Cookies and data transfers to the US
A large proportion of tools relying on cookie files and other tracking technologies commonly used by operators of websites in the European Union (e.g. for analytical or statistical purposes) are offered by companies based in the United States—a “third country” for purposes of the EU’s General Data Protection Regulation. This carries certain consequences under the GDPR, as use of such tools may involve the transfer of data to a third country and as such must meet the requirements set forth in Chapter V of the GDPR.
Indeed, the permissibility of transfer of data to the US in connection with the use on various websites of Google Analytics and Facebook Connect tools (relying on cookies and other tracking technologies) was the basis for 101 identical complaints filed by NOYB with 30 supervisory bodies in the European Economic Area.
In a decision dated 22 December 2021, the Austrian Data Protection Authority (Datenschutzbehörde) found that a website operator’s use of Google Analytics cookies violated both Chapter V of the GDPR, which imposes rules for the transfer of data to third countries and international organisations, and the holding of the Court of Justice in C-311/18, Schrems II (Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems).
In its decision, the Austrian regulator found that use of Google Analytics cookies by an Austrian website involved collection and subsequent transmission of personal data, including unique user identification numbers, IP addresses, and browser settings, to Google in the US.
In the Austrian regulator’s view, the standard contractual clauses concluded between the operator of the website and Google did not ensure an adequate level of protection of data within the meaning of the GDPR, primarily for two reasons:
- Google is a supplier of electronic communications services subject to US regulations involving surveillance by US intelligence agencies (i.e. sec. 702 of the Foreign Intelligence Surveillance Act).
- The supplementary technical, organisational and contractual measures taken by Google as part of its Google Analytics tool are inadequate to limit or prevent the possibility of access by American intelligence services to transferred personal data; that is, they do not ensure an adequate level of protection of personal data transferred to the US.
The regulator also rejected Google’s argument that the data collected using cookies and then transferred to the US do not directly relate to or identify specific natural persons, i.e. do not constitute personal data. In the regulator’s view, IP addresses, particularly when combined with online identifiers, enable identification of specific natural persons and thus qualify as personal data. In this respect the regulator pointed out that actual and immediate identification is not necessary for such data to be deemed personal data. Moreover, the fact that the information enabling identification of a natural person is held by several different entities (rather than a single entity) is also irrelevant to the finding that the person is identifiable and thus that the information constitutes personal data.
This decision resulted from one of the 101 identical complaints concerning use by various companies of Google Analytics and Facebook Connect filed by NOYB across the EEA concerning the permissibility of transferring personal data from the EEA to Google and Facebook in the US in connection with cookies used in these tools.
EDPS decision concerning the European Parliament website
The EDPS stated that the use of standard contractual clauses does not substitute for the individual, case-by-case assessment of the transfer which must be conducted by the exporter (controller) of the data in accordance with Schrems II “to determine whether in the context of the specific transfer, the third country of destination affords the transferred data an essentially equivalent level of protection to that in the EU.” In this respect, the exporter of the data (here, the administrator of the website), where appropriate in collaboration with the data importer in the third country, must carry out an assessment of the proposed safeguards before the transfer is made, and if necessary implement supplementary measures (contractual, technical and organisational) to ensure an essentially equivalent level of protection of the transferred personal data.
Actions by other regulators
Similar doubts as to the use of Google Analytics were signalled by the Dutch Data Protection Authority (Autoriteit Persoonsgegevens), which issued a warning on the use of Google Analytics. And the French Commission Nationale de l’Informatique et des Libertés (CNIL) issued a decision on 10 February 2022 finding that transfers of personal data via Google Analytics are unlawful, and ordering a French operator to bring its website into compliance with the requirements of the GDPR, and if necessary to cease using Google Analytics under the current terms and instead use a tool that will not involve the transfer of data outside the EU. The CNIL stated that other tools used on websites (cookies and other tracking technologies) leading to the transfer of personal data of users from the EU to the US would also be examined.
Decisions involving the use of Google tools could have a major impact on administrators of websites in the EU, because for analytical and statistical purposes most of them use Google Analytics or other tools using cookies or tracking technologies offered by entities from the United States.
Consent to cookies
Alongside the decision by the Belgian authority in the IAB Europe case, French decisions on cookie banners may also be highly instructive on obtaining valid consent to cookies. In those proceedings the CNIL identified two problems:
- Cookies requiring the user’s consent were automatically placed on the end user’s device before they were accepted, as soon as the user entered the page.
- The cookie banners did not allow the user to reject the cookies as easily as accept them.
In these proceedings, the CNIL found that these websites offered an easy way to consent to all cookies immediately upon entering the site, but did not make it just as easy to reject cookies. It took just a single click to accept cookies, but rejecting all cookies required several clicks. The CNIL found that this way of structuring acceptance and rejection of cookies affected the voluntariness of the user’s consent. Internet users care about speed, so the inability to reject cookies as easily as accepting them inclined users to accept cookies. The CNIL also found that Facebook provided users with unclear instructions on rejecting cookies, which misled them as to the actual possibility of doing so.
These decisions are consistent with the CNIL’s guidance on cookies and similar technologies issued in October 2020 and recommendations on acceptable methods of obtaining users’ consent to storage or reading of cookies and similar technologies which do not qualify as essential.
Based on the decisions discussed above, it is incumbent on every website operator to check the following issues:
- Whether non-essential cookies are installed on the end user’s device before the user consents.
- Whether the user can just as easily reject cookies, or withdraw consent to cookies, as accept the cookies.
- Whether the use of Google Analytics includes processing of personal data, and if so, whether the settings for Google Analytics can be modified to ensure compliance with data protection regulations. If it is not possible to change the settings in this way, it is recommended to use alternative solutions not involving the transfer of data outside the EEA.
- Whether the operator uses other tools on its site that could involve data transfers to the US. In that case, the operator should either cease using those tools, or begin anonymising the data, unless the supplier of the tools can demonstrate that additional measures have been taken to ensure an adequate level of protection. But it should be borne in mind that currently data protection authorities tend to regard such additional measures as generally inadequate—even if the supplier declares that the servers are located in the EU—if there is a potential for transfer of the data to the United States.
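The first item on the checklist above can be verified mechanically: capture the Set-Cookie headers a page sends on a first visit, before the user has touched the consent banner, and compare them with the cookies the operator has classified as strictly necessary. The following is an added illustration, not code from the article or from any regulator; the cookie-name prefixes for Google Analytics and the Facebook pixel, the sample headers and the allowlist are all assumptions constructed for the example.

```javascript
// Added example (not from the original article): audit cookies observed on a
// first, consent-free page load against an allowlist of strictly necessary
// cookies. Anything else set at that point is a non-essential cookie placed
// before consent, the first issue on the operator's checklist.
function parseSetCookie(header) {
  // Split "name=value; Attr=val; Flag" into its parts.
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  if (eq < 0) return null; // malformed: no name=value pair
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf('=');
    const key = (i < 0 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i < 0 ? true : a.slice(i + 1);
  }
  return cookie;
}
// Name prefixes of well-known tracking cookies from the tools named in the
// article (Google Analytics: _ga/_gid/_gat; Facebook pixel: _fbp). Assumed list.
const TRACKING_PREFIXES = ['_ga', '_gid', '_gat', '_fbp'];
function auditPreConsentCookies(setCookieHeaders, essentialAllowlist) {
  const findings = [];
  for (const h of setCookieHeaders) {
    const c = parseSetCookie(h);
    if (!c || essentialAllowlist.includes(c.name)) continue; // allowed
    const tracking = TRACKING_PREFIXES.some((p) => c.name.startsWith(p));
    findings.push({
      name: c.name,
      issue: tracking ? 'tracking cookie set before consent'
                      : 'non-essential cookie set before consent',
      maxAge: c.attrs['max-age'] ?? null, // long lifetimes worsen the finding
      domain: c.attrs.domain ?? null,     // cross-site scope worsens it too
    });
  }
  return findings;
}
// Constructed sample: headers captured on a first page load with no consent given.
const SAMPLE_HEADERS = [
  'sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax',
  'cookie_consent=pending; Path=/; Max-Age=31536000',
  '_ga=GA1.2.111.222; Domain=.example.com; Path=/; Max-Age=63072000',
  '_gid=GA1.2.333.444; Domain=.example.com; Path=/; Max-Age=86400',
  'theme=dark; Path=/',
];
const ESSENTIAL = ['sessionid', 'cookie_consent']; // operator's own classification
console.log(auditPreConsentCookies(SAMPLE_HEADERS, ESSENTIAL));
```

In practice the header list would come from a proxy or browser automation run against the live site; the classification of what counts as essential remains the operator's legal judgement, not the script's.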
The future of cookies
Cookies are not a new technology, but regulators are still framing their approach to their use and to assessing their compliance with data protection regulations. As a result of the complaints filed by NOYB in the last year, regulators in various member states can be expected to issue a number of decisions further shaping the approach to cookies across the EU. And at the beginning of March 2022, NOYB announced that it had filed another round of complaints against website operators whose cookie banners do not meet GDPR requirements.