A New German Data Protection Act (TTDSG) and the Future of Consent Management
on 13.08.2020 by Dr. Ramona Greiner
tl;dr / Management Summary
The most exciting innovations of the planned German data protection law so far are
- the clear and expressly regulated exceptions to the requirement of consent (over and above the technical necessity according to the 5 para. 3 ePrivacy Directive) for contractual obligations or for the fulfilment of legal obligations
- the possible revival of “Do-Not-Track” browser settings via erwGr. 66 sentence 3
- the new regulation of responsibilities of the BfDI (= Federal Commissioner for Data Protection and Freedom of Information). In the course of the ePrivacy Regulation negotiations, the Federal Government agreed that data protection supervision should in future be based on the GDPR as far as the processing of personal data is concerned.
- fines are based on Art. 83ff GDPR
ePrivacy, GDPR and Co.
At the time, only a few specialists were interested in the “EU Directive on Data Protection in Electronic Communications”, the so-called ePrivacy Directive, which was revised in 2009, presumably also because European directives are initially addressed to the member states and not to individual companies. The GDPR, on the other hand, already cast its shadows in 2016 and caused tense unrest. As a regulation, unlike directives, is directly applicable law and thus was and is to be followed by all companies without any intermediate legislative steps. From large corporations to the local football club – and not least in the digital consulting industry – there was great uncertainty: Can I still collect data at all? Do I really have to pay 4% of my annual turnover for small offences as a penalty? Doesn’t the effort to achieve “real” GDPR compliance resemble a Sisyphus task a.k.a. PDCA cyclus, which due to a lack of guidance is simply associated with a high potential for frustration and possibly in the end is not even in the interest of consumers? And when will there finally be binding statements about what is and what is not allowed?
In retrospect, we know that things weren’t quite as dire as they were made out be. In the end, the wave of warnings and sanctions feared when the GDPR came into force (May 2018) failed to materialise. Nevertheless, it is not only the occasional fines imposed in Germany, but in particular the €50 million fine imposed on Google by the French regulatory authority (CNIL), which has since been confirmed by the courts, that are causing the online industry in particular to take a furtive look at our French neighbours, who are evidently taking much more rigorous action than their counterparts elsewhere in Europe.
Data Protection Remains an exciting Issue.
However, we should not rest on a false sense of security resulting from the apparent goodwill that the German data protection authorities have shown so far. On the one hand, on the practical level, there is still a certain amount of uncertainty for many use cases with regard to data protection issues, e.g: What is the so-called “range measurement” in tracking? This is a not insignificant question in light of the fact that, depending on the differentiation parameters, either consent must be obtained or not. Where does tracking begin and where does the “mere” range measurement end? How much nudging is allowed with the Consent Banner without doubting the voluntary nature of consent? On the other hand, on the legislative, (still) theoretical level, the Damocles sword of the ePrivacy Regulation is hanging over all our heads: Some say it will be even stricter than the DSGVO, others say it will be much more liberal, yet others say that the ePrivacy Regulation will not come anyway, as the directive is already so outdated and has no effect at all on the new digital issues of our time. The issue of artificial intelligence, for example, was not as important at the time it was created (2002 or 2009) as it is today. A compromise on the ePrivacy Regulation is currently being negotiated in the EU, which is intended to close the gap between the reality of digital life and the outdated directives. However, it remains questionable whether the outcome of these negotiations can meet current requirements. At least the ePrivacy Regulation is on the EU Commission’s work programme for 2020. We can only hope that a workable compromise will be reached under the German EU Council Presidency, but Germany itself does not seem to want to wait any longer.
Cookie Leaks – What the New German Data Protection Law is all about
The news hit data protection circles like a bomb! On Friday, 31 July 2020, a document from the German Federal Ministry of Economics and Energy (BMWi) was leaked, which is nothing less than a draft German data protection law with the sexy and very catchy title: “Draft of a law on data protection and privacy in electronic communications and telemedia and amending the Telecommunications Act, the Telemedia Act and other laws”.
At the heart of the draft is the proposal for a genuine, separate, modern, citizen and business-friendly German law on data protection and privacy in electronic communications and telemedia, or “in short”: Telecommunications-Telemedia-Data Protection Act or even shorter: TTDSG or, currently more correct: TTDSG-E, where the “-E” stands for “Entwurf”, the German word for draft. Since the introduction of the GDPR, Germany has postponed adapting the Telemedia Act (TMG) and the Telecommunications Act (TKG) to the framework conditions of the GDPR, especially in the area that interests FELD M and our customers most: The tracking of users. At the same time, the cookie provisions of the ePrivacy Directive are to be finally transposed into German law in coordination with the GDPR.
This jack of all trades device of data protection, planned as TTDSG-E, will probably keep us busy for many months (and years?) from now on. I would like to summarize my first impression about the upcoming innovations:
News from Altmaier – The core Data Protection Innovations from the BMWi
Aim of the Law
In principle, much of what has now been incorporated into the draft legislation could be anticipated, as it takes up and consolidates both the legal requirements of the ePrivacy Directive and the GDPR and the concretisation of the same by the most recent rulings of the ECJ and the Federal Court of Justice.
The draft bill of the new Data Protection Act starts with the intention that “functioning business models will neither be impaired nor will innovations in the digital world be hindered, especially with regard to the Internet of Things and the market position of small and medium-sized enterprises and start-ups in online trade compared to the large companies dominating the market.” Accordingly, the BMWi wants to structure the data protection law in such a way that it is as compatible as possible for end users of online services and for the economy. So far, so good.
Down to Business: Cookies and Consent
It was foreseeable that the TKG and TMG would be amended as a result of the European Court of Justice ruling regarding Planet49 and its confirmation by the Federal Court of Justice, after the German regulatory authorities had already previously clarified §§ 12ff. TMG as not being in conformity with the Directive. The legal subtleties of the interpretation of Section 15 German Telemedia Act, which the BGH apparently considered to be possible, and the reasons given by the supervisory authorities why this should not actually be possible, should not interest us further at this point with regard to the subject matter of this article. The TTDSG-E adopts the results of the above-mentioned verdict with regard to the requirements for effective consent as we already know them and also establishes the requirement of informed consent as a basic rule for the “storage of information on the end user’s device or access to information already stored on the end user’s device”. (cf. Section 9 Paragraph 1 TTDSG-E)
However, the storage of such information that is technically necessary for the provision of the service should be exempt from the basic consent requirement, as is already the case today. Furthermore – and this is new in its clarity – consent is also not required if the storage or access has been contractually expressly agreed with the end user in order to provide certain services or if the processing is necessary to fulfil legal obligations. (see § 9 para. 2 TTDSG-E)
Not entirely new is the suggestion that the end user could also give consent by selecting a designated setting in his browser or another application. (cf. Section 9 (4) TTDSG-E)
This poses various questions.
- Firstly, the question to what extent the contract will or can be used in the future as an additional instrument to establish lawful processing. It is foreseeable that a corresponding regulation will attract data protection experts and lawyers and that new best practices in contract drafting could possibly emerge within a short time.
- On the other hand, the return to browser settings as a means of expressing the autonomous will of the persons concerned is an exciting point, which is already presented by Amendment 66 to the so-called Cookie Directive of 2009 in its third sentence: “If it is technically feasible and effective, the user’s consent to processing may be expressed in accordance with the relevant provisions of Directive 95/46/EC on the handling of the corresponding settings of a browser or other application”. The browser settings could gradually eliminate the cookie banners that are a thorn in the side not only of many website operators, but also of the users themselves. In recent years there have been many proponents of this browser setting, also known as “Do-Not-Track” (DNT) function. In January 2019, the DNT standardization committee at the W3C was closed without achieving W3C standard status. The reasons given for this step were insufficient implementation numbers and lack of evidence of DNT support from browser manufacturers and other stakeholders. Reality has taught the world of web analytics that DNT settings were hardly taken into account, so some browser vendors gradually removed them. Recent developments suggest that browsers are likely to offer the do-not-track functionality again.
A clear argument for the global browser setting is certainly that a differentiation of cookie purposes is not absolutely necessary. It is still irrelevant to the requirements for setting cookies whether the data collected and stored by the cookies are personal. Therefore, this decision can be made without specifying the purpose and nature of the data.
Two central questions remain, however, even after these innovations from the present draft:
- Firstly, the question of the extent to which the providers of free services can “force” their users to allow cookies and thus make their information and services accessible only with their consent and
- secondly, the question of what the future of the Consent Management Platforms (CMP) looks like for us, our customers and CMP partners.
Regarding the first question, a European compromise is still being fought over in the context of ePrivacy. The TTDSG-E, on the other hand, suggests that in the future alternative legal bases such as contracts in the form of terms and conditions of use will be increasingly used. In order to answer the question about the future of CMPs, I would like to present a possibility in the following with my personal assessment.
The CMP is Dead – Long live the CMP!
Most companies have gone through a process of implementing a Consent Management Platform in the last two years. Tool selection, implementation, banner design as well as opt-in optimization and evaluation of the content data have consumed both time and budget. Even now, many companies are still in the middle of the discovery, selection or implementation process.
After the latest developments concerning the TTDSG-E, the following question is now being asked: If the legality of the processing can be established by means of contractual tricks or consent by means of browser settings, and the former presumably means higher opt-in rates for the website operators and the latter frees the users from the obligation to click on a banner, is there a need for content management platforms at all?
The draft law is still fresh and which provisions will ultimately be incorporated into a law or which best practices will then crystallize is still in the stars. However, my assessment is that consent via the banner is still the best solution.
The field of permission marketing has become an increasingly important component of marketing and its march of triumph continues. The supposed compulsion to introduce a banner is not only a necessary evil, but also a good way to communicate directly with the users of the site about what concerns them personally, namely the handling of their own data. Thus, obtaining consent can be seen as a confidence-building measure that pays off on a brand promise with a feel-good character. Transparency, security, individuality and high standards of data protection are values that can be conveyed via such a banner and, last but not least, help the so often sought-after right to informational self-determination and to the confidentiality of (electronic) communication to fully unfold.
In addition to the confidence-building effect, companies can also remove the global “do-not-track” function by placing their own banner on the site, since the consensus on the individual website will always reflect the individual will of the visitors more precisely than the consensus that was probably given or rejected once in the browser settings. Thus, banners can still be used to collect more data, especially if the banner communicates well, shows added value and is a trustworthy brand.
A realistic scenario is also that although the cookie banners could disappear for a short time, the website operators will use a pop-up after checking the browser content status in case of non-consent to inform the website users how to adjust the browser settings and why consent is useful here. The “harassment” of users by banners will thus remain, except that it would mean a further step for users to switch to the browser settings first. This scenario shows that if users do not give their consent in the browser, the previous cookie banner will hardly be replaced if website operators want to collect relevant marketing data.
Since the do-not-track function was also already considered in the ePrivacy Directive and was only briefly taken into account by browser providers and users, it remains to be seen whether a record in German law can now significantly improve the relevance of browser settings and whether the implementation is successful at all. In any case, I would not forego the use of a consensus management platform for the time being and probably not in the long term.
Location data and geo-locations are also included in the TTDSG-E. Their collection should also only be carried out with existing consent, unless the collection is necessary for the execution of a desired service. The TTDSG-E stipulates that geo-information must be made anonymous and that users of mobile devices must be informed in written form on the device when the exact location has been collected. This regulation could mean the end for location-based advertising in Germany.
Redistribution of responsibilities and orientation
A glance at Part 4 of the TTDSG-E shows that the amount of the fine and the handling of administrative offences should essentially be based on the provisions of the GDPR. § Section 27 TTDSG-E provides for a shared official competence with regard to the enforcement of the TTDSG. Thus, the Federal Commissioner for Data Protection and Freedom of Information (BfDI) shall be responsible for supervising compliance with such standards relating to the protection of personal data. The Federal Network Agency (BNetzA) is to be responsible ex negativo for all provisions that do not concern the protection of personal data.
Further contents and outlook
The law will also include regulations on so-called PIMS (= Personal Information Management Systems) (a detailed treatment of these would easily fill a separate article) as well as on devices that can be heard and seen, such as smart speakers, which will in future only be allowed to make audio recordings if users are informed about the start and end times of the recordings.
In principle, the law does not provide for a transitional period. According to Art. 25 TTDSG-E, it is to apply directly on the day after promulgation – the target date is 21 December 2020. This would be a highly ambitious timetable and I would cautiously doubt that this target date will be met. However, the mere possibility of it becoming law in December, should urge us to take the draft seriously, to follow developments closely and to take any decisions that may be necessary.
The draft law is extensive, so in this article I have first concentrated on the points that are most important for FELD M and our customers. Updates and information on further content will be taken up and dealt with on our FELD M blog, depending on how up-to-date it is. Feedback, questions and ideas for further questions, which we should deal with on our blog, are welcome in the comments!