
Google has been ordered by Hamburg, Germany

The Hamburg Officer for Data Protection and Freedom of Information (HmbBfDI) issued an order to Google

by M. Schröder

The Hamburg Officer for Data Protection and Freedom of Information (HmbBfDI) issued an order on 26.09.2014 that commits Google to make changes with regard to handling users’ personal information. This applies in particular with regard to the merging of data from various Google services.

Following the press release on 30.09.2014, 2B Advice now possesses the full text.

  1. In the view of the Data Protection Office, based on the legal practice of the ECJ, German data protection law must also apply to international companies if service providers and responsible bodies “whose headquarters are not in Germany” “nevertheless use a national office to attempt to promote the use of their services on the German market through marketing and sales measures” (order para. 46).
    The justification is that “Google Germany GmbH assumes a bridge function within the meaning of § 1, para. 5, clause 1 of the Federal Data Protection Act (BDSG) for Google’s activity on the German market and with regard to German users” (order para. 52).
  2. According to the HmbBfDI, the question of whether dynamic IP addresses are personal data or not is irrelevant because these IP addresses are stored along with extensive additional usage data, meaning that – also according to the so-called relative point of view – each IP address can lead to a personal reference in connection with the additional data. However, as Google does not distinguish between static and dynamic IP addresses, and a personal reference is generally assumed for static IP addresses, Google would have to acknowledge that the IP addresses and the data saved with them or linked to them represent personal data (order para. 70 – 80). In this respect, it does not matter if there is a corresponding intention to exploit the data. In terms of whether personal data exists, the possibility of making a personal reference is sufficient – and that possibility exists here (order para. 78).
  3. The data protection statement in accordance with § 13, para. 1 of the German Telemedia Act (TMG) has no legal effect on its own and cannot replace consent. Any data processing or use beyond the degree permitted by law must be covered by valid consent. It is therefore not sufficient that the user agrees to the Terms of Use by adding a tick and confirming that they have ‘read’ the data protection statement (order para. 146).
    In addition to requiring that users are enabled to withdraw their consent at any time (order no. 4c), the HmbBfDI demands the following:
    The consent procedure “must ensure that the respective user undertakes a clear consent action […]. The mere further use of the service or services does not represent a consent action […].” (order no. 4a).
    Furthermore, the user must, “with regard to obtaining consent, be informed separately and specifically about the pursued objectives and about the data that will be collected upon the granting of consent […]. A mere link to the data protection statement is not sufficient” (order no. 4b).
  4. The linking of several services that serve different purposes (such as YouTube, Google Books, Blogger, Google Maps) via a central authentication and user data administration service (order para. 97) does not lead to a “uniform global purpose of service provision” (order para. 100) and thus also not to a single uniform service. “In this context, what determines the processing purpose is not the entrepreneurial decision, but rather the purpose to be fulfilled by the service” (order para. 100).
  5. The linking of data from one service with data from another service constitutes a change to personal data and thus a phase in data processing. If, by way of exception, no content-related change is involved in the linking, this results in the use of obtained data for other purposes. Insofar as such changes or use are not necessary for the provision of the respective other service, no permission for the processing of this data has been granted. The changes or use are then only permitted with the consent of the user, but Google has not obtained this consent in an effective manner and is not in the process of obtaining it.
  6. Interestingly, Google offers methods for Google Analytics to effectively implement the objection to the use of usage data for the purposes of usage analyses, although it does not employ these methods itself, as the HmbBfDI claims to have ascertained. He thus calls on Google to notify users clearly of their right to object to the use of this data for web analyses and marketing purposes and to offer methods that ensure the implementation of the objection.

In his order, the HmbBfDI has already stipulated the highest possible fine according to relevant administrative law, in the amount of EUR 1,000,000, if Google does not implement the order before the deadline. The order is not legally binding and can still be contested by Google in court. The complete text of the order is available here.

Regardless of the specific order procedure, the process should enable Internet companies to draw some important conclusions:

  1. Caution should be exercised when storing usage data such as IP addresses, browser information, localization data, IMEI numbers or comparable information. The more usage data exists, the more likely it is that a personal reference will be assumed, with all the associated consequences.
  2. The current ECJ case law on the application of national law as part of the decision “on the right to be forgotten” is being adopted by the supervisory bodies and, in many cases that were previously unclear, this leads to the supervisory bodies being responsible. In this regard, the ‘bridge function’ of an office within a country is sufficient if the office has acquired promotional materials and money that are part of operating the service. A shifting of responsibilities – including within Europe – has thus become significantly more difficult. Any existing configurations should be inspected for their resilience. Companies working throughout Europe must thus expect to be confronted not with just one supervisory body but with all supervisory bodies in the European member states in which they operate branches and subsidiaries.
  3. If the data processing associated with the use of a service goes beyond the legally permitted extent, high demands on the content and technical design of the declaration of consent apply. The existence of a data protection statement does not equate to consent when the affected person uses a service. The topic of ‘consent’ should thus already be taken into account in the planning phase of a service and should be integrated conceptually into the development process.

Whether the considerations of the HmbBfDI will also stand in a court of law remains to be seen, although his considerations do not appear to be completely wide of the mark. As emphasized in his press release, this opinion is shared by supervisory bodies throughout Europe. Providers of ‘linked’ telemedia services should therefore not wait for the situation to progress, but instead take a close look at the criticized points.

 

 
