by Camille Vermosen, Alexander Altman, and Jami Mills Vibbert
On December 1, 2021, a Wiesbaden Administrative Court in Germany held that companies may not use a cookie management provider that relies on a US-based service to collect personal data, regardless of whether data leaves the European Economic Area (EEA), without an adequate transfer mechanism. Article 44 of the General Data Protection Regulation (GDPR) prohibits “transfers” of personal data from the EEA to another jurisdiction unless a specific transfer mechanism (set forth in Articles 45 through 48) is in place or a derogation from the prohibition (Article 49) applies. The ruling here assumes that a cross-border “transfer” subject to Article 44 occurs—even if data never actually leaves the EEA—if the recipient of data may formally be subject to data production requests by non-EEA authorities. This reasoning, if adopted outside of the cookie context and by other courts and data protection authorities, could effectively prohibit US-based companies from processing personal data in the EEA without ensuring appropriate transfer mechanisms and additional safeguards are in place.