The data protection provisions of the Telemedia Act (TMG) and the Telecommunications Act (TKG), including the provisions on the protection of telecommunications secrecy, have been combined in a new law, the Telecommunications Telemedia Data Protection Act (TTDSG).
At the same time, the necessary adjustments to the GDPR are to be made, as well as legal clarity and effective protection of the privacy of end users with terminal equipment (computers, smartphones, TVs, etc. basically also all other objects connected to the Internet). An end user is any user who uses a public telecommunications service for private or business purposes, i.e., by implication, all companies that operate a web presence, send advertising emails, offer apps or/and offer video on demand (list not exhaustive) must comply with the provisions of the TTDSG.
The setting of cookies is an important connecting factor of this regulation. In principle, third parties may only store information such as cookies on terminal equipment if the end user concerned has given his consent. This consent is given according to the standards of the GDPR, i.e. voluntarily, on the basis of clear information and revocable at any time.
According to Section 25 (2) TTDSG, consent is now only not required in two exceptions:
- if the sole purpose of storing information in the terminal equipment or the sole purpose of accessing information already stored in the terminal
equipment is to carry out the transmission of a message via a public telecommunications network, or
- if the storage of information or access to information already stored is absolutely necessary in order for the provider of a telemedia service to
provide a telemedia service expressly requested by the user.
Nevertheless, there are still ambiguities regarding the clear categorization of necessary cookies.
In particular, the question arises whether cookies for website optimization, so-called first-party analysis cookies, may still be considered „absolutely necessary“ within the meaning of Section 25 (2) no. 2 TTDSG. The latter can at least be assumed for shopping cart and session cookies, as well as identifiers for storing user preferences, such as language and screen settings, or for ensuring the technical security and integrity of the website. That the use of self-hosted analysis tools such as Matomo can continue to be based on legitimate interest (coverage measurement), we see with the entry into force of the TTDSG, as questionable or rather as no longer possible.
The TTDSG also paves the way for consent management services known as PIMS (Personal Information Management Systems) (Section 26 TTDSG). The idea behind this is that Internet users can indicate once to appropriately recognized services whether, where and under what conditions they give their consent or refusal to the setting of cookies. The service provider then automatically forwards the information to the websites in the background. This should make annoying cookie banners unnecessary. Before such services can apply for recognition, however, the German government must first specify the recognition procedure and the interaction between the various parties involved (consent management service, telemedia provider, browser provider) in the form of a legal ordinance.
So it remains to be seen – so far, such services do not yet exist.
Pursuant to Section 3 (1) of the Telecommunications Data Protection Act (TTDSG), the content of telecommunications and the circumstances surrounding them, in particular the fact as to whether a person is or was involved in a telecommunications process, are subject to telecommunications secrecy. Section 3 (2) TTDSG regulates who is obligated to respect the secrecy of telecommunications pursuant to (1). In addition to providers of publicly available telecommunications services (Section 3 (2) sentence 1 no. 1 TTDSG), this also includes providers of telecommunications services offered wholly or partly on a business basis (Section 3 (2) sentence 1 no. 2 TTDSG). Within the framework of the previous legal situation, the prevailing opinion also classifies the employer as such a business-like provider, insofar as the employer permits the private use of the company communication means and thus makes these available to its employees on a sustained basis for private purposes. A corresponding provider-user relationship is even assumed in the case of mere toleration on the part of the employer, insofar as the employer is obviously aware of the naturalized private use by the employees and accepts it over a longer period of time without objections. In this circumstance, however, there is also an interaction of further regulations (GDPR, ePrivacy Directive, StGB, etc.). Which data protection law applies to employers who allow the private use of company communication media is disputed. From a practical point of view, it is particularly important not simply to tolerate the private use of company communications, but rather, if such use is to be permitted, to do so explicitly and at the same time to establish clear „rules of the game“ and control mechanisms, e.g., by means of a company/service agreement and the consent of the individual employees referring to this.
Due to existing ambiguities and also high requirements, Bugl & Kollegen continues to recommend a strict separation of private and business use. Furthermore, the TTDSG contains a regulation on telecommunications secrecy with regard to the heirs of a protected end user (keyword: digital estate). Telecommunications secrecy is not intended to prevent heirs of the end user and other persons with a comparable legal position from exercising the end user’s rights vis-à-vis his telecommunications provider.
In the area of telemedia, the TTDSG regulates data protection with regard to provisions not already covered by the GDPR. This also includes the regulations on inventory data disclosure. Inventory data is all data that may be collected and permanently stored by telemedia providers for contractual purposes in accordance with the GDPR. On January 28, 2021, the Bundestag passed the law on the disclosure of inventory data in the Act on the Adaptation of the Regulations on the Disclosure of Inventory Data to the Requirements of the Decision of the Federal Constitutional Court of May 27, 2020. These regulations have been taken into account in the TTDSG.
Section 26 of the TTDSG contains provisions on administrative offenses, whereby the amount of the fine is not based on the GDPR but on the fine framework of the previous TKG and is therefore relatively low.
However, providers of telemedia services must be aware that a violation of Section 26 TTDSG does not block the higher fine framework of the GDPR, but that the regulations are applicable side by side. In the event of a violation of the consent requirement, the provider of telemedia services could be asked to pay twice.
The TTDSG must also be taken into account with regard to technical and organizational measures. Section 19 (1) of the TTDSG states that „telemedia providers must take technical and organizational precautions to ensure that the user of telemedia can terminate the use of the service at any time and that the user can access telemedia protected from third parties. One precaution in this regard is an appropriate encryption procedure.
Your steps to do:
- Amendment of documents regarding the secrecy of telecommunications, i.e. guidelines containing a reference to §88 TKG, administrator obligations regarding confidentiality (data secrecy), etc. ⇒ §88 TKG becomes §3 TTDSG
- Review of website tools, even for self-hosted reach measurement tools, consent must be requested from the user (e.g.: Matomo), subsequent changes to the legal basis of these tools in the privacy statements ⇒ Art. 6 para. 1 f becomes Art. 6 para. 1 a GDPR and objection becomes revocation
- Inclusion of the new tools requiring consent in the cookie banner, no longer under the category of „essential“ or „technically necessary“
- Review of TOMs, appropriate encryption procedures in place, etc.
- Strict separation of private and business use of company terminal equipment, software, etc. (urgent recommendation
from Bugl & Kollegen)