New guidance from the Data Protection Conference (DSK) and upcoming ECJ decision on cookies.
So far, in the German practice, consent has frequently not been obtained with reference to Section 15 (3) of the German Telemedia Act (TMG) and an opt-out solution has been practiced. Alternatively, so-called cookie consent banners are frequently used, which attempt to derive consent from the fact that the person concerned does not actively object.
Dispute before the European Court of Justice
The opinion of the Advocate General is of particular importance since the ECJ - at least so far - generally follows the Opinion of the Advocate General. The consequence of such a decision would be that in any new dispute on the cookie issue the national courts would have to take into account the case law of the ECJ.
Guideline of theGerman Data Protection Conference (DSK)
Against this background, the guideline for providers of telemedia services (in German only) published on 5 April 2019 by the Data Protection Conference (DSK), in which the Conference of the Federal and State Data Protection Supervisory Authorities express their views on the question of consent for cookies, among other things, is particularly relevant. Also from the point of view of the DSK, an opt-out procedure for consent against the background of recital 32 GDPR is not sufficient. The Supervisory Authorities even expressly demand that when the website is opened in the cookie banner, all processing operations requiring consent must be explained and activated via a selection menu, stating the actors involved and their functions. In addition, they make it clear that the selection options must not be “activated” by default. While the banner is displayed, all further scripts of a website or web app that potentially collect user data should be blocked by technical measures. Only with active consent may data processing actually begin.
In its paper, the DSK also commented on and rejected the question of the applicability of the data protection provisions of the TMG since the GDPR came into force. In principle, these provisions could only apply alongside the GDPR if they were transpositions of the ePrivacy Directive (2002/58/EC). DSK does not see the prerequisites for this as given.
In its guideline, DSK makes extensive execution a legitimate interest pursuant to Art. 6 (1) lit. f) GDPR. The Supervisory Authorities do acknowledge that there may be a legitimate interest, for example, in a range measurement or in statistical analyses. In the context of weighing up the rights of the data subjects, however, they attach great importance to the latter. As criteria for weighing interests, the Supervisory Authorities take into account, among other things, reasonable expectations of the persons concerned and transparency, possibilities of intervention by the person concerned, concatenation of data, actors involved, duration of observation, group of persons concerned, data categories and extent of data processing, and emphasise that the respective recitals of the GDPR should be used in this respect.
As a concrete example of range measurement, it is cited that the weighing of interests in favour of the website operator responsible would fail if only statistical data were used for the measurement and no extensive profiling and transfer of data to third parties took place, as this would then be foreseeable for the user. As regards the weighing of interests when using tracking pixels of social networks, DSK explains in detail that the rights of the data subjects outweigh the interests of the website operators, since the average user of social networks is not aware of the profile formation by the operators through the integration of “invisible” pixels, has no possibility to object and usage data is stored over a longer period of time for profile formation.
In our opinion, the views of the Advocate General and the DSK are extremely strict and the implementation of all requirements for the design of the telemedia services is often impractical. However, the implementation brings more clarity to the long-standing discussion, especially with regard to the relationship between the GDPR and the TMG. It is therefore very important for website operators and other providers of telemedia to consider the views of the supervisory authorities and take these into account when designing the website / web app.