On April 5, 2019, the association of German Supervisory Authorities for data protection (‘Datenschutzkonferenz’ or ‘DSK’) published a guideline regarding the applicability of the German Telemedia Act (‘TMG’) to telemedia services – including, for example, the use of website cookies for targeted advertising post-GDPR. The guideline aims to “clarify and concretize” a previous statement on the topic released by the DSK in April 2018 and to serve as guidance for the implementation of data protection requirements when processing users’ data through telemedia services. This guideline is the result of a stakeholder consultation carried out by the different German Supervisory Authorities last year.
In line with its previous paper, the DSK confirmed in its opinion that Sections 12, 15(1) and 15(3) TMG ceased to be applicable when the GDPR came into effect. Hence, in the absence of a lex specialis, the provisions of the GDPR apply by default. The main difference between the two laws is that the TMG provides for a specific legal basis under which online tracking may be lawfully carried out by a website operator. According to Section 15(3) TMG, so long as the website operator uses pseudonyms, it may create user profiles for purposes of advertising, market research or for the demand-oriented design of telemedia services, provided that the user does not object to this (typically through an opt-out solution like unticking a pre-selected checkbox on a cookie banner).
The DSK argues that Sections 12, 15(1) and 15(3) of the TMG do not implement the ePrivacy-Directive’s[1] ‘cookie requirements’ and therefore are not covered by Art. 95 GDPR, which leaves (national) laws like the TMG unaffected if they constitute an implementation of the ePrivacy Directive. With regard to Section 15(3) the DSK also rejects an interpretation in line of the GDPR. Finally, the DSK points out that the ePrivacy-Directive is not directly applicable. Hence, according to the DSK, online tracking must be based on one of the legal bases listed in Article 6 GDPR (or Article 9 for sensitive data) and if consent is sought, this it must comply with the requirements for consent under Article 4(11) GDPR.
The DSK then sets out the various legal bases in Art. 6(1) GDPR that a website operator may rely on for processing personal data collected via website cookies. According to the DSK, in most use cases online tracking requires the user’s prior consent in the form of an opt-in solution whereby the user must actively demonstrate consent (typically by ticking a checkbox on a cookie banner). When the collection of sensitive data is involved, consent shall always be required.
With regards to consent, the DSK clarified that if personal data collected from the user is combined and evaluated by the website operator across websites, the user must be informed in advance of all processing activities and of all recipients of the data. Furthermore, the user must be given the opportunity to give his/her specific consent to the various forms of data processing. In cases where multiple data controllers wish to rely on the same consent (either as joint controllers or because of a transfer between co-controllers), all controllers must be named and their different processing activities must be sufficiently described. In these cases, all data controllers must check whether there is effective consent for their processing activities and whether this can be proven by them. With reference to Recital 32 GDPR the DSK points out that an opt-out procedure does not comply with the consent requirements of the GDPR.
Notably, the DSK also said that it must be possible to view a website without consenting to non-essential cookies – this appears to be a prohibition on the use of cookie walls. Obtaining consent through an “OK” button is also not GDPR compliant in the eyes of the DSK if users are not given an opportunity to refuse the cookies.
The guidance sets out a three-step balancing process that website operators should carry out if they intend to rely on legitimate interest as their legal basis for using cookies. Here, the DSK describes what it considers to be acceptable and unacceptable examples of (overriding) legitimate interests. For the DSK, it would be acceptable for a website operator to collect information about (i) the number of website visitors over a specific period of time, (ii) the devices they used to access the website, and (iii) their language preferences, in furtherance of the website operator’s legitimate interest to maximize the website’s reach. However, it would not be acceptable for the website operator to use an analysis tool for this purpose that passes on the browsing behaviors of website visitors to third parties (e.g., social networks or other services which merge usage data with data from other sources). According to the DSK, a user does not reasonably expect that user history is shared with third parties or that web browsing behavior (e.g., the manner in which one touches a screen or types on the keyboard) is recorded. The DSK recommends alternatives such as collecting less data and/or utilizing an in-house software solution for certain website analytics purposes.
The DSK expressly highlights that this guidance is subject to the interpretation of the European Data Protection Board and any changes that may result from the finalization of the long-awaited ePrivacy Regulation.
[1] Directive 2002/58/EG as amended by the Directive 2009/136/EG.