The TTDSG is considered to be the result of the reaction to the Federal Court of Justice's ('Bundesgerichtshof') decision on the validity of consent for placing cookies on users' end devices when pre-ticked checkboxes were used as part of an online lottery in 2013¹ ('the Cookie Case'). This decision was delivered taking into account the Court of Justice of the European Union's ('CJEU') ruling in case of Planet49 GmbH v. Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband e.V. (C-673/17), which was triggered by questions submitted by the Bundesgerichtshof for this exact case. In its judgment, the Bundesgerichtshof found, among other things, that the German legislator did not transfer the amendments made to Article 5(3) of Directive on Privacy and Electronic Communications (Directive 2002/58/EC) ('the ePrivacy Directive') into German law.

Scope of the TTDSG

The TTDSG will apply to the processing of personal and non-personal data. Besides ensuring the right to data protection, the law aims to protect privacy in accordance with the ePrivacy Directive which covers personal and non-personal data. Therefore, it is self-explanatory as to why the TTDSG also covers non-personal data too.

The geographic scope of the TTDSG seems remarkably wide. Section 1(3) of the TTDSG regulates the following:

"All companies and persons who have an establishment or provide or participate in the provision of services or make goods available on the market within the scope of this Act are subject to this Act".

For the TTDSG to apply, it is already sufficient that a company has an establishment in Germany. It is not necessary that this establishment is somehow actively involved in processing activities that, for example, include tracking with the help of cookies. The mere existence of an establishment in Germany is sufficient for the TTDSG to apply to a company. This is a very broad scope of application and even goes beyond Article 3(1) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), which at least requires that data processing is carried out 'in the context of the activities of an establishment of a controller or processor in the Union'.

To make the problems connected to this wide geographical scope more visible, the following example is provided: company A is located in Hawaii, sells goods in its online shops in Hawaii only but has an establishment in Germany that only provides invoicing services to the company A in Hawaii. The use of cookies of the company from Hawaii on its website is in scope of the TTDSG, because of the mere fact that company A also has an establishment in Germany.

However, having an establishment is only one of three different possible criteria triggering the applicability of the TTDSG. It is also sufficient if a company 'participates in the provision of services' that are provided in Germany. This reminds the reader of the provision of Article 3(2) of the GDPR which establishes a market location principle, which was intended by the German legislator as the legislative explanatory note for the TTDSG. However, it remains unclear how high or low the bar for 'participating' in the provision of a service is. To be able to assess if a company is in scope of the TTDSG, it will also have to look at services the company does not provide itself but which it is only involved in some way.

In practice, this means that a company from India that participates in the provision of services that are provided in Germany is subject to the provisions of the TTDSG. Besides the fact that it is unclear in what kind of cases a company 'participates' in the provision of a service, there is no obligation in the TTDSG that is similar to Article 27 of the GDPR (designation of a representative) and that could ensure that the competent supervisory authority could enforce the TTDSG in countries outside Germany. When it comes to the criterion 'making available goods on the market' the question arises what 'making available' means compared to 'providing' goods in the market. Overall, it seems as if the German legislator did not think through how the immense scope could work effectively in practice.

Implementation of the ePrivacy Directive

As mentioned previously, one goal of the TTDSG is to achieve legal certainty with regard to the use of cookies. In Section 25 of the TTDSG, the legislator almost copy and pasted the wording of Article 5(3) of the ePrivacy Directive, and thereby seems to want to avoid new conflicts in the wording of the German provision and the one of the ePrivacy Directive, as this was previously an issue in the Cookie Case regarding the old relevant provision.

However, the legislator did not use its chance to further define in the TTDSG in which cases it is 'strictly necessary' to store data on a user's device or to gain access to data stored on a user's device for the provision of an information society service explicitly requested by a subscriber or user. Therefore, Section 25 of the TTDSG does not give companies more legal certainty in practice. The main question remains, 'what is strictly necessary?', and the new German law does not provide any answers to this question or other hints companies could make use of. In this context the legislative explanatory note states that there needs to be an assessment on a case-by-case basis. Unfortunately, Section 25 of the TTDSG does not introduce other legal basis known out of Article 6(1) of the GDPR. The TTDSG only differentiates between consent and 'strictly necessary' without referencing, for example, to a contractual relationship or a legal obligation, which is of course in line with Article 5(3) of the ePrivacy Directive.

Section 25(1) of the TTDSG regulates that information to be provided to users and consent to be gained from users must both be done in accordance with the provisions of the GDPR. As the legislative explanatory note shows, however, the question of the lawfulness of the following use of personal data obtained and processed in this way is subject to the requirements of data protection law, i.e. in particular the GDPR (which leads to different supervisory authorities being competent as explained further below).

One general topic that was and will be discussed a lot will be the interplay between the TTDSG (as a law implementing the ePrivacy Directive into German law) and the GDPR (as the law applicable directly to any processing of personal data). Article 95 of the GDPR regulates that the GDPR does not impose additional obligations for companies as long as specific obligations arising out of the ePrivacy Directive have 'the same objective'. At least when it comes to subsequent processing of personal data, the GDPR will have to apply as its objectives are way broader and different compared to the ones of the ePrivacy Directive.

Enforcement of the TTDSG

Germany has (at least) one data protection supervisory authority per state and one Federal Commissioner for Data Protection and Freedom of Information ('BfDI'). When it comes to supervisory powers regarding compliance of companies with the provisions of the TTDSG, the competent authority is the BfDI. However, only for providers of telecommunications services or federal public agencies. In all other respects, either the relevant data protection supervisory authorities in the federal states or other authorities (according to their specifications) remain competent.

There are some parts of the TTDSG for which the Federal Network Agency ('Bundesnetzagentur') is competent, but parts dealing with the use of cookies and similar technologies are not covered by that. In contrast to that, oversight over companies' compliance with the GDPR is still a competence of the 16 state supervisory authorities.

As mentioned before, enforcement of the provisions of the TTDSG is quite unclear when it comes to companies located outside of Germany. This, however, does not only count for the examples previously provided on the Hawaiian and Indian companies, but also for companies located in other Member States of the EU. There is a lack of cooperation and consistency mechanisms for cases in which service providers provide their services from or in several Member States. This lack is caused by missing provisions in the ePrivacy Directive. Nevertheless, it will be interesting to see how the competent German authorities will enforce the TTDSG in cross-border cases.

Concluding remarks

Overall, companies should not hope to receive more legal certainty from the TTDSG. In particular, Section 25 of the TTDSG, which deals with the use of cookies and similar technologies, is unfortunately not helping companies assess for which situations consent is needed and in which cases they can rely on 'strict necessity'. Additionally, the scope of the TTDSG is very broad and the relevant provisions are full of undefined legal terms.

Dr. Carlo Piltz Salary Partner
[email protected]
reuschlaw Legal Consultants, Berlin