In force as of 1 December 2021: the TTDSG and the "new" cookie rules

Stefan Hessel

The new Telecommunications and Telemedia Data Protection Act (TTDSG) (only in German) combines the data protection provisions of the Telecommunications Act (TKG) (only in German) and the Telemedia Act (TMG) and serves to implement European law requirements, particularly the ePrivacy Directive. The Act is to take effect on 1 December 2021. Are companies facing new legal challenges as a result? We present the changes.

New regulation for the use of cookies?

§ 25 of the TTDSG received the most attention in public discussion. This section contains regulations for the storage and use of data on users' terminal equipment. The requirements for the use of these cookies, for example by operators of Internet sites, has a long history in Germany.

For a long time, it was disputed whether Germany was even adequately implementing the requirements of the ePrivacy Directive in this regard. Article 5(3) thereof clarifies that the storage of and access to information on users' end devices, usually referred to as "cookies", is generally only possible if they give their prior consent or if the cookie is technically absolutely necessary.

However, European directives that impose obligations on private actors are not directly applicable, but require implementation through national law. The relevant provision in German law was found in the previously applicable § 15 III 1 of the German Telemedia Act (only in German). However, this inadequately reflected the requirement of Article 5(3) of the ePrivacy Directive. The Federal Supreme Court (BGH) therefore used an interpretation in conformity with the Directive and interpreted the provision of the Telemedia Act contrary to the wording in the favour of the requirements of European law. § 25 TTDSG now provides clarity here by clearly implementing the requirements of the ePrivacy Directive and also closely following the wording of the Directive. With regard to legal certainty, this is to be welcomed as opposed to an interpretation beyond the limits of the wording.

At the same time, however, this means that the legal situation has remained largely unchanged from the status quo ante on this issue. Rather, the legal situation already established by the so-called "cookie rulings" of the Federal Supreme Court (BGH) was only set out more clearly. The TTDSG also does not specify any further exactly the consent must be structured.

Consent services

However, § 26 TTDSG (only in German) contains a surprising innovation. According to this provision, consent management services are permissible under certain conditions. These personal information management systems (PIMS) allow for prior consent through an independent service. Via this, a user can specify in advance which categories of cookies he or she generally agrees to and under which conditions. The services tell the websites the settings they want. In perspective, this could prove to be an effective tool for stemming the tide of consent banners that many perceive as a burden.

However, according to § 26(2) TTDSG (only in German), the Federal Government would first have to specify more precise requirements in a ordinance with the approval of the Federal Council. In addition, providers would have to be found who have the corresponding certification required by § 26(1) TTDSG (only in German) carried out for their service.

Extended scope of application

One change that should be of interest to product manufacturers concerns the scope of application of the regulations. In a departure from the ePrivacy Directive, § 25 TTDSG (only in German) does not refer to end devices, but to users' terminal equipment. Pursuant to § 2(2)6 TTDSG (only in German), this term is defined as any device connected directly or indirectly to the interface of a public telecommunications network for the purpose of transmitting, processing or receiving messages. The legislative intent of this Act states that this wording is intended to cover a broad scope of application. The requirements of § 25 TTDSG  thus apply not only to Internet communications, but also to the use of networked devices (Internet of Things) such as smart home devices.

Summary

For companies, the introduction of the TTDSG changes little. The regulations on cookies have already been applicable law up to now. It is welcome that legislators want to enable the use of PIMS. However, it is questionable when and whether such services will be used at all on the basis of § 26 TTDSG, especially since the TTDSG will be superseded in the coming years by the European ePrivacy Regulation, which has already been in the works for some time. However, companies that have not yet adequately implemented the requirements of the ePrivacy Directive should do so in a timely fashion.

[November 2021]