Germany: The New Federal Act on the Regulation of Data Protection and Privacy in Telecommunications and Telemedia
The Federal Act on the Regulation of Data Protection and Privacy in Telecommunications and Telemedia ('TTDSG') will enter into force on 1 December 2021. The TTDSG centralises the previously separately-regulated Telemedia Act 2007 and Telecommunications Act 1996 into one law. Dr. Carlo Piltz, Salary Partner at reuschlaw Legal Consultants, provides his insight on the scope of the TTDSG, how the TTDSG implements the ePrivacy Directive, as well as information on enforcement of the TTDSG.
The TTDSG is considered to be the result of the reaction to the Federal Court of Justice's ('Bundesgerichtshof') decision on the validity of consent for placing cookies on users' end devices when pre-ticked checkboxes were used as part of an online lottery in 2013 ('the Cookie Case'). This decision was delivered taking into account the Court of Justice of the European Union's ('CJEU') ruling in the case of Planet49 GmbH v. Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband e.V. (C-673/17), which was triggered by questions submitted by the Bundesgerichtshof for this exact case. In its judgment, the Bundesgerichtshof found, among other things, that the German legislator did not transfer the amendments made to Article 5(3) of the Directive on Privacy and Electronic Communications (Directive 2002/58/EC) ('the ePrivacy Directive') into German law.
Scope of the TTDSG
The TTDSG will apply to the processing of personal and non-personal data. Besides ensuring the right to data protection, the law aims to protect privacy in accordance with the ePrivacy Directive, which covers personal and non-personal data. It is therefore self-explanatory why the TTDSG also covers non-personal data.
The geographic scope of the TTDSG seems remarkably wide. Section 1(3) of the TTDSG regulates the following:
"All companies and persons who have an establishment or provide or participate in the provision of services or make goods available on the market within the scope of this Act are subject to this Act".
For the TTDSG to apply, it is already sufficient that a company has an establishment in Germany. It is not necessary that this establishment is somehow actively involved in processing activities that, for example, include tracking with the help of cookies. The mere existence of an establishment in Germany is sufficient for the TTDSG to apply to a company. This is a very broad scope of application and even goes beyond Article 3(1) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), which at least requires that data processing is carried out 'in the context of the activities of an establishment of a controller or processor in the Union'.
However, having an establishment is only one of three different possible criteria triggering the applicability of the TTDSG. It is also sufficient if a company 'participates in the provision of services' that are provided in Germany. This reminds the reader of the provision of Article 3(2) of the GDPR, which establishes a market location principle, which was intended by the German legislator according to the legislative explanatory note for the TTDSG. However, it remains unclear how high or low the bar for 'participating' in the provision of a service is. To be able to assess if a company is in scope of the TTDSG, it will also have to look at services the company does not provide itself but in which it is only involved in some way.
In practice, this means that a company from India that participates in the provision of services that are provided in Germany is subject to the provisions of the TTDSG. Besides the fact that it is unclear in what kind of cases a company 'participates' in the provision of a service, there is no obligation in the TTDSG that is similar to Article 27 of the GDPR (designation of a representative) and that could ensure that the competent supervisory authority could enforce the TTDSG in countries outside Germany. When it comes to the criterion 'making available goods on the market' the question arises what 'making available' means compared to 'providing' goods in the market. Overall, it seems as if the German legislator did not think through how the immense scope could work effectively in practice.
Implementation of the ePrivacy Directive
However, the legislator did not use its chance to further define in the TTDSG in which cases it is 'strictly necessary' to store data on a user's device or to gain access to data stored on a user's device for the provision of an information society service explicitly requested by a subscriber or user. Therefore, Section 25 of the TTDSG does not give companies more legal certainty in practice. The main question remains, 'what is strictly necessary?', and the new German law does not provide any answers to this question or other hints companies could make use of. In this context, the legislative explanatory note states that there needs to be an assessment on a case-by-case basis. Unfortunately, Section 25 of the TTDSG does not introduce the other legal bases known from Article 6(1) of the GDPR. The TTDSG only differentiates between consent and 'strictly necessary' without referring, for example, to a contractual relationship or a legal obligation, which is of course in line with Article 5(3) of the ePrivacy Directive.
Section 25(1) of the TTDSG regulates that information to be provided to users and consent to be gained from users must both be done in accordance with the provisions of the GDPR. As the legislative explanatory note shows, however, the question of the lawfulness of the subsequent use of personal data obtained and processed in this way is subject to the requirements of data protection law, i.e. in particular the GDPR (which leads to different supervisory authorities being competent as explained further below).
One general topic that has been and will continue to be discussed a lot is the interplay between the TTDSG (as a law implementing the ePrivacy Directive into German law) and the GDPR (as the law applicable directly to any processing of personal data). Article 95 of the GDPR regulates that the GDPR does not impose additional obligations for companies as long as specific obligations arising out of the ePrivacy Directive have 'the same objective'. At least when it comes to subsequent processing of personal data, the GDPR will have to apply as its objectives are much broader and different compared to the ones of the ePrivacy Directive.
Enforcement of the TTDSG
Germany has (at least) one data protection supervisory authority per state and one Federal Commissioner for Data Protection and Freedom of Information ('BfDI'). When it comes to supervisory powers regarding compliance of companies with the provisions of the TTDSG, the competent authority is the BfDI, but only for providers of telecommunications services or federal public agencies. In all other respects, either the relevant data protection supervisory authorities in the federal states or other authorities (according to their specifications) remain competent.
As mentioned before, enforcement of the provisions of the TTDSG is quite unclear when it comes to companies located outside of Germany. This, however, does not only apply to the examples previously provided on the Hawaiian and Indian companies, but also to companies located in other Member States of the EU. There is a lack of cooperation and consistency mechanisms for cases in which service providers provide their services from or in several Member States. This lack is caused by missing provisions in the ePrivacy Directive. Nevertheless, it will be interesting to see how the competent German authorities will enforce the TTDSG in cross-border cases.
Dr. Carlo Piltz, Salary Partner
reuschlaw Legal Consultants, Berlin