A new law merging the German Telecommunications Act (TKG) as well as the German Telemedia Act (TMG) had been on the table for some time. This new “Telecommunications and Telemedia Data Protection Act” (TTDSG) has now been passed and will come into force in November. The law will not result in significant innovations for the online marketing sector – at least for the time being.
Primarily, the much-discussed new sec. 25 TTDSG implements art. 5(3) ePrivacy Directive, as amended back in 2009(!). Namely, the German Federal Court of Justice decided in the so-called “Planet49” judgment of May 2020 that the previous law, sec. 15(3) of the German Telemedia Act (TMG), incorrectly implemented art. 5(3) of the ePrivacy Directive (as we had reported in our newsletter).
Art. 5(3) ePrivacy Directive reads as follows (omissions for better readability):
“[T]he storing of information, or the gaining of access to information already stored, in the terminal equipment of a […] user is only allowed on condition that the […] user concerned has given his or her consent […]. This shall not prevent any technical storage or access […] as strictly necessary in order for the provider […] to provide the service.”
What’s new (or not)?
The consent requirement of art. 5(3) ePrivacy Directive is now (finally) correctly transposed into German law in sec. 25 TTDSG. The wording is largely identical (omissions for better readability):
“The storage of information in the end-user’s terminal equipment or access to information already stored in the terminal equipment is only permissible if the end-user […] has consented. […] Consent […] is not required […] if the storage of information […] or access to […] stored information is strictly necessary for the provider […] to provide a […] service expressly requested by the user.”
Practically relevant changes (compared to the legal situation before) do not result from this new law. This is because sec. 15(3) of the German Telemedia Act (TMG) has already been interpreted in a way that is compliant with the requirements of art. 5(3) of the ePrivacy Directive since the “Planet49” ruling. The new provision in sec. 25 TTDSG follows this spirit. In particular, it directly transposes the consent requirement from the ePrivacy Directive.
Legal uncertainties remain
The TTDSG also contains no innovations with regard to the extremely relevant exception in art. 5(3)(2) ePrivacy Directive, according to which consent is not required if the information is “strictly necessary” for the provider to provide the service in question. This is because the implementation of the exception in the new German law corresponds almost word-for-word with the Directive.
Therefore, it remains unclear when exactly processing user information is “strictly necessary” for providing a service (this applcation of the exception is being discussed for analytics services, but also for affiliate marketing). This very debate has already been going on since the amendment of the ePrivacy Directive back in 2009. The almost word-for-word implementation of the directive in the TTDSG misses the opportunity to ensure legal clarity in practice.
To clarify, please see the wording of the exeption below (with highlights and omissions for better readability):
|art. 5(3) ePrivacy Directive (2009)|
“The storage of information in the end-user’s terminal equipment or access to information already stored in the terminal equipment is only permissible if the end-user […] has consented, [except where] strictly necessary for the provider […] to provide a […] service expressly requested by the user.”
|sec. 25(2) TTDSG (2021)|
“Consent […] is not required […] if the storage of information in the end-user’s terminal equipment or the access to information already stored in the end-user’s terminal equipment is strictly necessary for the provider […] to provide a […] service requested by the user.”
It becomes clear that the German legislator simply wanted to correct the error pointed out by the ECJ, but in doing so failed to seize this opportunity to clarify the unclear wording of “strict necessity”. The explanatory memorandum of the government draft states (pp. 35 and 40 et seq., emphasis and omissions for better readability):
“Section 2 TTDSG […] closely follows the wording of article 5(3) of the E-Privacy Directive.”
While the law contains no material changes, It is hoped that more practical guidance will be issued by the German Data Protection Conference (DSK) in the near future, similar to the guidance issued by the supervisory authorities in the UK and in France.
Upcoming changes concerning the consent process
A notable innovation, on the other hand, could result from sec. 26 TTDSG. According to this rule, “services for the management of […] consents granted”, i.e. Consent Management Platform services (CMPs), can be recognised by an independent body if they meet certain requirements. Such recognition is intended to lead to increased legal certainty about the manner in which consent is obtained.
The law grants the German federal government the power to further specify the requirements in an ordinance. It is hoped that this will lead to increased legal clarity with regard to (un)lawful “nudging”. (Nudging is a term for interface designs that are intended to persuade website visitors to give their consent.) However, such a regulation is not expected until the beginning of 2022 at the earliest.
Dr. Lukas Mezger, UNVERZAGT Rechtsanwälte
Your Contact to ePrivacy: