Tracking according to the ePrivacy Directive and German law
Tracking according to the ePrivacy Directive and German law
There has been some support for the GDPR, the German Federal Data Protection Act (BDSG) and the now no longer applicable German Telemedia Act (TMG) continuing to apply in parallel for the transitional period before the (now failed) ePrivacy Regulation applies. Although Article 95 GDPR expressly governs the relationship with the existing Directive on Privacy and Electronic Communications (2002/58/EC) and leaves its provisions unaffected, there is considerable legal uncertainty as to how the laws interact with each other. As a result, different views were expressed regarding the legality of website tracking, for example. These ranged from a need for consent to the view that it is enough to provide an objection option (section 15 (3) German Telemedia Act (TMG)).
With regard to the legal situation in Germany, there was disagreement as to whether the provisions in sections 11 ff. German Telemedia Act (TMG) relating to online tracking constitute an implementation of the Directive on Privacy and Electronic Communications and therefore continue to apply alongside the GDPR, or whether the GDPR was solely applicable from 25 May 2018.
The Conference of Independent Data Protection Authorities of the German Federal Government and the Federal States published opinions on this matter in April 2018 and in March 2019 (links only available in German). Its view is that the provisions of sections 11 ff. German Telemedia Act (TMG) ceased to be applicable when the GDPR came into effect. This meant that compliance of online tracking had to be judged solely in terms of the GDPR. With regard to tracking mechanisms, in particular for advertising purposes, the authorities take the view that these mechanisms require the consent of the data subjects as set out in Article 6 (1) (a) and Article 7 GDPR.
Since the CJEU ruling of 1 October 2019 (Planet49 – Case C-673/17) in particular, it would be difficult to argue otherwise and support the applicability of sections 11 ff. German Telemedia Act (TMG). The CJEU has also ruled that agreement in the sense of active consent by the user is required for the setting of cookies that are not technically essential for use, in particular with regard to cookies used for advertising purposes. Pre-ticked boxes or similar methods are not sufficient. The CJEU thus rejected the view that providing an objection option is all that is needed in the case of cookies for advertising purposes (section 15 (3) German Telemedia Act (TMG)). In its ruling of 28 May 2020 (Cookie-Einwilligung II – I ZR 7/16 (only available in German)) the German Federal Court of Justice (BGH), which had referred this question in these proceedings to the CJEU for a preliminary ruling, followed the case law of the CJEU and ruled that section 15 (3) German Telemedia Act (TMG) had to be construed in conformity with the Directive in such a way that active consent was required, whereas a box checked by default was not sufficient.
The German Telemedia Act (TMG) has now ceased to apply on account of the German Digital Services Act (DDG) (only available in German). In addition, other laws will be amended by the consolidated law such that the term "telemedia" is changed to "digital services".
The German Telecommunications Digital Services Data Protection Act (TDDDG) (only available in German) is relevant at a federal level for the setting of cookies. The TDDDG (originally called the German Telecommunications-Telemedia Data Protection Act (TTDSG) until 14 May 2024) received the approval of the German Federal Council (Bundesrat) on 28 May 2021 (only available in German) and entered into force on 1 December 2021.
For the storage of information on a user's terminal device, i.e. the use of cookies and similar storage methods, such as local storage, section 25 (1) German Telecommunications-Digital Services Data Protection Act (TDDDG) requires the user's prior consent based on clear and comprehensive information. The requirements for this information and consent are based on the GDPR. There is an exception according to section 25 (2) German Telecommunications Digital Services Data Protection Act (TDDDG) where it is not necessary to obtain consent if the sole purpose of the setting of cookies is to carry out the transmission of a message via a public telecommunications network or if the setting of cookies is absolutely essential for the provider of a digital service to provide a digital service expressly requested by the user. Storing or accessing information in violation of section 25 (1) German Telecommunications-Digital Services Data Protection Act (TDDDG) may, according to section 28 (1) no. 13, (2) German Telecommunications-Digital Services Data Protection Act (TDDDG), result in a fine of up to EUR 300,000.
For independent services to manage consent (Personal Information Management Services, PIMS), section 26 German Telecommunications-Digital Services Data Protection Act (TDDDG) also provides for the possibility of recognition, among other things, to the effect that they fulfil both the technical and organisational legal requirements of the GDPR. Thus, the use of personal information management services that enable user-friendly and competitive procedures for consenting to the processing of traffic and location data or to the storage of information on terminal equipment and to the access to information already stored on terminal equipment is to be encouraged. The Federal Government is responsible for defining the precise requirements, including the end user settings, by means of a statutory instrument, referred to as the consent management ordinance ("EinwVO", only available in German).
Local market knowledge. Global outlook
We provide future-facing legal advice to help your organisation thrive. Combining local market knowledge and a global perspective, and with lawyers in locations worldwide, your organisation benefits from the expertise it needs, even across borders.
About CMS