LG Cologne: Google Analytics not legal

Successful lawsuit by NRW consumer association before Cologne Regional Court

• Telekom Deutschland GmbH is prohibited from transferring personal data to the USA for analysis and marketing purposes when using the “www.telekom.de” website.
• Specifically, this involves the IP address, information about the browser used and the terminal device used.

When the “www.telekom.de” website is called up, TelekomDeutschland GmbH transmitted personal data to Google LLC in the USA in order to use its Google Ad Services analysis and marketing services.

This has now been prohibited by the Regional Court of Cologne in a ruling obtained by the NRW consumer association (33 O 376/22). “Companies must ensure that our data protection standards are also complied with across national borders. If they do not meet the special requirements for this, valuable consumer data may not be transferred,” notes Wolfgang Schuldzinski, Executive Director of Verbraucherzentrale NRW.

The Cologne Regional Court is one of the first courts to find a violation of the principles of the “Schrems II” decision of the European Court of Justice (ECJ). In 2020, the report came to the conclusion that the U.S. does not have an adequate level of data protection and that data transfers are therefore subject to particularly high hurdles. The Cologne Regional Court referred to the ECJ and ruled that Telekom did not comply with the strict requirements of the General Data Protection Regulation (GDPR) when transferring data to the United States. It had not taken sufficient measures to ensure that personal data would be
DSGVO-compliant transfer to the USA. A simple consent in the cookie banner via the button “Accept all” was not sufficient for an explicit consent for the third country transfer to the USA. This would require more extensive education of consumers.

The judgment is not yet final.

In the “Schrems II” decision (C-311/18), the ECJ finds that U.S. laws regulating access to personal data by security authorities violate the EU Charter of Fundamental Rights. First, access to the personal data of non-Americans would not be restricted.

Second, non-Americans are not granted enforceable rights against these accesses. In these cases, the GDPR sets a high standard for the legally compliant transfer of personal data of EU citizens, and the ruling effectively prohibited the practice of companies that had been common until then.

However, the review of Telekom’s data traffic revealed that data such as the IP address, information about the browser used and the terminal device used continued to be transmitted to the U.S. for the use of the “Google Ads” ad service.

Since the introduction of the GDPR, data protection in the online sector has been a highly topical issue. More and more users are blocking different tracking technologies, which makes it difficult to collect and analyze data. One solution to this is server-side tracking, which allows website operators to again collect data more comprehensively and accurately.

With server-side tracking, the data is still collected from the client (user), but then transferred to a separate server. There, anonymization, processing and forwarding to tracking systems takes place. This means that the user’s identity is never revealed and the data is much harder to block. Server-side tracking is thus a more privacy-friendly and accurate method of data collection.