Retail and Consumer GoodsIT Law and Data Protection11.03.2021 Newsletter
New Telecommunications-Telemedia Data Protection Act: Important changes for website operators
On 10 February 2021, the Federal Cabinet agreed on a joint draft of the German Telecommunications-Telemedia Data Protection Act [Telekommunikation-Telemedien-Datenschutzgesetz, TTDSG-RegE]. The planned Act, which is to be passed shortly (the first reading in the Bundestag took place on 25 March 2021), will adapt data protection provisions from the German Telecommunications Act [Telekommunikationsgesetz, TKG] and the German Telemedia Act [Telemediengesetz, TMG] to the requirements of the General Data Protection Regulation (DSGVO) as well as implement essential parts of Directive 2002/58/EC (ePrivacy Directive).
Of particular practical relevance is § 24 TTDSG-RegE, which, with a delay of almost 10 years, transposes the "cookie provision" of Art. 5 (3) ePrivacy Directive into national law almost word-for-word. The provision finally clarifies what was already apparent from the case law of the Federal Court of Justice: website operators must obtain active and informed consent from each visitor if their website uses cookies or similar tracking tools that are not technically necessary for the website’s operation.
Germany about 10 years behind schedule
At EU level, the requirement has already existed since 2009 that the use of cookies or similar tracking technologies is fundamentally only permissible with the express consent of the end user, which results from Art. 5 (3) of the ePrivacy Directive. The German legislator was actually supposed to have transposed the provision into German law by May 2011. However, § 15 (3) sentence 1 TMG, with which the legislator intended to implement at least parts of Art. 5 (3) ePrivacy Directive, stipulates that telemedia providers may create usage profiles for marketing purposes if the respective user of the telemedia offer does not object tothis. Such usage profiles are regularly created using cookies.
The Federal Court of Justice nevertheless ruled in its decision "Cookie consent II" that § 15 (3) sentence 1 TMG was to be interpreted (ultimately contrary to its wording) in conformity with the Directive to the effect that providers of telemedia had to obtain express consent before triggering the storage of cookies on the end-device of the respective user (FCJ, judgement of 28 May 2020 - I ZR 7/16 margin Nos. 54, 55).
Setting of cookies only permissible with informed and active consent
The Federal Government now wishes to resolve this confused legal situation with the aid of § 24 TTDSG-RegE. The provision corresponds almost word-for-word to Art. 5 (3) ePrivacy Directive. §§ 11 et seqq. TMG (and thus also § 15 (3) sentence 1 TMG) are simultaneously to be repealed.
In this case, what already applied previously via the detour of an interpretation of § 15 (3) sentence 1 TMG in conformity with the Directive will then result directly from the TTDSG: telemedia providers will have to obtain consent (unless an exception applies) before they trigger the storage of cookie files on the end-devices of end-users or read data stored on end-devices. The latter is regularly the case with tracking technologies such as so-called fingerprinting.
Exceptions apply to cookies that are strictly necessary for the functioning of a website called up by the website visitor, based on the reasonable expectations of the average user. This may include, for example, cookies that are necessary to operate a consent management tool or cookies that enable the shopping cart function in an online shop.
If consent is required, this must be actively given by the website visitor in accordance with the relevant regulations of the GDPR (in particular Art. 7 GDPR). It is therefore not sufficient for website operators to imply a user’s tacit consent in such user’s "continued use" of their site despite a reference to the use of cookies. As a rule, consent has to be obtained, for example by the user actively clicking on an appropriately labelled button. In the context of the respective banner/window in which the button is integrated, the use and functionality of cookies must be explained in clear and understandable language, whereby reference can be made to a more detailed policy or the website data protection information for further details. Only to the extent that and as soon as active informed consent has been given may storage on the user's end-device be triggered. In order to ensure the voluntary nature of the consent, it must be possible to use the website without consenting to cookies that are not strictly necessary.
Increased punishment through fines is expected
Website operators who violate the principles described need to take urgent action. Otherwise, there is a risk of fines and cautions from competitors.
It is true that the German supervisory authorities - probably because of the unclear legal situation in Germany for many years - have been reluctant to punish infringements in connection with cookies to date. However, following the announcement of the aforementioned FCJ ruling, they already made public at the end of 2020 a transnational data protection review on tracking technologies on websites of newspaper publishers. We expect that the supervisory authorities will noticeably intensify their sanctions practice once the TTDSG comes into force.
Pursuant to § 26 (1) No. 13 in conjunction with (2) TTDSG-RegE, fines of up to €300,000 may be imposed for violations of § 24 TTDSG-RegE. For the unlawful processing of personal data of website visitors following the storage of a cookie on the respective end-device or the reading of data stored there, the rules of the GDPR are applicable, which means that significantly higher fines can be imposed (cf. Art. 83 (4), (5) GDPR).
In addition, in practice more and more website operators are being cautioned by competitors on the basis of § 3a German Unfair Competition Act [Gesetz gegen den unlauteren Wettbewerb, UWG]. Although the extent to which data protection rules can be regarded as market conduct rules within the meaning of the provision is fiercely disputed, a number of the courts of instance have now affirmed the ability to issue cautions.
European follow-up provisions are taking shape
Even once the above-mentioned principles have been implemented, website operators should keep a close eye on the development of the legal situation at EU level.
Firstly, the long-planned ePrivacy Regulation has cleared an important hurdle. The Council of the EU agreed (on the same day as the Federal Cabinet on the TTDSG) on a text that now forms the basis for the trilogue negotiations between the Council, the Parliament and the Commission of the EU. According to the original plans, the Regulation was supposed to enter into force at the same time as the GDPR and replace the ePrivacy Directive. However, the EU member states wrangled for years over individual articles, with the prerequisites for the use of tracking technologies being one of the topics of dispute.
The recently published draft contains essential amendments to Art. 5 (3) ePrivacy Directive and § 24 TTDSG-RegE. In particular, it should be possible under certain conditions to make access to a website dependent on the consent to cookies that are not necessary for further purposes (so-called cookie wall), for example if, as an alternative, paid access without such cookies remains possible (recital (20aaaa) of the draft). The German supervisory authorities, in particular the Federal Commissioner for Data Protection and Freedom of Information [Bundesbeauftragte für Datenschutz und Informationsfreiheit, BfDI], have strongly opposed this development. It remains to be seen when and in what form the ePrivacy Regulation will ultimately enter into force.
Finally, an important issue is the proposed Data Governance Act, which is also currently available in draft form. Art. 9 of the draft provides for a notification procedure for providers of so-called Personal Information Management Systems (PIMS). In particular, PIMS allow users to give informed consent to the processing of usage data by means of cookies once for a number of specific cases (e.g. for a specific type of cookie). This could permanently change the current procedure, i.e. the constant request for website visitors to provide a declaration of consent, in the future and also make a technical adjustment by website operators necessary.
Practical recommendations
The entry into force of the TTDSG does not change much for website operators at first glance. Ever since the aforementioned ruling of the Federal Court of Justice, it was clear that the use of cookies that were not technically necessary required the explicit and informed consent of the website visitor. However, the supervisory authorities had refrained from imposing numerous fines under the rules of the TMG, possibly because of the unclear legal situation. This grace period will doubtlessly end at the latest when the TTDSG comes into force. Website operators should therefore urgently check whether - depending on the specific use of cookies/tracking tools - consent is necessary and whether this is effectively obtained. In addition, website operators should keep a close eye on the legislative procedures planned at EU level, which could bring about lasting changes to the modalities for obtaining consent.