Google challenged the order by means of an administrative appeal, which had suspensive effect. Today, the Hamburg DPA rejected the appeal after several months of deliberation and upheld the order, just subject to slight modifications.
The case is noteworthy for several reasons:
- The Hamburg DPA held that the US company Google Inc was subject to German data protection law, applying the criteria established by the Court of Justice of the EU with respect to the applicable law rules in its famous Google Spain ruling (for a summary of that ruling, see here).
- The Hamburg DPA’s order is an example for the increased efforts of European data protection authorities to show their teeth and to enforce data protection law against non-EU companies.
- The Hamburg DPA’s order sets rather high standards (specific affirmative consent) for various data combination scenarios which, if applied broadly, could have repercussions for the use of big data analytics.
It is now in the hands of Google to implement the Hamburg DPA order or to bring the case before the administrative court which it can do within a one month period. Pursuant to the press release, Google has apparently signaled that it intends to make substantial changes to its services to meet the data protection law requirements and reportedly presented its plans at the end of March to the Google Task Force set up by the Article 29 Working Party. It remains to be seen whether this is really the end of the Google saga in Germany.