An extract from The Technology, Media and Telecommunications Review, 12th Edition

Telecommunications and internet access

i internet and internet protocol regulation

All IP-based services are regulated under the TMG and, as regards data protection (as of 1 December 2021), under the TTDSG. Commercial rules for telemedia are covered in the TMG, while aspects relating to (journalistic) content are regulated in the MStV and the JMStV. Telemedia services are permission-free and generally do not need to be registered.30

Telecommunications services and telemedia services are mutually exclusive; therefore, telecommunications are excluded from the scope of the TMG. In practice, the distinction is often difficult to make. When granting access to the internet, a distinction must be made according to the services and functions offered by the provider. If the provider restricts itself to the exclusive data transmission of third-party content from the internet to the user and does not prepare any content, this constitutes a telecommunications service and thus not a telemedium.

ii Universal service

Broadband availability continues to increase steadily throughout Germany.31 At the end of 2020, about 94.5 per cent of households were connected with broadband connections of at least 50Mbit/s. Over 59 per cent of households have gigabit (1,000Mbit/s) connections (2019: 43.2 per cent). Bandwidths of at least 200Mbit/s are available for about 78.5 per cent of households. While the increasing use of super-vectoring technology has contributed to increased availability in the bandwidth classes up to 200Mbit/s (available to 52 per cent of all households), the expansion of cable TV networks (CATV) based on the new DOCSIS 3.1 technology and the expansion of fibre to the building/fibre to the home (FTTB/H) fibre optic networks are driving growth in the higher bandwidth classes: CATV with 1.000MBit/s is available in 53.3 per cent and FTTB/H in 14.5 per cent of all households. However, Long Term Evolution (LTE) coverage can still be improved in Germany. In each federal state, 4G coverage had to be at least 97 per cent. According to an evaluation by the BNetzA from April 2021, LTE coverage is at 96 per cent.32 However, there is a 7.19 per cent quota of gray spots in which only one (of three) mobile network operators provides LTE coverage.

The federal government intends to give a further boost to the development of the broadband network by, for example, capitalising on synergies in the construction of infrastructure, using the digital dividend33 and formulating regulations that foster investments. Moreover, the federal government encourages projects to pursue industry solutions. For example, small and medium-sized telecommunications companies can borrow funds on privileged terms and with adequate risk pricing through the corporate financing programme of Germany's state-owned development bank.34

In any event, the existing federal and state loan guarantee scheme is generally available to companies in the telecommunications sector to prevent economically desirable broadband projects from failing as a result of the lack of suitable financing.

Since 2015, the government has been providing massive funding for the expansion of broadband connections in underserved areas. While the broadband guideline was aimed at reducing white spots,35 the introduction of the gigabit guideline of 2021 is aimed at improving coverage of grey spots.36 The aim of the expansion is to build networks that enable bandwidths of at least 1 gigabit/s symmetrically. The federal government is providing a total of around €12 billion to promote fibre-optic connections. The federal states are also contributing to the costs of gigabit expansion.

The revised TKG is expected to make a further contribution to broadband expansion. In particular, Section 156 TKG et seq. implement a right to fast internet access based on criteria defined by the BNetzA. In addition, certain sanctions will be laid down in the event that a network operator fails to deliver the guaranteed transmission rates.37

iii Restrictions on the provision of service

An amendment of the TKG in 2012 initially introduced the concept of net neutrality. The federal government was authorised to draft a regulation that sets out, inter alia, the requirements for non-discriminatory data transmissions.38 However, with the entry into force of the European Net Neutrality Regulation,39 a national regulation was no longer pursued and the TKG provision was repealed. Article 3 of the Net Neutrality Regulation provides, inter alia, that providers of internet access shall treat all traffic equally, but permits reasonable traffic management measures provided these are transparent, non-discriminatory and proportionate, and are not founded on commercial considerations. The Body of European Regulators for Electronic Communications published guidelines for the implementation of the obligations of national regulatory authorities.

An example of controversial restrictions on network provisioning is the reduction of the internet speed on mobile phone plans. In Germany, mobile phone plans usually only offer a few gigabytes40 of traffic with full speed. Having exceeded this data amount, the internet speed will be reduced to 32 or 64kbit/s. For some years, mobile network carriers offered 'passes', which exclude certain music streaming services or social media services from this amount of data.41 In 2018, the BNetzA prohibited certain conditions of a zero-rating mobile tariff option, which has been challenged by the provider. The Administrative Court of Cologne as well as the Düsseldorf Higher Regional Court referred questions to the European Court of Justice (CJEU), which have not been answered yet.42 In another case regarding the reduction of internet speed by a provider, the Administrative Court of Cologne also referred a question to the CJEU concerning the conformity with Article 3 of the Roaming Directive.43 In a recent ruling, the CJEU states:

the requirements to protect internet users' rights and to treat traffic in a non-discriminatory manner preclude an internet access provider from favouring certain applications and services by means of packages enabling those applications and services to benefit from a “zero tariff” and making the use of the other applications and services subject to measures blocking or slowing down traffic.44

Finally, the Act against Unfair Competition (UWG) provides restrictive provisions regarding unsolicited calls, emails and text messages.45 Making first contact with consumers by such measures requires, as a general principle, the explicit approval of the consumers.46

iv Privacy and data security Privacy

The protection of personal data in the ICT area is governed by the EU General Data Protection Regulation (GDPR), the Federal Data Protection Act (BDSG) as well as sector-specific telecommunications and telemedia laws (now the TTDSG). The regulation is supervised by the BfDI, data protection authorities on the federal state level, and partly the BNetzA.

The GDPR is a uniform framework laying down principles for legitimate data processing in the EU and the EEA. Compared to the predecessor Data Protection Directive (95/46/EC), the GDPR entails significantly stricter requirements for data protection. The GDPR introduced substantial sanctions for non-compliance and, depending on the nature of the infringed provision, may consist of civil liabilities, criminal sanctions or administrative fines. Administrative fines can amount to €20 million or up to 4 per cent of the total worldwide annual revenue, whichever is higher, for each violation. With the enactment of the GDPR further strengthening individual rights and meeting the challenges of globalisation and new technologies, the BDSG was also heavily amended and revised with effect from 25 May 2018.

In addition, both the TKG and the TMG provide sector-specific privacy rules that will apply until the end of November 2021. With effect from December 2021, the sector-specific rules will be consolidated in the TTDSG. Among other things, this new act contains rules about telecommunication secrecy, traffic and location data as well as youth protection. Infringements can be sanctioned with administrative fines of up to €300,000 or even imprisonment up to two years.

Data security

Data security is governed by the Law on the Federal Office for Information Security (BSIG), and sector-specific regulations in the TKG, TMG, TTDSG and, on the EU level, GDPR. An amendment of the BSIG was made in 2015, aiming at an improvement in the IT security of critical infrastructure,47 including ICT infrastructure. Parts of the BSIG govern the position of the Federal Office for Information Security (BSI) while other sections impose obligations on private entities maintaining critical infrastructure or providing digital services (e.g., cloud computing).

The BSI is a superior federal authority with wide-ranging tasks of threat prevention in IT systems. The BSI tasks include developing criteria, procedures and tools to test and evaluate the security of information technology systems. Therefore, the BSI is the central reporting office for disruptions and attacks on IT systems.

The BSIG especially imposes obligations on private enterprises to safeguard IT security, such as the duty to report disturbances in IT systems to the BSI. Private enterprises that are subject to these obligations are, in particular, operators of critical infrastructure, like the telecommunication sectors. Within two years of the BSIG coming into force, the operators had to upgrade their IT systems to make them state of the art, and from then on must prove their compliance once every two years through security audits or certificates.48

Operators of telecommunication services have the duty to inform their customers of any IT security risk, and to provide information on solutions for these problems.49 Telemedia services operators must ensure that their users are protected from attacks on IT security through state-of-the-art technical and organisational means.50

The European Commission has adopted several measures to prepare Europe against cyber incidents. In particular, the Directive on Security of Network and Information Systems (NIS Directive) was the first EU-wide legislation on cybersecurity.51 It includes measures to ensure a high common level of network and information security across the EU. The NIS Directive was implemented into German law (BSIG) on 29 June 2017.52

On 28 May 2021, the new IT-SiG 2.0 came into force. It includes adjustments to the protection mechanisms and defence strategies in the area of IT security, mainly through amendments to the BSIG.53 Mainly, the position of the BSI is strengthened by declaring it the independent and neutral advisory body for consumers on IT security issues as well as the National Cybersecurity Certification Authority.54 The revised BSIG also implemented the obligation for operators of critical infrastructures to use systems for detecting attacks from 1 May 2023. Infringement can now be fined up to an amount of €2 million.

The BNetzA has published a revised catalogue of security requirements for the operation of telecommunications and data processing systems and for the processing of personal data (Version 2.0). According to the new TKG, telecommunications companies have to comply with the new requirement one year after its enactment.

Data retention for the purpose of inner security

Since the BVerfG rendered data retention of traffic data as intended under the TKG of 2007 to be unlawful,55 the question of whether and to what extent data retention is in line with national and European law has been discussed widely. The CJEU decided similarly that European Directive 2006/24/EC setting out the framework for data retention is invalid.56 After two drafts of a German data retention act in 2011 and 2013 were not adopted, a new law came into force on 18 December 2016.57 However, further legal proceedings prevented the retention of traffic data. In proceedings for interim relief before the Higher Administrative Court of Münster, a telecommunications service provider obtained a temporary exemption from the retention obligation.58 In response to this decision of 22 June 2017, the BNetzA declared that until final clarification in the main proceedings, telecommunications providers who do not comply with the retention obligation as of 1 July 2017 will not be held responsible under supervisory law. In its ruling of 20 April 2018, the Cologne Administrative Court followed the Higher Administrative Court. The Court found that the plaintiff – a telecommunications service provider – is not obliged to retain the telecommunications connection data of its customers in the context of data retention because the statutory provisions are not compatible with EU law. On 25 September 2019, the Federal Administrative Court (BVerwG) decided to refer the final interpretation of the Data Protection Directive for Electronic Communications (Directive 2002/58/EC) to the CJEU.59 Pending final clarification in Luxembourg, data retention in Germany remains suspended. In addition, several constitutional complaints against the 2015 law are currently pending before the BVerfG in Germany.

In another case, the CJEU confirmed that European data protection law precludes legislation that provides for the general and undifferentiated retention of traffic and location data as a preventive measure for the purposes specified in Article 15 Directive 2002/58/EC. In addition, however, the CJEU also stated that data retention legislation may not conflict with European data protection law when it is a matter of protecting national security, combating serious crime or preventing serious threats to public security.60

Enforcement of law in social networks

With effect from 1 January 2018, the Network Enforcement Act (NetzDG) was implemented to secure and improve the enforceability of penalties against unlawful contact on significant social media platforms. Social network providers are obliged to combat fake news and hate speech by blocking, and to remove unlawful content. Furthermore, it is required that a transparent, accessible and effective procedure for users to report unlawful content has to be established under which social network providers have to report biannually.61

The NetzDG has been the subject of considerable criticism from the outset. In 2021, it was supplemented and reformed in parts after being evaluated in 202062 – as was already planned when the law was enacted. One new element, for example, is the obligation for providers of the major social networks to report criminal acts to the Federal Criminal Police Office, which will come into force on 1 February 2022. This obligation is highly controversial and has already led to elaborations by the Scientific Service of the Bundestag63 and to court proceedings.64 Other noteworthy changes include a regulated appeal procedure against decisions by online platform operators and the implementation of the content-related requirements65 of the (revised66) AMS Directive 2010/13/EU.

Protection of children

Youth protection provisions applicable to the media can primarily be found in the Law for the Protection of the Youth (JuSchG) and the JMStV.

The Federal Agency for the Protection of Children and Young People in the Media (BzKJ) is the authority responsible for protecting children and adolescents from media67 that might contain harmful or dangerous content under the JuSchG. The BzKJ can act only at the request of other administrative institutions. Once an official request has been filed, the BzKJ is obliged to process the complaint. Possible measures in the event of a violation are a prohibition on publication, blocking the provider and fines of up to €5 million.

In 2021 the JuSchG was reformed in particular to respond to new dangers for young people in telemedia. Until now, corresponding obligations mainly affected providers of carrier media. With the new JuSchG, dangers within online games (via chat function or paid additional services) are now meant to be responded to as well (e.g. Section 10b(3) JuSchG). Furthermore, providers of platforms for films and video games must ensure that all content distributed via their digital distribution platform has undergone an official age rating procedure (Section 14a JuSchG).

The JMStV forms the legal basis for assessing content distributed in broadcast or media services. The compliance of broadcast and media services with the JMStV is controlled by the Commission for the Protection of Minors in the Media (KJM). The JMStV distinguishes between illegal content and content that impairs the development of minors: illegal content must not be distributed via broadcasting or media services. Content that is rated as impairing the development of minors (e.g., a severe depiction of violence) is subject to access restrictions. In the event of a breach of the provisions of the JMStV, the KJM decides on the sanctions to be imposed against the respective media content provider.68