It was already foreseeable that as a consequence of the decisions of the European Court of Justice and the German Federal Court of Justice in the “Planet 49” case (judgment of 28 May 2020, case no. I ZR 7/16), the supervisory authorities would become active in the field of tracking and cookies. Now that time has come: eleven German data protection authorities are taking joint action against major media enterprises (specifically, the supervisory authorities in Baden-Württemberg, Brandenburg, Bremen, Hamburg, Hesse, Lower Saxony, North Rhine-Westphalia, Rhineland-Palatinate, Saxony, Saxony-Anhalt and Schleswig-Holstein). An initial announcement is LfDI Baden-Württemberg’s press release of 19 August.
The supervisory authorities have sent a formal request for information with a comprehensive questionnaire to selected publishers with the widest reach in their area of competence, which the publishers must reply to within a fairly short period of a few weeks.
Both the questionnaire and the accompanying explanations and cover letters have now been published at fragdenstaat.de:
- questionnaire (11 pages)
- explanations (3 pages)
- spreadsheets with examples
- corresponding cover letters from Rhineland-Palatinate and Baden-Württemberg
- note from Rhineland-Palatinate about which publishers were contacted in the state.
There are indications that this will only be the first step for the supervisory authorities. They seem to assume that “the problem with cookies” is particularly pronounced in the media industry, which is why this industry is a good starting point for their own regulatory efforts. It is to be expected that after the conclusion of the procedure, the focus will also shift towards other industries.
Until then, the question arises as to what knowledge can be gained from this procedure for the use of tracking technologies.
What can you learn from the letters?
We start with the letters from the authorities (we currently have versions from Rhineland-Palatinate and Baden-Württemberg). The first thing that stands out here is that these – unlike the questionnaire and the accompanying documents – were not coordinated among the authorities and differ. Not only the wording is different, but also the legal content of the letters.
Both the authorities from Baden-Württemberg and Rhineland-Palatinate state that the use of tracking technologies requires the general consent of the user. However, the legal justification is different. For example, the LfDI Baden-Württemberg only refers to the “Orientierungshilfe Telemedien“, which the supervisory authorities had published last spring and which says:
“The Conference of the Independent Data Protection Authorities of the Federal Government and the Länder (DSK) has set out in various publications what data protection requirements apply to the use of services which serve to create user profiles, particularly for advertising purposes. These were explained in detail, in particular in the March 2019 guidance for telemedia providers (https://www.datenschutzkonferenzonline.de/media/oh/20190405_oh_tmg.pdf). For example, the integration of third-party service providers which trace the behaviour of users on the Internet as well as the creation of user profiles on websites are generally only permitted if the users have expressly consented to them”.
This is questionable insofar as the explanations in the above-mentioned guidance were written long before the ECJ and BGH rulings in the “Planet 49” case (important for the use of cookies) and are virtually useless after these rulings because they are based on the assumption that an interpretation of sec. 15(3)(1) of the German Telemedia Act in conformity with the Directive is not possible and the standard is therefore not applicable (Orientierungshilfe Telemedien, pp. 2-6). Instead, the guidance deals extensively with the application of the legal basis of legitimate interests (art. 6(1)(f) GDPR). However, a recourse to the legal bases of the GDPR is not possible within the scope of sec. 15(3)(1) of the German Telemedia Act, which the BGH has applied to cookies. In short, the legal statements of the LfDI Baden-Württemberg lag worryingly behind the legal developments of the past year. It is almost as if the whole project had already been initiated before the milestone ruling of the BGH and, despite the ruling, was not adapted.
The letter from the LfDI Rhineland-Palatinate seems somewhat more on point. Although it initially deals with the outdated orientation guide, it then turns around and at least mentions the BGH’s ruling. However, the discussion of the judgment is not very differentiated. The general statement reads as follows: “Although the BGH declares sec. 15(3) TMG to be applicable, the result remains the same as in the guideline: “Consent is required for cookies”.
Although the LfDI Rineland-Palatinate in its rather apodictic tone puts the BGH ruling on a par with the ”Orientierungshilfe Telemedien” in terms of its scope and consequences, controllers should not immediately take this at face value. The BGH ruling is currently the subject of very controversial discussion among privacy professionals. It is far from clear whether and how the (short) statements of the BGH on sec. 15(3) TMG are to be understood.
With regard to the competence of the supervisory authorities in particular, the applicability of sec. 15(3) TMG, as decided by the BGH, causes many difficulties, because it is anything but clear that the data protection authorities are responsible for both supervision and the imposition of fines in this matter.
Against this background, it seems courageous that the supervisory authorities are taking such a comprehensive approach to the issue of tracking and cookies in this still rather unclear overall situation, apparently without having a sophisticated legal argumentation at hand.
What does the questionnaire reveal?
The eleven-page questionnaire contains a number of questions, many of which were expected, but the level of detail is surprising.
The questionnaire is divided into six sections. It starts with taking stock. Website operators must specify the services they use and the data they process. This is already a very detailed process: not only does the questionnaire have to be completed, but the services must also be listed in the attached spreadsheets with many technical details. Many controllers are likely to encounter difficulties in doing so. On top of that, the questionnaire also shows that the authorities are obviously not only considering the use of cookies, but that all tracking technologies (such as web storage, flash objects, fingerprinting, tracking via TLS SessionIDs, TLS Session Tickets) are covered by the test. This is also not entirely obvious, as the BGH has so far only clarified that the use of cookies falls under sec. 15(3) TMG. The situation regarding other technologies has not yet been clarified in court. In addition to naming all tracking technologies, the respective legal bases must also be stated along with explanations.
The next section of the questionnaire deals with the way consent is obtained. The interesting part: Especially the question of how the user can withdraw consent is extremely detailed (changing cookie settings on the website, email, contact form, through the website of the third party service provider, browser settings, other). Apparently, the authorities want to know whether controllers have also given conceptual thought to consent withdrawal once they introduced a tool for obtaining consent.
After consent has been given, the questionnaire addresses the other important legal basis, namely art. 6(1)(f) GDPR (legitimate interests). Here, controllers must prepare themselves to be able to present a documented balancing of interests. Somewhat surprisingly, the authorities also specifically ask about the use of the website by minors in this context. Many controllers will have to find explanations here as to why their service is not directed at under 16 year-olds and how they effectively exclude their use.
There is another interesting section in the questionnaire on Data Protection Impact Assessments (DPIA). The authorities want to know whether controllers using tracking services have carried out such DPIAs. These are usually very comprehensive assessments of the risks of data processing. The authorities demand a justification if a DPIA has not been carried out. However, it is not entirely clear whether this shows that the authorities generally consider such an impact assessment on tracking to be necessary.
What’s in the additional explanations?
Together with the questionnaire, the authorities are also sending explanations to media companies. The section on the voluntary nature of consent is particularly noteworthy. It says:
“In principle, this requires that the user is given a genuine choice, i.e. that he or she can refuse to provide the data or that a comparable alternative is available. Options such as “Understood”, “All clear”, “Yes and continue” or “Agreed” do not normally correspond to consent”.
This reference is particularly interesting for the design of Consent Management Platforms (CMPs). There is an ongoing debate as to whether users only have a “free choice” if they are given the options “Yes / No” in the CMP, or whether designs such as “Yes / advanced settings” are also legally compliant.
Here, the passage quoted above at least allows the assumption that the supervisory authorities also consider other design options other than a clear “Yes / No” to be legitimate, since this means that a “rejection or comparable alternative” must be available for selection and such designs can possibly be regarded as a “comparable alternative”.
Conclusion
With this joint initiative, the German regulators are giving rise to the debate on the correct use of cookies and tracking technologies. It should be welcomed that the authorities have the initiative to clarify the legal framework for the use of cookies and tracking technologies. However, the legal positions taken in the letters from the authorities seem as if the legal situation has not really been thought through properly following the BGH ruling in the “Planet 49” case. Rather, it seems like a rather crude attempt to push through the DSK’s old legal opinion at all costs, even under the application of sec. 15(3) TMG. The fact that the questionnaire is all the more detailed on this questionable legal basis seems almost ironic.
Nevertheless, controllers that are not yet affected by the action of the authorities but still operate tracking services on their platforms should take this as an opportunity to take action. important to-dos for businesses are the following:
- In any case, you should carry out a comprehensive review of your own tracking services. The questionnaire presented here can serve as a guide. Clarify for yourself whether you could answer the questions raised there without further problems. As a rule, this is not possible without the help of third-party providers. If you are missing information from third party providers for services used, approach them now and try to obtain the necessary information.
- Clarify your legal basis. Do you rely on consent or do you operate on the basis of legitimate interests?
- If you are working with consent, it is of central importance that it is obtained lawfully and that the user has an effective possibility to withdraw it.
- If you invoke legitimate interests, you should have detailed documentation of the balancing of interests in the drawer. Don’t play for time here: Once such a request for information from the authority arrives, it is difficult to produce the relevant documentation “on the fly” due to the short deadlines.
Written on 3 September 2020 by Dr. Frank Eickmeier, UNVERZAGT Rechtsanwälte