On 26 April 2018, the Conference of German Data Protection Authorities (German DPAs) released a highly criticised position paper on the applicability of the German Telemedia Act (TMA) after 25 May 2018 (Position Paper, available in German here). The Position Paper clearly states that tracking and profiling cookies now require informed prior opt-in consent.

Position Paper

Web tracking is governed by the General Data Protection Regulation (GDPR) as well as the ePrivacy Directive. The ePrivacy Directive is currently being revised. A new ePrivacy Regulation was supposed to enter into force in tandem with the GDPR on 25 May 2018, but it is delayed and we do not expect it to enter into force before the end of 2019. The German legislator has not updated the TMA due to the upcoming ePrivacy Regulation.

The Position Paper outlines the German DPAs’ view on the relationship between the GDPR and the TMA and its consequences for the use of cookies. The Position Paper states that the GDPR shall take precedence unless national law prevails because of an opening clause or conflict of law rule. Article 95 of the GDPR is such a conflict of law rule. It provides that the GDPR shall not impose additional obligations regarding processing data in connection with the provision of publicly available electronic communications services in public communication networks in relation to matters for which they are subject to specific obligations with the same objective set out in the ePrivacy Directive. However, the German DPAs explain that Article 95 of the GDPR does not apply with regard to the provisions in the TMA that govern tracking and reach measurement.

Next, the Position Paper notes that the use of cookies requires a legal justification under the GDPR, in particular in Article 6(1) GDPR, and then differentiates between:

  • Strictly necessary cookies may be justified by Article 6(1)(b) of the GDPR (performance of a contract) or Article 6(1)(f) of the GDPR (legitimate interests); and
  • Tracking and profiling cookies require informed prior opt-in consent (Article 6(1)(a) of the GDPR). Cookies may not be dropped before such consent has been obtained.

Implementation of the requirements set out by the German DPAs

In order to implement the requirements set out in the Position Paper, organisations would have to use cookies as follows:

  • Only strictly necessary cookies can be dropped when a user visits a website. Other tracking and profiling cookies cannot be dropped immediately when a user visits a website.
  • Opt-in consent must be obtained on a website, for example, by using a cookie banner that includes an “Accept” button. Only after the user clicks the “Accept” button can tracking and profiling cookies be dropped.
  • The user must be able to get information about how cookies are used on a website, for example, in a cookie policy.
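One way to enforce the first two requirements in site code, as an added example that is not from the Position Paper or the original article. The cookie names, their categories and the `createConsentGate` helper are hypothetical; the Position Paper does not define which cookies count as tracking and profiling, so the registry below is an assumption each site has to fill in for itself.

```javascript
// Added example. Cookie names and their categories are hypothetical assumptions.
const NECESSARY = "necessary";
const TRACKING = "tracking";

// Constructed registry: every cookie the site may set is declared with a category.
const REGISTRY = new Map([
  ["session_id", NECESSARY],
  ["csrf_token", NECESSARY],
  ["analytics_uid", TRACKING],
  ["ad_profile", TRACKING],
]);

// writeCookie is injected so the gate can be exercised outside a browser.
function createConsentGate(writeCookie) {
  let consented = false; // opt-in: no consent until the user acts
  const pending = [];    // tracking cookies requested before consent, held in memory only

  function setCookie(name, value) {
    const category = REGISTRY.get(name);
    if (category === undefined) return "rejected"; // undeclared cookies are never set
    if (category === NECESSARY || consented) {
      writeCookie(name, value);
      return "set";
    }
    pending.push([name, value]);
    return "deferred";
  }

  // Wire this to the click handler of the banner's "Accept" button.
  function accept() {
    consented = true;
    while (pending.length > 0) writeCookie(...pending.shift());
  }

  return { setCookie, accept, hasConsent: () => consented };
}

// Constructed visit: two cookies requested on page load, then the user accepts.
function simulateVisit() {
  const jar = {}; // stands in for document.cookie
  const gate = createConsentGate((name, value) => { jar[name] = value; });
  const onLoad = [gate.setCookie("session_id", "s1"), gate.setCookie("analytics_uid", "u1")];
  const jarBeforeAccept = Object.keys(jar);
  gate.accept();
  return { onLoad, jarBeforeAccept, jarAfterAccept: Object.keys(jar) };
}
```

In a browser, the injected writer would assign to `document.cookie`, and third-party tags that set their own cookies would have to be loaded only after `accept()` has run.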

Criticism of the Position Paper

The Position Paper has received a great deal of criticism. For example, Bitkom, the Association for Information Technology, Telecommunications and New Media, has released an opinion (available here) and states that the Position Paper merely sets out a politically desired result. It is incomprehensible why the TMA will no longer apply and why the Position Paper only takes consent into consideration as a legal basis for tracking and profiling cookies.

In its analysis of the Position Paper (available here), the German Advertising Association is critical that the German DPAs require consent for all tracking and profiling cookies in an undifferentiated and abstract manner. Instead, the German Advertising Association suggests that legitimate interest might also be a legal basis, taking into consideration the categories of personal data, technologies used, technical and organisational security measures, purposes of processing, use cases, pseudonymisation of data and transparency for each specific cookie.

Reaction to the Position Paper by other supervisory authorities and organisations

Other supervisory authorities have not yet provided (updated) guidance on the legal justifications for the use of cookies. The Information Commissioner’s Office, the UK data protection authority, for example, has implemented an opt-out solution on its own website, together with a cookie tool.

Not many organisations have yet implemented the guidance set out in the Position Paper, possibly because of the short time since its publication and the many concerns and criticisms that have been raised about it. Opt-out consent still seems to be the best practice that most organisations apply.

Comment

The intention of the German DPAs in publishing the Position Paper less than a month before the GDPR date and the reason for acting as a “substitute legislator” are not really clear. We also understand that it was not a unanimous decision by the German DPAs to issue the Position Paper.

The Position Paper is vague in many parts. The German DPAs only provide brief legal reasoning for their views. While they state that tracking and profiling cookies require opt-in consent and do not provide room for a case-by-case analysis, the German DPAs do not define tracking and profiling cookies. They also do not provide any guidance on how consent may be obtained. However, the time for cookie banners stating “By continuing to surf on our website, you accept the use of cookies” will be over.

Further, this Position Paper will force the German view to be applied on an international level. Organisations will likely not provide different solutions on their websites for German users and for users from other countries.

The German DPAs have now reacted to the criticism of many stakeholders and started a consultation with stakeholders on the implementation of the Position Paper (see the German DPAs’ press release here). The consultation period will end on 29 June 2018.