Peter Hense
Dresden Regional Court on Google Analytics [1]
Irrespective of the GDPR, claims for injunctive relief against the disclosure of personal data can also be based on German tort law according to a decision of the Regional Court of Dresden.[2] The unauthorised disclosure of the plaintiff’s personal data by the defendant constitutes a violation of the plaintiff’s general individual right to privacy, in particular the right to “informational self-determination”. Unless the plaintiff has actively consented, no valid consent exists. Visiting a website cannot in itself be regarded as the (implied) granting of consent. The fact that the plaintiff visits a website that uses Google Analytics without “anonymizeIp” cannot be construed as improper conduct on the part of the plaintiff which, according to Section 242 BGB (German Civil Code), would preclude him from exercising his rights. This conduct is legitimised by the general freedom of information.[3] High requirements must be placed on the presumption of improper conduct of proceedings. There is no improper interest on the part of the plaintiff with regard to obtaining a fee, as the plaintiff initially contacted the defendant privately by email without claiming any costs.
1 The facts of the case
The subject of the proceedings before Dresden Regional Court was a claim for injunctive relief against unauthorised data processing by the defendant.
The plaintiff is a natural person and alleges that his rights were infringed when he visited the defendant’s website. The website used Google Analytics in the source code and transmitted his personal data – in particular the IP address – to Google (US), as third party, without his consent. The defendant did not use the “anonymizeIp” feature to mask the visitor’s IP address in Google Analytics. The plaintiff seeks injunctive relief in respect of the conduct complained of, information as to the extent of the data processing, and reimbursement of pre-litigation legal fees.
The Dresden Regional Court fully upheld the action and ordered the defendant, among other things, to cease and desist and to provide the information requested.
2 The reasons
The court considers a claim based on tort law in connection with the plaintiff’s general individual right to privacy to be justified. The scope of protection of the general individual right to privacy also extends to personal data, which generally even includes dynamic IP addresses. In the absence of a legal basis, and especially in the absence of the plaintiff’s consent, the court also found that the defendant unlawfully disclosed that data to Google and thereby illegally infringed the plaintiff’s general individual right to privacy.
There was no improper conduct on the part of the plaintiff. Deliberately visiting websites that use Google Analytics without “anonymizeIp” was not in itself objectionable. In the opinion of the court, it is not the responsibility of the plaintiff to take technical precautions (VPN, private browsing mode, ad blocker, Tor, etc.) in order to protect himself against potential infringements of the right to privacy.
3.1 Data protection law does not end with the GDPR
The court solves the case at the level of German tort law, which despite centuries of tradition proves its flexibility and long-term viability even in the age of invasive information technologies.
The court readily assumes that the IP address transmitted to Google can be classified as the plaintiff’s personal data. When it comes to legal defence, for tactical reasons it is advisable that anyone who receives such a warning dispute this classification. In view of the circumstances (the sending of cease-and-desist letters, albeit “free” ones, on a huge scale), there is nothing to say that the plaintiff is necessarily able to furnish proof of this classification of the IP address as personal data, and thus proof of his or her capacity to bring an action, in compliance with the procedural obligation to tell the truth.[4]
3.2 “AnonymizeIp” is not all it’s cracked up to be
The very term “anonymisation”, used by Google itself ad nauseam, is misleading. In the best case, masking the final octet of IP addresses for users of Google Analytics results in a weak form of pseudonymisation – one that is thus worthless under the GDPR.[5] It certainly does not result in anonymisation within the meaning of the GDPR. This can only exist if any personal relation is objectively eliminated.[6] In addition, the processing operation which effects pseudonymisation is carried out by a third party, namely Google itself. Thanks to the chosen parameterization and the shared technical resources, Google and the website operator act as joint controllers in the sense of Art. 26 GDPR for the entire processing operation.
3.3 Indispensability of informed consent when using Google Analytics
Considered objectively, it is not possible to use Google Analytics in a manner compliant with data protection law without informed consent under the GDPR. Accordingly, privacy experts have a lot of work to do. Consultants should focus primarily on the liability risk when designing consent forms or consent management systems, taking into account how the various layers of information are designed. Given the complexity of the processing operations, informed consent seems difficult to achieve. A look at the list of the other processors behind Google Analytics and Google Ads – considered as they are as (joint?) controllers under the GDPR – raises more questions than it does answers when it comes to compliance with the principles of good faith and transparency. The sheer volume of recipients of personal data is an unpleasant prospect, especially considering all the potential data information and erasure requests from data subjects. Challenges also remain, however, with the unresolved problems of age verification in cases subject to Art. 8 GDPR, which is intended to exclude illegal data processing in the event of the invalid consent of minors, but also the further processing of analysis data in Google’s numerous AI projects. From an attacker’s point of view, Google Analytics is a gift, as this case proves. Last but not least, Art. 5(2) GDPR will ensure a few long faces in judicial practice, because a decision based on the burden of proof is also an efficient way for courts to arrive at a judgment.
3.4 Possible damages
Claims for damages were not the subject of the proceedings. However, these could be asserted under Art. 82(1) GDPR for material and non-material damages. There is currently no fail-safe basis for calculating the amount of such damages, let alone any reliable court decision. However, when assessing non-material damages, consideration must in any case be given to a) the type of data, whereby illegal processing of sensitive data in accordance with Art. 9 GDPR should be given significantly more weight than that of ordinary data; b) the personal loss of control that occurs when data is passed on to unknown persons and third parties; and c) the abstractly heightened risk to privacy as well as to private and family life that may go hand in hand with processing by large data aggregators such as Google. In the case of material damages, the actual costs of investigating the facts of the case and prosecution, including the costs of technical experts and lawyers, must be reimbursed to an appropriate extent. This is clear from an analysis of the causality that gives rise to liability: In any event, the costs incurred by a data subject in eliminating an information deficit (damages) caused by the fault of the controller constitute the minimum damages which can be liquidated. In addition to claims under the GDPR, the claimant is also assisted by competing claims under national law, including claims under tort law and quasi-contractual claims based on negotiorum gestio, which also cover further voluntary expenses of the data subject in the interest of the injuring party, which is objectified by the legal system.
4 Practical implications
In the light of these observations, the operative provisions of this judgment are, however, technically and legally contradictory. As noted, the “anonymizeIp” feature does not prevent the plaintiff’s personal data from being transmitted to Google. An action that is directed against a transfer of data without consent but accepts “anonymizeIp” as an (unsuitable) means of anonymisation is already inherently inconclusive.
Plaintiffs and defendants alike can make use of the arguments published by the High Administrative Court (VGH) in Munich on 26 September 2018 on the issue of legally compliant anonymisation.[7] In that case, the court ruled quite rightly that, when email addresses are “hashed” – i.e. converted from personal data into a new string of characters, or “hash value” – it follows that there can be no anonymisation if it is the recipient of the email address who triggers this processing operation.
In addition, Germany’s Data Protection Conference (DSK) takes the view that, in the present case, to comply with the GDPR, informed consent pursuant to Art. 6(1) sentence 1(a) GDPR is required – especially because, after balancing the parties’ interests in the case of opaque third-party tracking, the application of Art. 6(1) sentence 1(f) GDPR does not constitute a valid legal basis.[8]
[1] Dresden Regional Court, 1a O 1582/18, 11 January 2019
[2] Section 823(1) in conjunction with Section 1004 of the German Civil Code (BGB) (by analogy)
[3] Art. 5(1) GG (Grundgesetz, German Constitution)
[4] Section 138(1) of the Code of Civil Procedure (ZPO)
[5] See LG Frankfurt/Main, judgment of 18 February 2014, ref.: 3-10 O 86/12, Piwik; and the DSK’s guidance from regulatory authorities for telemedia providers (Orientierungshilfe der Aufsichtsbehörden für Anbieter von Telemedien) of March 2019, p. 15
[6] See Recital 26 GDPR
[7] High Administrative Court (VGH) in Munich, 5 CS 18.1157, 26 September 2018
[8] See the DSK’s guidance from regulatory authorities for telemedia providers (Orientierungshilfe der Aufsichtsbehörden für Anbieter von Telemedien) of March 2019, pp. 11 ff.