Over the past two years, European regulators and the EU Court of Justice (CJEU) have set their sights on America, and in particular, big tech.
For example, in July 2020, the CJEU in Schrems II nullified the EU-US Privacy Shield (which made data transfers to the US lawful) and imposed rigorous legal, technical and organizational measures on controllers wishing to share data legally outside of “adequate” countries.
Since then, we’ve seen decisions by regulators and courts in Austria, Belgium, Germany & Portugal scrutinizing data transfers under the GDPR, particularly transfers made to big tech firms like Google, Facebook, Stripe and Cloudflare. Unfortunately, while the regulatory ire is directed squarely at Silicon Valley, it’s mostly the smaller EU controllers (and their users) who are left shouldering the burden of these decisions.
Personally, I’m quite sympathetic to the regulators’ efforts. I’m no Google or Facebook apologist. And the Schrems II decision was an appropriate response to a legal framework that wasn’t really worth the paper it was printed on. But as of late, the EU authorities have gone down a path that, if left unchecked, will fundamentally wreck the internet as we know it.
Two recent decisions, one in Austria, and the other in Germany, both against the use of various Google services, have exposed where high-minded regulatory aims and privacy absolutism run up against technical reality.
Strolling Through the Breyer Patch
Before we get into all of that, I first need to discuss the Patrick Breyer decision in 2016. Mr. Breyer brought an action before the German administrative courts seeking an order restraining the Federal Republic of Germany from storing, or arranging for third parties to store his IP address. After a few appeals, it wound up before the CJEU.
The CJEU found that a dynamic IP address alone did not constitute ‘personal data’ under Article 2(1)(a) of the Data Protection Directive 96/45. However, an IP address can identify a natural person (and thus is personal data) if the controller has a legal or practical means to obtain additional identifying data, either directly or indirectly through a third party, such as an internet service provider (ISP).
In this case, German law allowed website operators to obtain additional details from the ISP in order to bring criminal proceedings after a cyber attack. (Breyer, paras. 48-49)
The Breyer case struck a reasonable balance between protecting data protection rights at all costs (sometimes known as ‘privacy absolutism’) and the practical realities of how the internet works.
Rather than holding that IP addresses were always personal data, it looked at the risk and likelihood that a data subject could actually be identified.
When Is an IP Address Like an Apartment?
IP addresses sit in a middle space from a data protection perspective. They are both private (and identifying) and public. That’s because everything that we do on the internet, every connection we make from our machines to other machines, involves IP addresses. Let me explain with a very, very high-level view which will necessarily skip over a lot.
IP addresses serve two functions – first, as a means to identify a network or device (e.g., an individual machine, router, Google, your ISP, etc.), and second, as a way to identify the path to get to that device. So, my (current) IP address is 18.104.22.168. If I want to connect to Google.com (22.214.171.124), I can run a command that shows me the exact path data takes to get from my computer to Google. It looks something like this:
An IP address can be static (fixed) or dynamic (meaning it changes from time to time). There are also public and private IP addresses. My ISP assigns me a single dynamic public IP address to the main device connecting my home network to the internet (typically a router).
My router then assigns individual private IP addresses (which don’t get shared with the internet) to each device connected to it – for example, my laptop, mobile phone, and robotic vacuum. All my devices talk to other machines on the internet through that single public IP address supplied by my ISP.
In many ways, an IP address is a lot like an apartment address. If you live in a shared house or apartment, multiple individuals may share the same public address (123 Cherry Lane, Dublin, Ireland) with each individual having a private address (Apartment #1, #2, #3, etc.).
If you don’t share your public apartment address, it’s nearly impossible to invite a friend to visit, receive a delivery, or get your mail. But it’s still possible to share the public part of your apartment address, without necessarily sharing your private apartment number.
It’s a Mad Max World
With that out of the way, let’s discuss two recent decisions that I mentioned earlier, the first in Austria, and the second in Germany.
In August 2020, less than a month after the CJEU invalidated the EU-US Privacy Shield, Noyb filed 101 complaints with regulators in 30 EEA member states, challenging the use of Google Analytics and Facebook Connect by EU websites. The Austrian decision (DSB Austria - 2021-0.586.257 (D155.027)) is the first ruling in this line of complaints, but it’s unlikely to be the last.
The specific facts of the case concerned an Austrian health website’s use of Google Analytics for tracking user interactions on their site. While Google Analytics has some features that can mask IP addresses, the Austrian site had not configured these features, so it was sending IP addresses of its users directly to Google in the US.
In the second case (LG München: 3 O 17493/20 vom 20.01.2022), brought by an unidentified plaintiff, a Munich state court found that a website owner’s use of Google Fonts violated the plaintiff’s “general right of personality” and right of “informational self-determination” of their IP address under § 823 of the German Civil Code. Like the Austrian decision, the only personal data submitted to Google was the user’s IP address.
The two decisions share several elements. The first is that an IP address alone is personal data under Article 4(1) GDPR if anyone “by legally permissible means and reasonable effort” could identify a data subject, or even has the “abstract” possibility of doing so. The Austrian decision noted that this was in line with Recital 26 GDPR and general EDPB guidance.
This represents a shift from the earlier decision in Breyer, which held that the data controller itself, rather than anyone at all, needed a “legal means” to connect IP address information to other personal data.
The second point was that Google’s use of standard contractual clauses (SCCs) could not overcome the risk of US government surveillance, and thus did not provide an appropriate level of protection as required under Art. 44 GDPR. Both Austria and Germany reasoned that Google, as an electronic communications service provider (ECSP), would always be subject to US surveillance laws (DSB page 30, LG Munich Para 12).
Finally, both decisions take a decidedly privacy-absolutist view. Google, and by extension, the US government, will always have the means to identify a data subject. That the US government is highly unlikely to ever seek a user’s IP address based on their specific interaction with an EEA website’s analytics tooling or font library, is immaterial.
In fact, it’s reasonable to extend this argument further: Any IP address shared, for any reason, in any context, with any US entity subject to US surveillance laws likely also exposes personal data.
And the same holdings have since spread – on 10 February, 2022, CNIL issued a similar ruling barring a website operator from using Google Analytics.
It’s Not About Analytics or Fonts
Every time a website is accessed, an email is sent, or one machine talks with another, IP address information is shared and frequently stored – sometimes at many different points along the line.
If regulators and courts continue to go down this absolutist path, it means that any data exporter who shares an EU data subject’s IP address with any entity not based in the EEA (or the handful of countries deemed adequate by the EU), will run afoul of Schrems II and Chapter V GDPR.
It also means that the obligations laid out in Schrems II apply, including establishing technical and organizational measures, using standard contractual clauses, and conducting time-consuming and costly transfer impact assessments. By ignoring relative risk and expanding the field to include anyone with ‘legally permissible means,’ these decisions do nothing to protect data subjects, and simply give EEA controllers another headache.
Remember how I mentioned that IP addresses were a lot like apartment addresses? Imagine applying these decisions to a physical address. Say I (an Irish resident) want to buy a shirt.
I make the purchase on an Irish clothing site, which processes my order and sends my address information to FedEx to complete the shipment. Since US law interprets an ECSP very broadly, FedEx, as a US company, is almost certainly an ECSP, subject to the same surveillance laws that Google, Facebook, Amazon, and Microsoft are.
By the logic of the Austrian DSB and the Munich court, this data sharing should be just as unlawful as processing my IP address since FedEx, and by extension, the US government, can easily (and legally) identify me. I don’t think a single court or regulator would find this reasonable, if applied to physical addresses. But that’s exactly what’s happened to address information on the internet.
Crucially, neither decision actually addresses Europe’s primary grievances: the lack of adequate data protection controls in the US, and the unchecked power of data vampires like Google, Amazon and Facebook. These decisions don’t fix the US surveillance state. Nor do they rein in big tech. At most, these rulings target symptoms but not the disease.
As it stands, I see an uncertain future ahead. There are many that will continue praying for a political solution, which may come in some form, or not. Others may be inspired to fund and develop privacy-preserving technologies that can actually compete.
Right now, it’s trivial to implement a better solution than Google Analytics or Google Fonts, which is why these decisions aren’t receiving greater scrutiny, but this isn’t always the case.
There are no real alternatives to, say, AWS, Azure, GCP or IBM Cloud. Everything from hosting sites to payment gateways to security logging tools processes IP addresses, and most of the biggest players are global, not local.
That leads me to my greatest fear – a balkanized internet. Dozens of small, fragmented systems (EEANet, USANet, RussiaNet, ChinaNet), none of which are able to share data with the others because their regional laws are in endless conflict. Sure, it may be better in some sense from a privacy perspective, and will certainly make complying with the GDPR easier, but at what cost?
The options shouldn’t be an unworkable process or sharded, disconnected networks. We need something grounded in actual risk and the reality we live in, not privacy absolutism and ideals.
About The Author:
Carey Lening, CIPP-E, CIPP-US works for Castlebridge as a data protection and information security consultant. She has over 20 years of progressive experience assessing risks and enabling top-tier data security and data protection for industry leaders like Facebook, Palantir and numerous Fortune 500 companies.
Carey focuses on the legal and policy issues surrounding computer & data security and privacy law. She has written and lectured extensively on best practices in cybersecurity and data protection, with a particular interest in emerging threats, risk mitigation, and how to make sense of it all.