Website review

Cookies leading to cross-border transfers of personal data

Recent decisions by European Union (EU) authorities have focused on common cookies deployed on e-commerce and other websites used by consumers and employees, and on transfers of personal data collected through those cookies to the United States. EU Data Protection Authorities (DPAs) have found that widely used website technologies (i.e. cookies and JavaScript) that automatically collect user device identifiers, or that rely on internet protocols (e.g. IP addresses), result in the collection of personal data. The DPAs further found that the onward transfer of this data to Google servers located in the United States violated EU requirements for cross-border data transfer, as there were no adequate safeguards following the Schrems II decision invalidating the EU-US Privacy Shield. A notable impact of the decisions is to reject the adequacy of encryption where the service provider (such as Google) has access to the cryptographic key and may be compelled to surrender it so that the data can be decrypted and read by American security and surveillance authorities. Consideration of the impact of these decisions is of crucial importance for e-commerce and other websites operating in the EU, as well as more generally for organizations that transfer the personal data of consumers and employees to the United States.

In one decision dated 5 January 2022, the European Data Protection Supervisor (“EDPS”) concluded that the European Parliament (the “Parliament”) had breached Regulation 2018/1725, applicable to Union institutions and agencies, in connection with its use of cookies on a Parliament website used by Parliament staff to register for COVID-19 PCR tests. The private company with which the Parliament had contracted to administer and manage the employee-testing website included a cookie from Stripe (used for online payments) and a cookie for Google Analytics (used for website optimization and to minimize identity theft). The EDPS found that these cookies collect the device identifiers of website visitors and result in the transfer of this personal data to the United States, where the Stripe and Google servers are located. The EDPS noted that, according to Google’s terms of service, Google Analytics cookies are designed to process “online identifiers, including cookie identifiers, internet protocol addresses and device identifiers” as well as “customer identifiers”. In particular, the EDPS explained that “[t]racking cookies, such as Stripe and Google Analytics cookies, are considered personal data, even if the traditional identity parameters of tracked users are unknown or have been deleted by the tracker after collection.”

The EDPS found that the Parliament had not provided any evidence of the contractual, technical or organizational measures put in place to ensure an essentially equivalent level of protection for the personal data transferred to the United States through the use of cookies on the website. He further noted that such safeguards may be provided by the newly published Standard Contractual Clauses (SCCs) or by another transfer tool. However, the EDPS underlined: “[t]he transfer tool used must ensure that the data subjects, whose personal data are transferred to a third country by virtue of this transfer tool, benefit in this third country from a level of protection essentially equivalent to that guaranteed within the EU by EU data protection law, read in the light of the Charter.” As a result, the EDPS concluded that the Parliament breached the cross-border data transfer restrictions set out in the Schrems II decision by transferring employee data to the United States. Our previous blog post discussed considerations for these types of cross-border data transfers to the United States and the impact of SCCs and technical measures.

In another decision, dated December 22, 2021, the Austrian Data Protection Authority likewise concluded that Google Analytics cookies transmit personal data as defined by the General Data Protection Regulation (GDPR). The Austrian DPA explained that these cookies, which collect unique user identification numbers, IP addresses and browser settings, contain enough information to distinguish individual visitors to the website and to draw conclusions about the browser used, browser settings, language selection, websites visited, screen resolution and other characteristics of the visitor. The Austrian DPA concluded that this “digital fingerprint” meets the definition of personal data, which under Article 4 of the GDPR includes “any information relating to an identified or identifiable natural person”. The DPA further concluded that the standard contractual clauses offered an insufficient level of protection here because the data stored by Google was subject to surveillance by US intelligence agencies. The DPA found that the encryption technologies controlled by Google are insufficient because Google “is subject to 50 USC § 1881a (‘FISA 702’) [and] has a direct obligation with respect to the imported data in [its] possession, custody or control to permit access or release. This obligation may expressly also apply to the cryptographic key without which the data cannot be read.” The DPA concluded: “In the opinion of the data protection authority, the Google Analytics tool (at least in the version dated August 14, 2020) cannot be used in compliance with the requirements of Chapter V of the GDPR.”

Shortly after the decisions of the EDPS and the Austrian DPA, the French Data Protection Authority, the CNIL, followed suit on February 10, 2022 by issuing a statement warning that transfers to the United States of unique identifiers collected via Google Analytics cookies are not sufficiently supervised, and indicating that the CNIL was initiating formal notice procedures against site operators using Google Analytics.[1] The CNIL has indicated that it considers these transfers to be illegal because there are no sufficient measures to exclude the possibility of access to this data by the American intelligence services. The CNIL statement requires the operator of a French website to bring the site into compliance with the GDPR and, if necessary, to stop using this tool under current conditions.


[1] Discussions of the Austrian DPA decision and CNIL statement are based on machine translations of these documents.

©2022 Epstein Becker & Green, PC. All rights reserved. National Law Review, Volume XII, Number 59