New German Telecommunications-Telemedia Data Protection Act

Background

On December 1st 2021 the New German Telecommunications-Telemedia Data Protection Act (abbreviated in German to TTDSG) came into force. The Telemedia Act (TMG) and Telecommunications Act (TKG) were adapted and modernized (accordingly). Adjustments that were necessary due to the EU General Data Protection Regulation (GDPR) and the more extensive, directive-compliant implementation of the ePrivacy EU-Directive were also implemented in the TTDSG.

Overall, the TTDSG can be seen as an interim step on the way towards the EU ePrivacy Regulation, which is still in the legislative process.

Most important regulations

• "Over-the-top" (OTT) services will be covered by telecommunication related data protection. OTT services are services that offer electronic communications networks (e-mail, messaging services, etc.).
  • Provisions on the protection of the secrecy of telecommunication, were transferred from the TKG to the TTDSG.
• The new Section 25 TTDSG now explicitly regulates for the first time in national law that tracking technologies generally require consent, regardless of whether personal data is processed. The requirements for consent are nevertheless based on the GDPR. Consent is only not required for cookies or "tracking technologies" that are solely intended to transmit a message or are absolutely necessary for a telemedia service expressly requested by a user.
• Section 26 of the TTDSG provides the option to use approved services to manage consent. So-called "Personal Information Management Services" (PIMS) are intended to give users the possibility to consent to certain data processing or to reject once and have the information stored centrally. Websites then can access the information stored in the PIMS. The intention is to give users more overview and security over their consent decisions.

Conclusion and recommendation for action

• The TTDSG resolves uncertainties in connection with the directive-compliant implementation of the ePrivacy Directive in the area of cookies in the old TMG. However, important clarifications remain missing, in particular with regard to the question of which cookies are "absolutely necessary". Time will show whether the PIMS services provided for consent management will bring the desired simplifications.
• If they have not already done so, companies should take an inventory of all cookies and technologies used to store information on the terminal device of telemedia users or to access information stored on end devices and check whether their use is lawful.
• It should be critically questioned whether the use of certain cookies or tracking technologies is absolutely necessary within the meaning of Section 25 (2) TTDSG. If this is not the case consent must be obtained in accordance with the GDPR before data is stored in or read from the terminal device.
• Insofar as such consents are obtained by means of cookie banner, companies should not assume that these tools always provide a legally compliant solution. In particular, automatically generated texts should be critically examined for their minimum information content, their graphic arrangement and the overall design. It is also essential to ensure that the person giving consent is not unduly influenced in his or her decision about consent, e.g., by making the process of refusal unnecessarily complicated.