Firstly, the access to personal data of non-Americans is not restricted, and secondly, non-Americans are not granted enforceable rights against such access.
The GDPR sets a high standard for the lawful transfer of personal data from EU citizens in these cases, effectively prohibiting the previous practices of companies. However, an examination of Telekom's data traffic revealed that data such as IP addresses, information about the user's browser, and the device being used continued to be transmitted to the USA for the use of the "Google Ads" advertising service.
Use of Google Ads Requires Consent
Google Ads enables advertisers to display ads based on search results when users interact with the company's own services. Personal data transmission is essential for displaying interest-based advertising on specific pages based on users' personal profiles and browsing behavior.
To find further information on the ruling of the Cologne Regional Court, visit: www.verbraucherzentrale.nrw/node/83922
Ensure Peace of Mind with Privacy-centric Website Analytics
In light of the recent CJEU ruling, it has become crucial for companies to adopt GDPR-compliant tech solutions like Visitor Analytics to safeguard their data and maintain responsible data handling practices.
Visitor Analytics offers a privacy-first analytics platform designed to empower website owners with valuable insights into their website's performance while prioritizing the privacy of their visitors' data.
By embracing Visitor Analytics, companies can effectively protect their visitors' data privacy while still gaining comprehensive knowledge about their website traffic and user behavior.
As Google's Universal Analytics approaches its sunset, now is the ideal moment for companies to make the switch and eliminate the inherent risks associated with using non-compliant solutions.
Moreover, migrating to Visitor Analytics not only ensures data compliance but also presents an opportunity for significant cost savings. By consolidating various features such as heatmaps, session recordings, polls, surveys, and more into a single platform, companies can streamline their martech stack and benefit from competitive pricing.
With Visitor Analytics, companies can have peace of mind, knowing that their data is secure, their practices are GDPR compliant, and they are making informed decisions about their website's performance—all in one comprehensive and cost-effective solution.