Update Data Protection No. 83
Solution to the cookie chaos? – Planned overhaul of data protection regulations in the telemedia and telecommunications sector
In July, the German Federal Ministry for Economic Affairs and Energy (BMWi) compiled a draft law on data protection and the protection of privacy in the context of electronic communication and telemedia (the “Telecommunications and Telemedia Data Protection Act” [Telekommunikations-Telemedien-Datenschutz-Gesetz], “TTDSG”), which has not yet been officially published. Topics covered by the draft legislation include new regulations on the use of cookies, more far-reaching potential sanctions in the event of breaches of the provisions of the TTDSG, and amended regulations on the remits of the supervisory authorities.
Central provisions of the draft law
The aim of the draft law is to unite the data protection provisions concerning the telecommunications and telemedia sector that were previously spread across the German Telecommunications Act [Telekommunikationsgesetz] (“TKG”) and Telemedia Act [Telemediengesetz] (“TMG”) in one statute. An additional aim is to bring the statutory provisions of the TKG and TMG in line with technical developments and to resolve various legal ambiguities.
Individual substantive provisions of the new draft law will be considered in greater detail below:
Provisions on the use of cookies and similar technologies
“Recognizing” users on the Internet (tracking) is predicated on cookies and other data that are stored or scanned on a user’s end device. Various legal and regulatory disputes have long grappled with the question as to whether and to what extent this requires a declaration of consent and what requirements should apply to such consent. The applicability and interpretation of section 15 (3) TMG has been a particular issue in Germany: unlike the provisions in Art. 5 (3) ePrivacy Directive, this section did not require explicit consent for the use of cookies and similar technologies, but instead envisaged a solution based on an opt-out. Over recent months, the European Court of Justice (ECJ) and the German Federal Court (BGH) have both specified further conditions for the use of cookies, including requirements for effective consent and on the interpretation of section 15 (3) TMG (see Update Data Protection no. 76 and Update Data Protection no. 66).
Following on from that, section 9 of the draft TTDSG now seeks to clarify this legal position and at the same time aims to provide companies with new options for organizing the process. For instance, section 9 (1) TTDSG states that it should only be permissible for cookies to be placed or read on an end device if the user has been notified accordingly and given his or her consent. Notification and consent are intended to be governed by the requirements under GDPR (Art. 4 (11), Art. 7). Section 9 (3) TTDSG contains more specific information on notification and consent, particularly in the context of the use of telemedia: the service provider needs to notify the user which information is stored on the user’s end device for what purpose, for how long, and whether third parties are granted access to this information. In order to provide valid consent, the end user must further actively confirm the information by performing a given operation and then use the telemedium. The BMWi here reflects the provisions of Art. 5 (3) ePrivacy Directive and the case law of the ECJ.
Section 9 (2) TTDSG, on the other hand, provides a range of exceptions in which no consent to the placing or reading of cookies or similar technologies is required. Under section 9 (2) no. 1 TTDSG, no user consent is required if the cookie needs to be placed or read for technical reasons in order to send communications or provide a telemedium for use as requested by the end user. This also corresponds to the existing regulations in Art. 5 (3) ePrivacy Directive. Section 9 (2) TTDSG further covers other exceptional circumstances that go beyond the provisions in Art. 5 (3) ePrivacy Directive. For instance, under section 9 (2) no. 2, no consent is required if the end user has expressly agreed to the placement or reading of cookies on a contractual basis. This should be music to the ears of services that have contractual agreements in place with their users. Finally, no consent is required under section 9 (2) no. 3 TTDSG if the placement or reading of a cookie is necessary to satisfy a statutory obligation. In its explanatory statement, the draft law uses the example of smart meters that are subject to obligations under the German Operation of Measuring Stations Act (Messstellenbetriebsgesetz).
Section 9 (4) TTDSG is also worth highlighting here. This section deems consent to have been given as well if the user selects a corresponding setting in his or her browser or other application. According to the explanatory statement, the purpose of this is to ensure that small and mid-sized companies as well as start-ups are not disadvantaged against providers with greater market dominance. This would ultimately mean that the user no longer needs to grant his or her consent via a special cookie-consent banner, but can also actively do so via his or her personal browser settings.
Similar to section 15 (3) TMG and Art. 5 (3) ePrivacy Directive previously, the provision is technology-neutral, meaning that the process is not specific to “cookies” or other concrete methods, but rather that it focuses on the storage of information on end devices (e.g. computers, smartphones or smart TVs) or access to information that is already stored on the end devices. This is significant because e.g. tracking within smartphone apps is rarely done via cookies, but instead via “device IDs” or similar identifiers.
Data protection in the telecommunications field
The changes to existing data protection provisions in the telecommunications field are less spectacular. Here, the German lawmakers seemed to be chiefly concerned with ensuring that any regulations that can be implemented in Germany alongside the GDPR are as legally watertight as possible. The only room for maneuver available to German lawmakers is the implementation of the ePrivacy Directive given that the GDPR has primacy of application over national law in all other regards. The previous sections 91 et seq. TKG went beyond the ePrivacy Directive in a number of respects, meaning that it was unclear in many individual cases whether a specific provision of the TKG or a general provision of the GDPR had primacy of application. To that extent, it is to be hoped that the lawmakers can establish legal certainty.
Additionally, a provision that only came into its own a few years ago will be transposed from the old TKG to the new TTDSG, despite not strictly having anything to do with personal data: the ban on “spying devices”. Like its predecessor in section 90 TKG, which was essentially worded identically, the corresponding section 7 TTDSG is worded relatively broadly such that many networked smart devices that (also) feature a microphone and/or a camera risk being caught by the new law. The more “concealed” a camera or microphone is on a device, the more applicable section 7 TTDSG will be to that device. In the past, this fate befell, for instance, the talking doll “Cayla”, which required an integrated microphone – one example clearly showing that many manufacturers of smart devices will need to consider the new section 7 TTDSG.
Fines
The draft act carries over the familiar fines system from the GDPR (Art. 83 GDPR) into the TTDSG. For example, section 25 (3) no. 1 TTDSG states that breaches of the provisions under section 9 TTDSG will be covered by Art. 83 (4) GDPR. Accordingly, fines of up to EUR 10,000,000 or, in the case of a company, up to 2% of the total worldwide annual turnover of the previous financial year could be imposed in the case of a breach. This represents a significant departure from the relatively low penalties (up to just EUR 50,000) possible under the current TMG.
Remits of the supervisory authorities
The draft law also redefines the remits of the supervisory authorities. To date, the German Federal Commissioner for Data Protection and Freedom of Information (BfDI) and the German Federal Network Agency (BNetzA) had joint responsibility for data protection law in the telecommunications sector. Now the BfDI will have sole supervisory responsibility where personal data is processed in the telecommunications sector. The Commissioner will also be responsible for data protection in a telemedia context, which thus affects sections 9-12, 16 TTDSG and in particular consent regarding cookies. This is a relevant amendment for companies because previously it was the relevant commissioner of the individual federal states (Länder) who was responsible for telemedia. The BNetzA remains responsible for telecommunications-related aspects of the TTDSG that do not involve personal data (sections 4-8, 13-15, 19 TTDSG).
Evaluation and outlook
The proposed regulation changes should be largely welcomed given that they would centralize previously fragmented data protection regulations. Additionally, the draft law now contains a clear regulation on the use of cookies. At the same time, companies are being offered new (contractual) scope to avoid obtaining consent. However, this poses the question as to what extent the contractual scope can actually be used in practice and where the limits of permissibility should be drawn.
According to the current timetable, the new TTDSG is to take effect as early as December 21, 2020. That is an ambitious schedule given that before then, the German lawmakers still need to implement Directive 2018/1972 on the European Electronic Communications Code, to which the TTDSG is linked according to the draft law. It therefore remains to be seen whether the lawmakers will be able to complete this implementation this year. It is also worth noting that the draft law may still be subject to further amendments. As such, it is worth keeping an eye on ongoing developments around the TTDSG. At the same time, developments in connection with the ePrivacy Regulation, which is still at the planning stage and is intended to supersede the previous ePrivacy Directive in future, should be monitored at European level. This would in turn replace the new provisions of the TTDSG.