Telecommunications

German Telecommunications and Telemedia Data Protection Act

The new Telecommunications and Telemedia Data Protection Act (TTDSG) (link in German) is the result of a campaign to clean up German data protection law. The TTDSG, which entered into force on December 1, 2021, merges data protection regulations in telemedia and telecommunications law that were previously scattered across a wide range of German laws. Among other things, the TTDSG regulates the protection of confidentiality and privacy when using Internet-ready terminal infrastructures such as websites, email services or smart home devices. To this end, the data protection provisions of the Telemedia Act (TMG) and the Telecommunications Act (TKG) are repealed and combined in the new TTDSG. In addition, the TTDSG regulates the responsibilities of the Federal Network Agency and the Federal Commissioner for Data Protection and Freedom of Information (BfDI). For website and app operators, however, the TTDSG does not impose any new obligations. On the contrary, the TTDSG provides them with clarification and greater legal certainty when processing (personal) data, for example in connection with cookies.

New regulations for cookies and cookie banners?

Public discourse has focused on Article 25 of the TTDSG, the provision of which regulates the storage and use of information on the so-called “user terminal infrastructure”, including cookies. First of all, the good news: provided that the website operators have already implemented the requirements drawn up by the European Court of Justice (ECJ) with regard to Art. 5 par. 3 of the ePrivacy Directive, section 25 TTDSG does not introduce any new obligations relating to the use of cookies. Indeed, the provision only codifies what the CJEU had already established in 2019 in its so-called “Planet49” decision: The use of non-mandatory cookies on a website requires the consent of the end user in accordance with art. . 5 par. 3 of the ePrivacy Directive. Accordingly, Article 25 TTDSG now stipulates that valid end-user consent must be obtained when using cookies and similar technical tools that are not necessary for the operation of the website. To this end, the consent must meet the requirements of the GDPR, i.e. it must be freely given, specific, informed, unambiguous, explicit and revocable at any time. No consent is required for technically necessary cookies or cookies used exclusively for the transmission of messages via a public telecommunications network. A violation of the consent requirement of Article 25 para. 1 TTDSG can result in a fine of up to EUR 300,000.

In addition, Section 26 TTDSG establishes standards for services that administer end-user consent, known as “Personal Information Management Services” (PIMS) or single sign-on solutions. This applies to services intended to allow end users to make their own decision to accept or decline cookies. Article 26 TTDSG provides that these services must be certified by an independent body. However, no such service is yet on the market.

Extended Scope: Internet of Things

Products that can be connected to the Internet, such as connected cars and smart life, are increasingly popular with consumers. Although the ePrivacy Directive generally does not cover the entire structure behind the Internet of Things (IoT), the TTDSG does: Article 25 regulates the storage of information in “terminal infrastructures”. Unlike the “terminal equipment” of the ePrivacy Directive, the infrastructure that connects IoT devices and which is usually stored in the cloud is now also covered (and not just the IoT hardware itself).

Other regulations

  • Section 4 TTDSG introduces the rights of heirs of telecommunications users and thus creates practical regulations: In the event of death, electronic communications such as e-mails, etc. must be made accessible to heirs.

  • Location data regulations are consolidated in one place (Article 13 TTDSG).

  • Extended Articles 22 to 24 of the TTDSG again regulate the information rights regarding inventory and usage data and implement the requirements of the decision of the Federal Constitutional Court of 27 May 2020 (1 BvR 1873/13 , 1 BvR 2618/13 – Inventory Data Information II), which also declared Section 113 TKG unconstitutional.

  • Section 9 TTDSG regulates processing rights (including certain deletion obligations) of traffic data. It corresponds to the former provision of § 96 TKG.

Outlook

The German Data Protection Conference (DSK) has recently published a new guidance document (link in German) for telemedia providers on the TTDSG app. Among other things, the guidance addresses when and how consent should be obtained in accordance with Section 25 TTDSG, and replaces the existing DSK Guidance Document from 2019 on Telemedia and Art. 5 para 3 ePrivacy Directive (OH Telemedien 2019). At the same time, the European Commission continues to work on a European ePrivacy regulation, which would for example replace section 25 of the TTDSG again (but would not come into force for at least two years).

©2022 Greenberg Traurig, LLP. All rights reserved. National Law Review, Volume XII, Number 6