Recent decisions from the European Union (EU) have placed renewed focus on the common cookies used on ecommerce and other websites visited by consumers and employees, and on the transfer of personal data collected through those cookies to the United States. The EU Data Protection Authorities (DPAs) found that the use of widely deployed website technologies (i.e., cookies and JavaScript) to automatically collect identifiers from users’ devices or through their use of internet protocols (e.g., IP addresses) resulted in the collection of personal data. The DPAs further found that the subsequent transfer of this data to Google servers located in the United States violated EU cross-border data transfer requirements because there were inadequate safeguards under the Schrems II decision invalidating the EU-US Privacy Shield. One notable impact of the decisions is to dismiss the adequacy of encryption technologies where the service provider (such as Google) has access to the cryptographic key and can be compelled to surrender it so that the data can be decrypted and read by U.S. surveillance authorities. Consideration of the impact of these decisions is critically important for ecommerce and other websites operating in the EU, as well as more generally for organizations that transfer personal data of consumers and employees to the U.S.

In a decision dated January 5, 2022, the European Data Protection Supervisor (“EDPS”) concluded that the European Parliament (the “Parliament”) violated Regulation 2018/1725, which applies to Union institutions and agencies, in connection with its use of cookies on a Parliament website used by the Parliament’s staff to register for COVID-19 PCR tests. The private company with which the Parliament contracted to administer and run the website for employee testing included a cookie from Stripe (used for online payments) and a cookie for Google Analytics (used for website optimization and to minimize spoofing). The EDPS found that these cookies collected personal device identifiers from visitors to the website and resulted in the transfer of this personal data to the United States, where Stripe and Google servers are located. The EDPS noted that according to Google’s terms of use, Google Analytics cookies are designed to process “online identifiers, including cookie identifiers, internet protocol addresses and device identifiers” as well as “client identifiers.” Notably, the EDPS explained that “[t]racking cookies, such as the Stripe and the Google analytics cookies, are considered personal data, even if the traditional identity parameters of the tracked users are unknown or have been deleted by the tracker after collection.”

The EDPS found that the Parliament provided no evidence regarding the contractual, technical or organizational measures in place to ensure an essentially equivalent level of protection for the personal data transferred to the U.S. in the context of the use of cookies on the website. It further noted that such safeguards may be provided by the newly issued Standard Contractual Clauses (SCCs) or another transfer tool. The EDPS emphasized, however, that “[t]he transfer tool relied on must ensure that data subjects, whose personal data are transferred to a third country pursuant to that transfer tool, are afforded a level of protection in that third country that is essentially equivalent to that guaranteed within the EU by EU data protection law, read in the light of the Charter.” As a result, the EDPS concluded that the Parliament violated the cross-border data transfer restrictions under the Schrems II decision by transferring employee data to the United States. Our previous blog discussed the considerations relevant to these types of cross-border data transfers to the United States and the impact of SCCs and technical measures.

In another decision dated December 22, 2021, the Austrian Data Protection Authority similarly concluded that Google Analytics cookies transmit personal data as defined by the General Data Protection Regulation (GDPR). The Austrian DPA explained that cookies which collect unique user identification numbers, IP addresses and browser parameters contain information making it possible to differentiate between website visitors and to draw conclusions about the browser used, browser settings, language selection, website visited, screen resolution and other information related to the website visitor. The Austrian DPA concluded that this “digital footprint” satisfied the definition of personal data, which, under Article 4 of the GDPR, includes “any information that relates to an identified or identifiable natural person.” The DPA further concluded that Standard Contractual Clauses offered an insufficient level of protection here because the data stored by Google was subject to surveillance by U.S. intelligence agencies. The DPA found that encryption technologies controlled by Google are insufficient because Google “is subject to 50 U.S.C. § 1881a (“FISA 702”) [and] has a direct obligation with regard to the imported data that is in [its] possession, custody or control to grant access to or release them. This obligation can expressly also apply to the cryptographic key without which the data cannot be read.” The DPA concluded, “In the opinion of the data protection authority, the Google Analytics tool (at least in the version dated August 14, 2020) cannot be used with the requirement of Chapter V of the GDPR.”

Not long after the EDPS and Austrian DPA decisions, the French Data Protection Authority, CNIL, followed suit on February 10, 2022, issuing a statement cautioning that transfers to the United States of unique identifiers collected through Google Analytics cookies are not sufficiently supervised, and indicating that CNIL was initiating formal notice procedures against website managers using Google Analytics.[1] The CNIL stated that it considers these transfers to be illegal because there are insufficient measures to exclude the possibility of access by American intelligence services to this data. The CNIL statement requires a manager of a French website to comply with the GDPR and, if necessary, to stop using this tool under the current conditions.

In the wake of these developments and the scrutiny of the use of third-party cookies and cross-border data transfers, businesses operating in the European Union must pay particular attention to the cookies and other technologies used on their websites or other systems, and to the resulting transfer of any personal data to the United States, including by their service providers or processors, and consider the impact of these recent decisions. Any questions may be directed to the authors or another member of EBG’s Privacy, Cybersecurity, and Data Asset Management Group.

Brian G. Cesaratto is a Certified Information Systems Security Professional (CISSP) and Certified Ethical Hacker (CEH). Alexander Franchilli is a Certified Information Privacy Professional (CIPP)/US and an Associate in the Employment, Labor & Workforce Management and Litigation practices in the New York office of Epstein Becker Green.

***************************

[1] Discussions herein of the Austrian DPA decision and CNIL statement rely on machine translations of these documents.
