Recently, the Cologne District Court ruled that a German mobile operator’s use of Google Analytics violated the GDPR’s requirements for international data transfers.
The Cologne District Court ruling only applies to the defendant in the case, Telekom Deutschland GmbH. Still, its position is essential to know and understand for any business operating in the European Union (“EU”) that uses Google Analytics.
The controversy surrounding data transfers from the EU to the US stems from the European Court of Justice’s invalidation of the Privacy Shield in the Schrems II case in 2020. As a result, the unrestricted transfer of all data, including analytics data, was no longer allowed.
We have summarised the key aspects of the judgment below and also provide the full text of the decision, which has been automatically translated into English. If you are interested in the Court’s detailed analysis of the use of Google Analytics, you can find it on pages 24-29.
IP addresses are personal data under the GDPR
According to the Court’s decision, dynamic IP addresses are recognised as personal data if data controllers can use them to identify a specific data subject.
In this case, the mobile network operator in Germany and Google Analytics in the United States are data controllers that can identify a data subject through an IP address.
Telekom Deutschland GmbH, as a telecommunications service provider, can identify an individual by IP address by combining that address with other available information, such as the date, time, or duration of a particular user’s visit to its website.
Similar identification capabilities are available to Google Analytics, which may use IP address data and other services to create a personal profile and use it for identification purposes.
The US does not provide an adequate level of personal data protection
In 2020, the European Court of Justice annulled the EU-US Privacy Shield in the Schrems II case. Since the annulment of the Privacy Shield, data can only be transferred from the EU to the US if adequate safeguards or derogations are in place, as provided by the GDPR.
As a reminder, the GDPR generally provides for three cases of international data transfers – based on an adequacy decision (Article 45 of the GDPR), subject to appropriate safeguards (Article 46 of the GDPR), or following derogations for special situations (Article 49 of the GDPR).
If there is an adequacy decision between the EU and a particular country, this is sufficient for data transfers. If there is no such decision (or it has been revoked, as in the case of the United States), the transfer requires either appropriate safeguards (most often the standard contractual clauses developed by the European Commission) or, if the data transfer is not systematic, a derogation for special situations.
Standard contractual clauses alone cannot be used as a basis for data transfers, as they do not protect against access by US government authorities
The European Commission’s Standard Contractual Clauses (or SCCs) are one of the key tools for international data transfers under the GDPR. However, they are essentially a contract that cannot oblige authorities in any country, including the United States, to refrain from action.
In the Schrems II case, the European Court of Justice invalidated the Privacy Shield precisely because of the relevant US legislation, which allows for data surveillance and monitoring in the United States.
In this context, the use of the SCCs alone to transfer data from the EU to the US is not sufficient. Other technical or organisational measures must be taken, which Telekom Deutschland GmbH has not demonstrated. Such measures may include, for example, those set out in the recommendations of the European Data Protection Board for international data transfers.
In the case of international data transfers based on explicit consent under the derogations provided for in Article 49 of the GDPR, it is necessary to clearly inform data subjects about such transfers
The Cologne District Court also stated in its judgment that where a data transfer is based on a derogation, in particular the explicit consent of the data subject, it is first and foremost necessary to inform the data subject of the international transfer.
In this case, Telekom Deutschland GmbH generally failed to inform its users about the transfer of data to Google Analytics, violating the GDPR. As the data subjects were not even informed about the transfer of their data to Google, the mobile operator could not rely on explicit consent as a basis for the international transfer.
Therefore, it is important to remember that IP addresses are personal data, and their transfer to Google Analytics requires not only the use of standard contractual clauses but also additional technical and organisational measures that may offset the ability of US government agencies to monitor the data.