German Telecommunications and Telemedia Data Protection law ( TTDSG) comes into force

On December 1, 2021, the law on data protection and the protection of privacy in telecommunications and telemedia (Telekommunikation-Telemedien-Datenschutz-Gesetz, TTDSG) comes into force. The term telemedia includes, for example, websites and apps. This law is in addition to the scope of the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) and is intended to prevent undesired access to information stored on computers, tablets or mobile phones.

What does this mean for the use of cookies and Co.?

In the future, when using technologies such as cookies, web storage, browser fingerprinting, etc. – regardless of the question of whether personal data is processed – the consent of the user must be obtained. A further consent according to the GDPR can be added if the processing of personal data in this context is based on Art. 6 (1) a GDPR. In principle, both consents can be obtained at the same time.

In Section 25 (1) TTDSG, the principle of the need for consent is defined as follows:

(1) The storage of information in the end user’s terminal equipment or access to information that is already stored in the terminal equipment is only permitted if the end user has consented on the basis of clear and comprehensive information. The information of the end user and the consent must be given in accordance with Regulation (EU) 2016/679. In Section 25 (2), the TTDSG formulates narrowly limited exceptions to the consent requirement:

(2) The consent according to paragraph 1 is not required, if the sole purpose of storing information in the end user’s terminal equipment or the sole purpose of accessing information already stored in the end user’s terminal equipment is to transmit a message via a public telecommunications network, or if the storage of information in the end user’s terminal device or access to information already stored in the end user’s terminal device is absolutely necessary so that the provider of a telemedia service can provide a telemedia service expressly requested by the user. Outside of the conditions mentioned, the use of cookies, web storage, browser fingerprinting and similar technologies is only permitted with consent that meets the requirements of the GDPR. The wording of the exceptions is to be interpreted narrowly. In Paragraph 2 No. 2, for example, the phrase “absolutely necessary” can be found, which is to be understood as a technical, but not an economic, necessity against the background of the reasons for the law. Reach measurement, user tracking for advertising purposes, etc. for the provision of a telemedia service are therefore regularly not absolutely necessary and therefore subject to consent under the TTDSG.

Why is a new law on data protection even necessary?

With the TTDSG, European legal requirements are implemented in national law. At the same time as the GDPR, the ePrivacy Regulation was originally supposed to come into force as a special legal regulation for the area of ​​electronic communication. However, this has not happened to date and is unlikely to be implemented in the foreseeable future either. In the past, this has led to considerable legal uncertainty in the telemedia sector. For a long time it was unclear whether and to what extent national data protection regulations could still be applied in this area. The uncertainties with regard to the legal assessment of user tracking and the question of when prior consent from website visitors is required for the use of cookies became particularly clear. The European Court of Justice answered this question with its decision “Planet49” (ECJ, judgment of October 1, 2019 – C-673/17). The Federal Court of Justice (BGH) also came to the conclusion in the case of “Cookie Consent II” (BGH, judgment of May 28, 2020 – I ZR 7/16) that consent must be obtained before cookies are set and read. Nonetheless, the BGH could not rely on Article 5 (3) of the ePrivacy Directive (Directive 2009/136 / EC of the European Parliament and Council) to answer the question of a consent requirement, as the Directive was not implemented in national law in Germany. In order to nevertheless comply with the requirements of the ECJ on the requirement of consent, the BGH finally interpreted Section 15 (3) TMG in the sense of the ePrivacy Directive with great legal effort.

Click here for an overview and FAQ of the TTDSG in German.