The new Telecommunications Telemedia Data Protection Act (TTDSG) (link in German) is the result of a clean-up campaign in German data protection law. The TTDSG, which became effective 1 December 2021, merges the data protection regulations in telemedia and telecommunications law that were previously scattered across a wide array of German laws. Among other things, the TTDSG regulates the protection of confidentiality and privacy when using internet-ready terminal infrastructure such as websites, messenger services, or smart home devices. To this end, the data protection provisions of the Telemedia Act (TMG) and the Telecommunications Act (TKG) are repealed and combined in the new TTDSG. Furthermore, the TTDSG regulates the responsibilities of the Federal Network Agency and the Federal Commissioner for Data Protection and Freedom of Information (BfDI). For website and app operators, however, the TTDSG does not impose any new obligations. Rather, the TTDSG provides them with clarification and more legal certainty when processing (personal) data, e.g. in connection with cookies.
New regulations for cookies and cookie banners?
Public discourse has focused on Section 25 of the TTDSG, which provision regulates the storage and use of information on so-called “users' terminal infrastructure”, including cookies. First, the good news: Provided that website operators have already implemented the requirements developed by the European Court of Justice (ECJ) with regard to Art. 5 para. 3 of the ePrivacy Directive, Section 25 TTDSG does not bring any new obligations relating to the use of cookies. This is because the provision merely codifies what the ECJ already established in 2019 in its so-called "Planet49" decision: The use of non-mandatory cookies on a website requires consent from the end user in accordance with Art. 5 para. 3 of the ePrivacy Directive. Accordingly, Section 25 TTDSG now states that the end user’s valid consent must be obtained when using cookies and similar technical tools that are not necessary for the operation of the website. For this purpose, the consent must meet the requirements of the GDPR, i.e. it must be freely given, specific, informed, unambiguous, explicit and revocable at any time. No consent is required for technically necessary cookies or cookies used exclusively for the transmission of messages via a public telecommunications network. A violation of the consent requirement of Section 25 para. 1 TTDSG may result in a fine of up to EUR 300,000.
In addition, Section 26 TTDSG sets standards for services that administer end user consent, so-called "Personal Information Management Services" (PIMS) or single sign-on solutions. This applies to services that are intended to enable end users to make their own decision on consenting to or refusing cookies. Section 26 TTDSG provides that such services require to be certified by an independent body. However, no such services are yet on the market.
Extended scope: Internet of Things
Increasingly popular among consumers are products that can be connected to the Internet, e.g. connected cars and smart living. While the ePrivacy Directive does not generally cover the entire structure behind the Internet-of-Things (IoT), the TTDSG does: Section 25 regulates the storage of information in "terminal infrastructures". In contrast to the "terminal equipment" of the ePrivacy Directive, the infrastructure that connects the IoT devices and which is usually stored in the cloud, is now also covered (and not only the IoT hardware itself).
Further regulations
- Section 4 TTDSG introduces rights of heirs of telecommunications users and thus creates practicable regulations: In the event of death, electronic communications such as emails etc. are to be made accessible to the heirs.
- The regulations on location data are consolidated in one place (Section 13 TTDSG).
- The extensive Sections 22 to 24 TTDSG newly regulate information rights in relation to inventory and usage data and implement the requirements from the decision of the Federal Constitutional Court of 27. Mai 2020 (1 BvR 1873/13, 1 BvR 2618/13 - Inventory Data Information II), which also declared Section 113 TKG unconstitutional.
- Section 9 TTDSG regulates the rights to process (including certain obligations to delete) traffic data. It corresponds to the previous provision in Section 96 TKG.
Outlook
The German Data Protection Conference (DSK) recently published a new guidance document (link in German) for telemedia providers on the application of the TTDSG. Among other things, the guidance deals with when and how consent must be obtained in accordance with Section 25 TTDSG, and replaces the existing DSK guidance document of 2019 on telemedia and Art. 5 para 3 ePrivacy Directive (OH Telemedien 2019). At the same time, the European Commission continues to work on a European ePrivacy Regulation, which would, for example, replace Section 25 of the TTDSG again (but would not come into force for at least two years).
About Greenberg Traurig: Greenberg Traurig, LLP (GT) has approximately 2300 attorneys in 40 locations in the United States, Latin America, Europe, Asia, and the Middle East. GT has been recognized for its philanthropic giving, diversity, and innovation, and is consistently among the largest firms in the U.S. on the Law360 400 and among the Top 20 on the Am Law Global 100. The firm is net carbon neutral with respect to its office energy usage and Mansfield Rule 4.0 Plus Certified. Web: www.gtlaw.com