The German Federal Cabinet adopted the Telecommunications and Telemedia Data Protection Act (Telekommunikation-Telemedien-Datenschutzgesetz – TTDSG, available here) on February 10, 2021. The TTDSG, among other things, provides new rules on cookies and similar technologies (Cookies), introducing only two categories of Cookies: (1) strictly necessary Cookies and (2) consent-based Cookies. The legal basis of legitimate interests cannot be relied upon for Cookies anymore. Germany will be the last member state to transpose Article 5(3) of the Directive 2002/58/EC, amended by Directive 2009/136/EC (ePrivacy Directive) into national law – almost a decade after the deadline passed, and ignoring the extensive discussions on the Cookie provisions in the ePrivacy Regulation (and particularly the exceptions from the consent requirement).
New rule on Cookies
Section 24 of the TTSDG states that Cookies can be used only if the user has consented. The requirements for how to obtain consent and inform users under GDPR shall be complied with. There are two exceptions from the Cookie consent requirement which are identical to Article 5(3) of the ePrivacy Directive:
- The sole purpose of the Cookie is facilitating the transmission of a communication over a public telecommunications network; or
- The Cookie is strictly necessary in order to provide a telemedia service explicitly requested by the user.
A few comments on Section 24 of the TTDSG:
- There are only two Cookie categories under the TTDSG: (1) Cookies that require consent; and (2) Cookies that are strictly necessary. The legal basis of legitimate interests (Article 6(1)(f) GDPR) cannot be used anymore.
- The TTDSG does not further define the scope of strictly necessary Cookies. Thus, the use cases provided by the Article 29 Working Party in WP194 (for example shopping cart, user authentication, security or multimedia player session Cookies) will likely continue to apply. It is not clear how Cookies that are not strictly necessary, but where consent is simply not a feasible legal basis, shall be used. This is the case, in particular, for affiliate marketing Cookies with the purpose of enabling payment of a commission from an advertiser to a publisher. Further, the TTDSG also does not include exceptions from the Cookie consent requirement that Article 8(1) of the ePrivacy Regulation Council Draft (available here) includes, such as audience measurement, fraud prevention or software updates.
- The scope of Section 24 of the TTDSG is very broad and covers not only Cookies, but the “storage of information of the terminal equipment of an end user.” The German government highlights that Section 24 TTDSG will cover not only communications via phone or internet, but many goods in the internet of things, in particular regarding smart home.
- The new TTDSG shall apply for organizations that have an establishment in Germany, provide services or contribute to the provision of services (Section 1(3) of the TTDSG). The TTDSG does not set forth the requirements for the “provision of services” in Germany. A broad interpretation would mean that the TTDSG would apply to every website that is available in Germany. Further, it is not clear which cases shall be covered by “contributing to the provision of services”, for example, if this also covers data processors.
- Section 26 (2) of the TTDSG provides that the maximum fine for a violation of Section 24 TTDSG is EUR 300,000. This amount is clearly a lot smaller than the maximum fines provided under GDPR. A previous draft of the TTDSG dated July 14, 2020, envisaged a EUR 10 million maximum fine for violations of Cookie provisions (under Article 83(4) GDPR), but this provision was deleted.
Other provisions in the TTDSG
In addition to the provision regarding Cookies, the TTDSG includes other new rules on:
- The rights of inheritors against providers of telecommunication services (Section 3 of the TTDSG – the aim of this provision is not really clear after the German Supreme Court decided on July 12, 2018 – Case III ZR 183/17, that inheritors may claim access to social media accounts of the deceased);
- Obligations regarding technical and organizational measures of providers of telemedia services, in particular options to always discontinue the use of a service or to use the service anonymously or with pseudonym and notification obligation if the user is transferred to the service of another provider of telemedia services (Section 19 of the TTDSG – these rules already exist in the current Section 13 of the Telemedia Act)
- Access to general contractual data processed by providers of telemedia services for the purposes of IP infringement and violations of the Network Enforcement Act (Section 21 of the TTDSG); and
- Access to general contractual data and usage data for law enforcement purposes (Section 22 of the TTDSG).
- In addition, the German government is currently planning to update the seizure proceedings provided in the German Criminal Procedure Act (available here). Under the new Section 95a StPO the information of suspects regarding seizure of objects in third-party custody (in particular data stored in emails, social media accounts or clouds) can be delayed by up to 6 months if the investigation would be significantly hampered otherwise.
The TTDSG still has to be properly adopted by the German parliament. The timing is still surprising. The German Federal Cabinet adopted the TTDSG on the same day that the Council of the European Union agreed on its mandate of the ePrivacy Regulation after four years of negotiation and will now enter into the trilogue negotiations. Maybe the German legislator has doubts about whether the ePrivacy Regulation will actually pass the trilogue negotiations. This parallel legislation process of the TTDSG and the ePrivacy Regulation will clearly not make compliance easier for organizations, in particular as the ePrivacy Regulation Council Draft leaves more room for exceptions from the Cookie consent requirement. Organizations that are active in Germany should get ready for the new TTDSG which does not include a grace period.