Positioning of the German Data Protection Supervisory Authorities
On 26 April 2018, the Conference of the independent Federal and State Data Protection Authorities stated its position in terms of the TMG as from 25.5.2018: https://www.ldi.nrw.de/mainmenu_Datenschutz/submenu_Technik/Inhalt/TechnikundOrganisation/Inhalt/Zur-Anwendbarkeit-des-TMG-fuer-nicht-oeffentliche-Stellen-ab-dem-25_-Mai-2018/Positionsbestimmung-TMG.pdf
It is hardly surprising that the supervisory authorities concluded that the Data Protection provisions of the German Telemedia Act (§§ 11 et.seq. TMG) will be superseded by the GDPR. The publication of this clear position of the German Data Protection Supervisory Authorities is welcomed, since a “citable”paper is now at hand.
The implication of this positioning of the supervisory authorities will, however, only be evident in practice upon a second glance. An overview:
- The obligation of transparency will pursuant to § 13 Para. 1 TMG (“…at the beginning of the usage process concerning type, extent and purposes of collection and use …”(§ 13 Para. 1 Clause 1 TMG), “…automated processes allowing later user identification and preparing collection or use of personal data, the user shall at the beginning of this process …”(§ 13 Para. 1 Clause 2 TMG)) not apply, but rather Art. 13 and 14 GDPR, which requires information to be provided especially concerning purpose, legal basis and any justified interest at the start of data collection.
- But also § 15 Para. 3 TMG, governing the compilation of online usage profiles (“… for purposes of advertising, market research or configuration of the telemedia usage profiles as needed …”) will not apply, but rather Art. 6 GDPR.
- The conclusion drawn from this by supervisory authorities is likely to cause a fuss: “Prior consent will in any event be required where tracking mechanisms are deployed that render the behaviour of affected persons traceable on the Internet and with the compilation of user profiles. This means that informed consent under the GDPR, in the form of a declaration or other pertinently confirmed action, must be obtained prior to data processing, for instance, before Cookies are placed or stored information on the user’s terminal is collected.”
This position is justified by reference to Art. 5 Para. 3 of the ePrivacy Directive (Directive 2002/58/EC), discussed in Germany under the – not quite appropriate – catchword “Cookie Directive”.
The Data Protection Supervisory Authorities do not in this matter share the hearsay opinion of German legislators holding that the Cookie arrangement has been addressed in the TMG data protection provisions and that these arrangements could in this respect (!) remain in force.
Author: Dr. Jens Eckhardt