German Supreme Court rules on Cookie-Law – also relevant for Austria!

One of the most significant issues with regard to online marketing concerns the dissemination of targeted advertising (especially via online advertising networks), i.e. the retargeting of users beyond the advertiser’s own website, and this even applies if such targeted advertising does not rely personal data. The crucial legal question lies within the technologies used for accessing information that is stored on the users’ devices. Article 5 of the so-called “European Cookie Directive” provides that the storage of or the access to information that is already stored on a user’s device is only permitted if the concerned user has consented thereto whilst his/her consent must be based on corresponding clear and comprehensive prior information that he/she, according the former Data Protection Directive, inter alia receives with a view to the purpose of the data processing. This does not exclude a technical storage or an access thereto if such storage/access is absolutely required for providing the user with a service of the information society that the user explicitly requested.

Austrian Warning Letters and a German Judgment

Until now, neither the Austrian telecom authorities nor the Austrian Data Protection Authority (“ADPA”) have shown interest in the Cookie-issue. In mid-2019, however, an attorney based in beautiful Salzburg commenced sending warning letters to customers of online advertising networks requesting damages in the amount of EUR 1.000,00 per (allegedly unlawful) Cookie. In the meantime, his client has instituted several proceedings at the ADPA.

A few years ago, however, the German National Association of Consumer Advice Centers has already sued Planet49, a German company that organized a raffle on its website. In the German Federal Supreme Court’s (GFSC) corresponding judgment of 28 May 2020 (I ZR 7/16 – Cookie-Consent II [hereinafter „GFSC-Planet49-Judgment“]), the GFSC naturally and primarily assessed the situation under German laws (i.e. under the German Telemedia Act [“GTA”]) – however, this judgment is also relevant beyond Germany’s borders and especially for Austria even though the wording of the Austrian Telecoms Act (“ATA”) is quite different.

The facts underlying the GFSC-Planet49-Judgment were as follows: After the user had entered his/her zip code, he/she was directed to a page where he/she had to enter his/her name and address. Below the respective input fields, inter alia the following consent declaration was shown whilst the corresponding checkbox was already ticked: “I agree that the advertising analysis service Remintrex is being used. From this, it follows that the organizer of the sweepstake [Planet49] places Cookies after my registration for the sweepstake which evaluate my browsing- and user-behavior on websites of advertising partners which enables targeted advertising by Remintrex. I can delete these Cookies anytime. See here for details.” In the explanations hyperlinked at the word “here”, it was pointed out that the Cookies contained a randomly generated specific number (“ID”) assigned to the user’s registration data who has entered his/her name and address into the provided webform.

In case the user visits the website of one of Remintrex’ registered advertising partners with the stored ID, the visit as such, the products in which the user was interested and also the information whether or not a contract was concluded was collected. The user was able to remove the tick from the checkbox. In this case, however, the user could not participate in the sweepstake.

The German National Association of Consumer Advice Centers requested to prohibit Planet49 from further using such consent declarations in the course of sweepstake arrangements or from further relying on such consent declarations. In addition to that, the German National Association of Consumer Advice Centers also requested a reimbursement of the warning letters’ costs.

Now, the GFSC has granted the claim and particularly argued as follows:

  • The consent declaration used by Planet49 in the form of a „general term and condition” allowing for the access of information stored on the user’s device via Cookies by way of a pre-ticked checkbox inappropriately disadvantages the user and this applies not only under the former but also under the current laws.
  • Obtaining consent via a pre-ticked checkbox was already inadmissible prior to the General Data Protection Regulation (“GDPR”): the objected use of Cookies by Planet49 as a service provider aims at creating user profiles for advertising purposes while the user’s behavior on the Internet is tracked and the results of such tracking are used for disseminating corresponding targeted advertising. The randomly generated number (ID) in question, which is assigned to the user’s registration data, is a pseudonym under this regulation. The GFSC must interpret the GTA’s provisions in compliance with the (former) directive and the result of this interpretation is that the user’s consent is required for using Cookies for the creation of user profiles for advertising or market survey purposes.
  • According to the CJEU and now also according to the GFSC, it is irrelevant whether these pieces of information are personal data. From an Austrian perspective, it must be noted that the GTA did not make any corresponding differentiation anyway as it specifically covers the “storage of information or access to information” and thus, in contrast to the ATA, information irrespective of any relation to an identifiable person (for details on the Austrian situation, please see below).
  • This German law’s interpretation in compliance with the directive does not exclude that the German legislator has not yet adopted the directive. Rather, it is to be assumed that the German legislator has deemed the German laws to already be compliant with that directive, and this interpretation is still compatible to the GTA’s wording.

Austrian „Cookie Solution“ and Impact of the CJEU and GFSC Judgments

The Austrian legislator has tried to adopt the Cookie Directive in § 96 para 3 of the ATA, particularly by its amendment that entered into force on 1 December 2018 and that also considered the GDPR’s wording: Providers of services of the information society are obliged to inform the user about which personal data are processed, on which legal foundation that processing is based upon, for which purposes the personal data is processed and for how long the personal data is stored. Collection of such data is only permissible upon the user’s consent, except for cases where it is absolutely required to store or access such data in order to provide the user with a service that the user explicitly requested.

Therefore, and in contrast to the GFSC’s interpretation of the GTA, the ATA (which adopted the Cookie Directive) specifically only applies to Cookies containing personal data. From the CJEU’s judgment in the Planet49 case dated 1 October 2019, it already clearly followed that the Austrian provision is contravening European law, and this has now been indirectly confirmed by the GFSC. Consequently, § 96 para 3 ATA should not only apply to personal data, but also to information that does not relate to an identifiable person. According to the clear wording of § 96 para 3 ATA, however, this is not the case.

Extending the administrative penalty provision laid down in § 96 para 3 ATA to non-personal data by way of an interpretation complying with the directive is, in contrast to the GTA, out of the question from a constitutional perspective in our view because the constitutional principle is “no penalty without a legal foundation”. Furthermore, a direct application of the directive to Austrian cases equally seems impossible since the Austrian legislator has tried to adopt the directive and such a direct application would be to the disadvantage of the people/companies.

In Austria, we therefore arguably still have the “regulated field” of personal data and the “non-regulated field” of non-personal data with a view to Cookies, respectively tracking tools in terms of the Cookie Directive.

Significant Non-Personal Tracking in Practice

The question however is whether the above differentiation only is for academic jobsworths anyway, because the broad definition of “personal data” purports that personal data is always used in the context of online tracking tools? In our opinion, the differentiation between personal data and anonymous data (which is not subject to the data protection laws) is one of the paramount questions of the data protection law as such. The answer to that question is essential for survival of numerous business models if not of entire industrial sectors. Unfortunately, however, it often remains reflexively undoubted whether personal data is used.

On the basis of Austrian case law, we believe that the crucial question for this differentiation is whether establishing a direct link between the data and a person is only possible when expending disproportional efforts whereas this has to be assessed on the basis of reasonable common expectations. In our view, and upon reliance on the criteria mentioned in Article 32 of the GDPR regarding data security, this crucial differentiation may be further substantiated via an ex ante analysis from a data protection law point of view by way of the following “moving system”:

  • Means which are presumably used for establishing a link to a person on the basis of reasonable common expectations and, in this context:
    • nature, scope, circumstances and purposes of the processing;
    • likelihood and gravity of the risks for the rights and freedoms of the data subjects;
    • costs for the identification; and
    • required time investment,
    • whereas the technology and the technological developments in the point of time of the processing are to be considered.
  • If the conclusion is that establishing a link to a person is not to be expected without disproportionate efforts, the data should be qualified as anonymous.

In terms of online tracking, especially via Cookies, this admittedly leads to the answer that is quite popular with lawyers, namely “it depends on the individual circumstances”. In the context of online advertising networks and re-targeting measures, however, it is to be assumed in most of the cases that the advertising networks and especially the advertisers themselves are not interested in establishing such a direct link and they thus do not expend any corresponding efforts. The players involved rather are exclusively interested in regularly showing targeted advertisings on the users’ devices which they use for expressing their interest in certain offers, such as by visiting certain websites in particular, especially in order to remind them of such offers whereas this does not require the user’s true identity to be actually known. Hence, and to the extent no personal data is processed, e.g. by not establishing a link to log in or other data, it is to be assumed that such data is anonymous in terms of the above differentiation and the GDPR thus does not apply.

Even though the Cookie Directive also provides for information obligations and the obligation to obtain prior consent, these obligations have not been incorporated into the ATA. Therefore, such obligations (currently) do not exist under Austrian law.

Anticipatory: also in Austria, the sole Solution only is a Solution that has been evaluated form a technological and legal Point of View

In light of the CJEU and GFSC judgments, it is to be expected that the Austrian legislator will adapt the ATA’s Cookie regulations in compliance with the Cookie Directive and the CJEU’s interpretation thereof shortly – this is also to be expected in light of the ePrivacy Regulation’s rather slow legislative procedure. With this, it will finally be necessary in Austria also to obtain the user’s consent for even using anonymous Cookies to the extent they are not absolutely required for providing the user with a service he/she has specifically requested.

The strict requirements for detailed information, consent and especially also for the consent’s revocability at any time presumably can only be fulfilled via technological support in terms of Cookie tools or equivalents.

In our opinion, securing the survival of the multi-million online advertising market requires creative solutions which put all of the involved players into a legally sound win-win situation. This will require technicians, businesspeople (especially marketing departments) and lawyers to cooperate very closely. Hence, a corresponding teambuilding must be achieved, just as this already was necessary when implementing the GDPR.