It was already foreseeable that as a consequence of the decisions of the European Court of Justice and the German Federal Court of Justice in the “Planet 49” case (judgment of 28 May 2020, case no. I ZR 7/16), the supervisory authorities would become active in the field of tracking and cookies. Now that time has come: eleven German data protection authorities are taking joint action against major media enterprises (specifically, the supervisory authorities in Baden-Württemberg, Brandenburg, Bremen, Hamburg, Hesse, Lower Saxony, North Rhine-Westphalia, Rhineland-Palatinate, Saxony, Saxony-Anhalt and Schleswig-Holstein). An initial announcement is LfDI Baden-Württemberg’s press release of 19 August.
The supervisory authorities have sent a formal request for information with a comprehensive questionnaire to selected publishers with the widest reach in their area of competence, which the publishers must reply to within a fairly short period of a few weeks.
Both the questionnaire and the accompanying explanations and cover letters have now been published at fragdenstaat.de:
- questionnaire (11 pages)
- explanations (3 pages)
- spreadsheets with examples
- corresponding cover letters from Rhineland-Palatinate and Baden-Württemberg
- note from Rhineland-Palatinate about which publishers were contacted in the state.
There are indications that this will only be the first step for the supervisory authorities. They seem to assume that “the problem with cookies” is particularly pronounced in the media industry, which is why this industry is a good starting point for their own regulatory efforts. It is to be expected that after the conclusion of the procedure, the focus will also shift towards other industries.
Until then, the question arises as to what knowledge can be gained from this procedure for the use of tracking technologies.
What can you learn from the letters?
We start with the letters from the authorities (we currently have versions from Rhineland-Palatinate and Baden-Württemberg). The first thing that stands out here is that these – unlike the questionnaire and the accompanying documents – were not coordinated among the authorities and differ. Not only the wording is different, but also the legal content of the letters.
Both the authorities from Baden-Württemberg and Rhineland-Palatinate state that the use of tracking technologies requires the general consent of the user. However, the legal justification is different. For example, the LfDI Baden-Württemberg only refers to the “Orientierungshilfe Telemedien”, which the supervisory authorities had published last spring and which says:
“The Conference of the Independent Data Protection Authorities of the Federal Government and the Länder (DSK) has set out in various publications what data protection requirements apply to the use of services which serve to create user profiles, particularly for advertising purposes. These were explained in detail, in particular in the March 2019 guidance for telemedia providers (https://www.datenschutzkonferenzonline.de/media/oh/20190405_oh_tmg.pdf). For example, the integration of third-party service providers which trace the behaviour of users on the Internet as well as the creation of user profiles on websites are generally only permitted if the users have expressly consented to them”.
The letter from the LfDI Rhineland-Palatinate seems somewhat more on point. Although it initially deals with the outdated orientation guide, it then turns around and at least mentions the BGH’s ruling. However, the discussion of the judgment is not very differentiated. The general statement reads as follows: “Although the BGH declares sec. 15(3) TMG to be applicable, the result remains the same as in the guideline: ‘Consent is required for cookies’.”
Although the LfDI Rhineland-Palatinate, in its rather apodictic tone, puts the BGH ruling on a par with the “Orientierungshilfe Telemedien” in terms of its scope and consequences, controllers should not immediately take this at face value. The BGH ruling is currently the subject of very controversial discussion among privacy professionals. It is far from clear whether and how the (short) statements of the BGH on sec. 15(3) TMG are to be understood.
With regard to the competence of the supervisory authorities in particular, the applicability of sec. 15(3) TMG, as decided by the BGH, causes many difficulties, because it is anything but clear that the data protection authorities are responsible for both supervision and the imposition of fines in this matter.
Against this background, it seems courageous that the supervisory authorities are taking such a comprehensive approach to the issue of tracking and cookies in this still rather unclear overall situation, apparently without having a sophisticated legal argumentation at hand.
What does the questionnaire reveal?
The eleven-page questionnaire contains a number of questions, many of which were expected, but the level of detail is surprising.
The next section of the questionnaire deals with the way consent is obtained. Interestingly, the question of how the user can withdraw consent is extremely detailed (changing cookie settings on the website, email, contact form, through the website of the third-party service provider, browser settings, other). Apparently, the authorities want to know whether controllers also gave conceptual thought to consent withdrawal when they introduced a tool for obtaining consent.
After dealing with consent, the questionnaire addresses the other important legal basis, namely art. 6(1)(f) GDPR (legitimate interests). Here, controllers must be prepared to present a documented balancing of interests. Somewhat surprisingly, the authorities also specifically ask about the use of the website by minors in this context. Many controllers will have to find explanations here as to why their service is not directed at under-16-year-olds and how they effectively exclude their use.
There is another interesting section in the questionnaire on Data Protection Impact Assessments (DPIA). The authorities want to know whether controllers using tracking services have carried out such DPIAs. These are usually very comprehensive assessments of the risks of data processing. The authorities demand a justification if a DPIA has not been carried out. However, it is not entirely clear whether this shows that the authorities generally consider such an impact assessment on tracking to be necessary.
What’s in the additional explanations?
Together with the questionnaire, the authorities are also sending explanations to media companies. The section on the voluntary nature of consent is particularly noteworthy. It says:
“In principle, this requires that the user is given a genuine choice, i.e. that he or she can refuse to provide the data or that a comparable alternative is available. Options such as “Understood”, “All clear”, “Yes and continue” or “Agreed” do not normally correspond to consent”.
This reference is particularly interesting for the design of Consent Management Platforms (CMPs). There is an ongoing debate as to whether users only have a “free choice” if they are given the options “Yes / No” in the CMP, or whether designs such as “Yes / advanced settings” are also legally compliant.
Here, the passage quoted above at least allows the assumption that the supervisory authorities also consider design options other than a clear “Yes / No” to be legitimate: it requires only that a “rejection or comparable alternative” be available for selection, and such designs can possibly be regarded as a “comparable alternative”.
Nevertheless, controllers that are not yet affected by the action of the authorities but still operate tracking services on their platforms should take this as an opportunity to take action. Important to-dos for businesses are the following:
- In any case, you should carry out a comprehensive review of your own tracking services. The questionnaire presented here can serve as a guide. Clarify for yourself whether you could answer the questions raised there without further problems. As a rule, this is not possible without the help of third-party providers. If you are missing information from third party providers for services used, approach them now and try to obtain the necessary information.
- Clarify your legal basis. Do you rely on consent or do you operate on the basis of legitimate interests?
- If you are working with consent, it is of central importance that it is obtained lawfully and that the user has an effective possibility to withdraw it.
- If you invoke legitimate interests, you should have detailed documentation of the balancing of interests on file. Don’t play for time here: once such a request for information from the authority arrives, it is difficult to produce the relevant documentation “on the fly” due to the short deadlines.
Written on 3 September 2020 by Dr. Frank Eickmeier, UNVERZAGT Rechtsanwälte