On 10 February 2021, the Federal Cabinet agreed on a joint draft of the German Telecommunications-Telemedia Data Protection Act [Telekommunikation-Telemedien-Datenschutzgesetz, TTDSG-RegE]. The planned Act, which is to be passed shortly (the first reading in the Bundestag took place on 25 March 2021), will adapt data protection provisions from the German Telecommunications Act [Telekommunikationsgesetz, TKG] and the German Telemedia Act [Telemediengesetz, TMG] to the requirements of the General Data Protection Regulation (GDPR) and implement essential parts of Directive 2002/58/EC (ePrivacy Directive).
Germany about 10 years behind schedule
The Federal Court of Justice nevertheless ruled in its decision "Cookie consent II" that § 15 (3) sentence 1 TMG was to be interpreted (ultimately contrary to its wording) in conformity with the Directive to the effect that providers of telemedia had to obtain express consent before triggering the storage of cookies on the end-device of the respective user (FCJ, judgement of 28 May 2020 - I ZR 7/16 margin Nos. 54, 55).
Setting of cookies only permissible with informed and active consent
The Federal Government now wishes to resolve this confused legal situation with the aid of § 24 TTDSG-RegE. The provision corresponds almost word-for-word to Art. 5 (3) ePrivacy Directive. §§ 11 et seqq. TMG (and thus also § 15 (3) sentence 1 TMG) are simultaneously to be repealed.
In this case, what already applied previously via the detour of an interpretation of § 15 (3) sentence 1 TMG in conformity with the Directive will then result directly from the TTDSG: telemedia providers will have to obtain consent (unless an exception applies) before they trigger the storage of cookie files on the end-devices of end-users or read data stored on end-devices. The latter is regularly the case with tracking technologies such as so-called fingerprinting.
Exceptions apply to cookies that are strictly necessary for the functioning of a website called up by the website visitor, based on the reasonable expectations of the average user. This may include, for example, cookies that are necessary to operate a consent management tool or cookies that enable the shopping cart function in an online shop.
Increased punishment through fines is expected
Website operators who violate the principles described need to take urgent action. Otherwise, there is a risk of fines and cautions from competitors.
It is true that the German supervisory authorities - probably because of the unclear legal situation in Germany for many years - have so far been reluctant to punish infringements in connection with cookies. However, following the announcement of the aforementioned FCJ ruling, at the end of 2020 they already made public a transnational data protection review of tracking technologies on the websites of newspaper publishers. We expect that the supervisory authorities will noticeably intensify their sanctions practice once the TTDSG comes into force.
Pursuant to § 26 (1) No. 13 in conjunction with (2) TTDSG-RegE, fines of up to €300,000 may be imposed for violations of § 24 TTDSG-RegE. For the unlawful processing of personal data of website visitors following the storage of a cookie on the respective end-device or the reading of data stored there, the rules of the GDPR are applicable, which means that significantly higher fines can be imposed (cf. Art. 83 (4), (5) GDPR).
In addition, in practice more and more website operators are being cautioned by competitors on the basis of § 3a German Unfair Competition Act [Gesetz gegen den unlauteren Wettbewerb, UWG]. Although the extent to which data protection rules can be regarded as market conduct rules within the meaning of the provision is fiercely disputed, a number of courts of lower instance have now affirmed the ability to issue cautions.
European follow-up provisions are taking shape
Even once the above-mentioned principles have been implemented, website operators should keep a close eye on the development of the legal situation at EU level.
Firstly, the long-planned ePrivacy Regulation has cleared an important hurdle. The Council of the EU agreed (on the same day as the Federal Cabinet on the TTDSG) on a text that now forms the basis for the trilogue negotiations between the Council, the Parliament and the Commission of the EU. According to the original plans, the Regulation was supposed to enter into force at the same time as the GDPR and replace the ePrivacy Directive. However, the EU member states wrangled for years over individual articles, with the prerequisites for the use of tracking technologies being one of the topics of dispute.
The recently published draft contains essential changes compared with Art. 5 (3) ePrivacy Directive and § 24 TTDSG-RegE. In particular, it should be possible under certain conditions to make access to a website dependent on consent to non-necessary cookies used for further purposes (a so-called cookie wall), for example if, as an alternative, paid access without such cookies remains possible (recital (20aaaa) of the draft). The German supervisory authorities, in particular the Federal Commissioner for Data Protection and Freedom of Information [Bundesbeauftragte für Datenschutz und Informationsfreiheit, BfDI], have strongly opposed this development. It remains to be seen when and in what form the ePrivacy Regulation will ultimately enter into force.
Finally, an important issue is the proposed Data Governance Act, which is also currently available in draft form. Art. 9 of the draft provides for a notification procedure for providers of so-called Personal Information Management Systems (PIMS). In particular, PIMS allow users to give informed consent to the processing of usage data by means of cookies once for a number of specific cases (e.g. for a specific type of cookie). In the future, this could permanently change the current procedure, i.e. the constant request for website visitors to provide a declaration of consent, and also make a technical adjustment by website operators necessary.