The Telecommunication Telemedia Data Protection Act – a new “cookie law” for Germany
The provisions covering cookies and similar technologies are set forth in paragraphs 25 and 26 of the new Act. They apply to any storage of information on the end equipment (terminal equipment) of users as well as any access to such information. As a general rule, paragraph 25 (1) states that such storage or access is only permitted if the end user gave consent on the basis of clear and comprehensive information. For such consent and the information provided, GDPR shall apply.
Exceptions to that rule are set forth in Section 25 (2). According to that section, consent is not required if
- the sole purpose of the storage or access is “the execution of the transmission of a message via a public telecommunications network”, or
- the storage or access is “strictly necessary” to enable the provider of a telemedia service to provide to the end user a telemedia service the end user “explicitly requested”.
Now, what is “end equipment”? This seems rather clear. End equipment is defined as “any equipment connected directly or indirectly to the interface of a public telecommunications network for the purpose of transmitting, processing or receiving messages; in the case of both direct and indirect connections, the connection may be made by wire, optical fibre or electromagnetically (…)”. This is a very wide definition and as a consequence the rules does not only apply to mobile phones or computers with internet access but also, for example, connected cars and connected household devices.
However, when is the storage of or access to information on the user’s end equipment “strictly necessary” to enable the provision of a telemedia service? If, for example, a cookie is placed to capture the user’s region in order to provide the cookie consent tool in the language applicable to that region: is this a “strictly necessary” cookie? Or if the access to information in end equipment is necessary for updating software and such updates are required under statutory law (cf. European Directive on certain aspects concerning contracts for the supply of digital content and digital services): is this “strictly necessary”? Also, what makes a telemedia service a service the end user “explicitly requested”? If, for example, the user simply surfs websites: is the provision of these websites a service “explicitly requested”?
And last but not least: the rules apply regardless of whether the storage of or access to information on end equipment involves processing of personal data or not. How should businesses obtain consent(s) according to GDPR, if the end equipment is used by several users (such as cars or household devices) and/or unknown users?
These and further questions are raised by the new Act. It remains to be seen how German authorities and courts will answer these questions and if the ePrivacy Regulation will be more precise when it comes.
Article provided by INPLP member: Kirsten Wolgast (Pinsent Masons, Germany)
Dr. Tobias Höllwarth (Managing Director INPLP)