Germans are famous for their baking tradition and known for their punctuality. That is why it could be regarded as surprising that the 2009 EU e-privacy directive (also known as the cookie directive) was never implemented into German national law even though the deadline for such implementation expired in May 2011.

EU “Cookie Directive”

One of the core scopes of the EU e-privacy directive (2002/58/EC amended by 2009/136/EC) was the regulation of national consent requirements for cookies installed through commercial websites.

Article 5.3 of the e-privacy directive therefore requested that the EU member states implement into national law a requirement for informed consent before cookies are stored on a user’s device or before information stored in the user’s computer is accessed.

An exemption to the informed consent requirement shall apply only if the cookie is:

  • used “for the sole purpose of carrying out the transmission of a communication over an electronic communications network” (Criterion A); or
  • “strictly necessary in order for the provider of an information society service explicitly requested by the user to provide the service” (Criterion B).

A detailed analysis of the exemption requirements with practical examples was provided by the EU Commission’s Data Protection Working Party and can be accessed here.

Where the directive is fairly precise as to when informed consent is required for cookies it is not precise at all when it comes to determining what form of informed consent (e.g. opt-in, opt-out, implied consent) is expected to be given.

Resulting from this uncertainty, there are different legal approaches throughout the EU as all member states interpret the EU regulation in their own way. Where some states require an opt-in others accept an opt-out and even others provide no precise terms at all. There is, however, a tendency towards an opt-in / implied consent regime.

This patch-work reality brings businesses wanting to establish or to ensure an EU wide compliant online strategy in a very uncertain position and this applies in particular to Germany.

Developments in Germany

After several failed attempts to draft implementing legislation for Germany, the German legislator has now taken the controversial view that there is actually no need to implement the e-privacy directive because the existing German law already complies with the EU requirements.

The current German law regulation for the usage of cookies is mainly the Telemedia Act (“Telemediengesetz- TMG”), which generally follows an opt-in strategy but also accepts opt-out structures for cookies, e.g. used for certain profile marketing purposes. Explicit opt-in is only required when the cookie is used in connection with personal data identifying an individual user.

The German government therefore interprets the EU e-privacy directive in a way that allows for opt-out consent rather than requesting explicit opt-in consent or forms of implied consent for all cookies. This is a controversial approach especially because the independent German data protection authorities have jointly stated that they see a general strict opt-in requirement for cookies set out by the EU e-privacy directive.

Also, the current German law seems to mirror the EU directive established prior to the implementation of the amended e-privacy directive in 2009, which then for cookies in general required only the notification about the usage of cookies and the right to object to such usage, but did not yet determine a general informed consent requirement.

The purely legal question whether or not the current German law is compliant with the EU eprivacy directive is highly discussed in Germany with good arguments on both sides. Where the EU directive expands its cookie regulation to information not necessarily identifying an individual, Germany’s approach is more restrictive and focuses on the protection of personal data, i.e. information that leads to an identifiable individual.

Best practice for businesses

Given the various different interpretation forms of consent that have been established in the EU member states based on the e-privacy directive, there is no one size fits all solution for all jurisdictions.

Instead, companies operating EU wide are forced to either follow the national route in each concerned jurisdiction or find a common strategy taking into account the different levels of consent requirements by accepting to possibly lose the benefit of more liberal national approaches like Germany or risk lack of compliance in very strict jurisdictions.