Update Data Protection No. 38
Online tracking - a potential pitfall resulting in fines?
Many companies use so-called tracking tools on their website to analyze the use of the website by their visitors, and possibly also to carry out advertising activities on the basis of user profiles created with the tracking tools. These tracking tools mainly use cookies, i.e. small files that can identify a user of a website and that are deposited on the respective user's computer.
Even in the past, the use of such cookies and tracking tools was the subject of much debate since, in the opinion of many, Germany has not fully and more importantly correctly implemented the so-called Cookie or E-Privacy Directive (Directive 2002/58/EC). As a result, website providers frequently asked themselves the question for example whether there was previously a need to obtain consent (opt-in) from the users in Germany, or whether it was sufficient to add information in the form of a so-called cookie banner, drawing the attention of the website user to the possibility of objecting to the tracking (opt-out).
For many companies, the lack of precision by the German lawmakers will now create additional uncertainties in terms of applying the General Data Protection Regulation ("GDPR") as from May 25, 2018: as the European lawmakers have not succeeded in replacing the E-Privacy Directive with the E-Privacy Regulation in time to take effect on May 25, 2018, major uncertainties exist in terms of whether Sections 12, 13 and 15 Telemedia Act (Telemediengesetz - TMG), previously applied to the use of tracking tools, will now be replaced by the GDPR or not. If they are replaced, the use of tracking mechanisms will have to be judged solely against the standards of the GDPR. The consequence can be - but need not necessarily be, that needs to be assessed from time to time - that companies require express consent for the use of cookies that are not necessary for the purpose of offering users the actual service of the website.
The opinion that tracking requires such express consent - which must satisfy the criteria of Art. 7 GDPR - is now supported by the German supervisory authorities in a position statement of the Conference of Independent Data Protection Authorities of the German Federation and Länder ("DSK") dated April 26, 2018. Specifically, the DSK assumes that the previous regulations of the TMG are replaced by the requirements of the GDPR. Consequently, Art. 6 (1) GDPR is the legal basis for processing of personal data in the online sector. However, the DSK is of the opinion that only consent can be considered as legal basis for the use of tracking mechanisms that make the internet conduct of users traceable and for creating user profiles.
For companies, this means that the use of tracking tools on their websites must be subjected to a thorough check. If tracking is not possible in anonymized form - this is typically not the case if the tracking is for the purpose of planning advertising campaigns - companies must check the specific form of tracking. Generally speaking, the argument that every form of tracking requires consent, as called for by the DSK, appears less than convincing. It is by all means also conceivable that, depending on the nature and scope of the tracking, other legal basis, most importantly Art. 6 (1) lit. f) GDPR, can be used. However, it must be noted that the supervisory authorities object to the use of the tracking tools in their position statement, and might therefore try to impose fines consent not being obtained. Because the question of directive-conform implementation of Directive 2002/58/EC in Germany remains unanswered, the substantial fines possible under the GDPR mean that companies must consider very carefully whether they wish to risk a dispute with the German supervisory authorities.
One can only hope that the European lawmakers will soon conclude the negotiations concerning the E-Privacy Regulation in order to remove this legal uncertainty.