I understand your argument and I agree that all of this is excessive and maybe spiraling out of control. However the core of the case is "I'm German, that web site is Danish, my personal data have no reason to be in the reach of the US government." By the way, Germany and Denmark share a land border. I think it's difficult to argue that even with the cloud it's not easy to explain why to access a Danish university from Germany one couldn't use an EU only set of technology providers. Of course using Akamai (a well known company) is easier than researching, assessing and using some relatively unknown European solution. I'm European, I'd have to Google (ironically) for one.
The university is German, their website is therefore "German". They just use a "cookie consent tool" by a Danish company, which in turn processes data using Akamai's infrastructure.
I find it problematic that the university requires any cookie consent whatsoever in the first place. They are a public institution (Körperschaft des öffentlichen Rechts), not even a "company" but state-owned, and they run basically a static website and shouldn't have a need for cookies. Any "member" area (students and faculty) would require an account anyway, where you can and have to ask for all kinds of consent during signup anyway.
I get the Danish company doesn't want to run a CDN (with DDoS mitigations and all that) on their own, and it's a real problem that the EU economy snoozed when it came to creating competitors to Akamai, Cloudflare, AWS/GCP/Azure. There is a sliver of hope that court decisions like this will create a "demand" for such platforms within the EU, and that finally some companies with some "investment" money to spare (we still have plenty "rich" companies) will fund that. Or maybe at least the US providers will find way to create EU "subsidiaries" which are actually legally shielded from US (and other non-EU) law.
> I find it problematic that the university requires any cookie consent whatsoever in the first place.
Totally right, and also
> If someone else is okay with the data transfer, he can opt-in if he wants to. I should not carry the burden of having to opt-out of it.
so much this. If something is spiraling out of hands it is the cookie usage, which is 99% AD tracking.
The current law is badly implemented, or lead to bad implementation. Now almost every site asking your for their necessary or "helping" cookies, most often using dark patterns to trick you into just accepting all - and because you get this stupid cookie prompt on every page now, everybody just wants to click it away as fast as possible, which misses the target totally, too :(
Still, its not data protection spiraling out of hand, but that basically every site, even ones where I don't login to or want to drop off any other data, but just fetch a small information, wants to set cookies is ridiculous. We all should have never accepted that, but too late?
The case is about a German public university, owned by and located in the state of Hessia, that uses a Danish service provider to manage cookies on their website, which in turn uses Akamai. That by the way is the reason this whole thing is tried at the administrative court - the defendant is the state itself.
