Pursuant to a press release of April 8, 2014, the Hamburg data protection authority (the “Hamburg DPA”) essentially upheld its order of September 2014, in which it found that certain of Google’s data processing operations explained in its 2012 privacy policy violated German data protection law. More specifically, the Hamburg DPA established that Google’s practice of combining personal data across all its services to create “meaningful and nearly comprehensive” personality profiles, without users’ express, informed and valid consent and without allowing users to effectively exercise their right to object, was in breach of several provisions of German law. Consequently, the Hamburg DPA ordered Google to implement several measures that would enable users to better control the use of their personal data and the combination of data for profiling purposes. The order set out various processing operations, including the combination of data across different services and of different types of data, for which Google must obtain consent. The order also specified the point in time when such consent should be obtained (e.g., prior to registration) and how it should be obtained, i.e., essentially after prior specific notice, through affirmative action, and with the possibility to revoke consent at any time. Moreover, Google had to implement a number of measures to ensure respect for the right to object. The Hamburg DPA did not impose a fine on Google, but set a deadline within which to comply, subject to a monetary penalty in case of failure to comply.
Google challenged the order by means of an administrative appeal, which had suspensive effect. Today, the Hamburg DPA rejected the appeal after several months of deliberation and upheld the order, subject only to slight modifications.
The case is noteworthy for several reasons:
- The Hamburg DPA held that the US company Google Inc was subject to German data protection law, applying the criteria established by the Court of Justice of the EU with respect to the applicable law rules in its famous Google Spain ruling (for a summary of that ruling, see here).
- The Hamburg DPA’s order is an example of the increased efforts of European data protection authorities to show their teeth and to enforce data protection law against non-EU companies.
- The Hamburg DPA’s order sets rather high standards (specific affirmative consent) for various data combination scenarios which, if applied broadly, could have repercussions for the use of big data analytics.
It is now up to Google to implement the Hamburg DPA order or to bring the case before the administrative court, which it can do within a one-month period. Pursuant to the press release, Google has apparently signaled that it intends to make substantial changes to its services to meet the data protection law requirements and reportedly presented its plans at the end of March to the Google Task Force set up by the Article 29 Working Party. It remains to be seen whether this is really the end of the Google saga in Germany.