On 5 April 2019, the Conference of the Data Protection Authorities in Germany (DSK) published new Guidelines for Telemedia Providers (Guidelines). An English translation of the Guidelines can be found here. The Guidelines supplement the DSK position paper on the applicability of the TMG (Telemediengesetz, the German Telemedia Act) to non-public entities, which was published on 26 April 2018. The core statement of the position paper was that consent within the meaning of Article 6(1)(a) of the General Data Protection Regulation (GDPR) is required if web analytics tools are used to track the behaviour of data subjects on the internet.
The DSK took the controversial view that the provisions of the TMG are not applicable in this context. The TMG regulates the activity of internet service providers and contains special data protection provisions. These provisions, for example, allow under certain conditions and on the basis of a right to refuse (opt-out) the creation of user profiles for the purpose of website personalisation or advertising.
It is generally assumed that the data protection provisions of the TMG qualify as the implementation of the ePrivacy Directive. The ePrivacy Directive is set to be replaced by the ePrivacy Regulation (still in negotiation) that is supposed to support and complement the GDPR. Article 95 of the GDPR stipulates that no additional obligations are to result from it within the scope of the ePrivacy Directive. It is therefore widely assumed that the provisions of the TMG – as the implementation of the ePrivacy Directive – continue to apply.
In its recently published Guidelines, however, the DSK maintains its position that the provisions of the GDPR take precedence over the TMG. With the GDPR in force, sections 11 et seq. of the TMG – often quoted as the legal basis for the use of web analytics tools (tracking) – are no longer applicable. "Tracking" is defined by the DSK as "(...) any data processing for the purpose of tracing the individual behaviour of users, usually across websites (...)". Such processing requires one of the legal grounds under Article 6(1) GDPR.
For so-called telemedia providers, "consent", "performance of a contract" and "legitimate interests" in particular come into consideration as legal grounds. With regard to "performance of a contract", the DSK refers to a still outstanding statement by the European Data Protection Board (EDPB). The EDPB is currently discussing a draft guideline on the processing of personal data in the context of the provision of online services, dated 12 April 2019, which is open for consultation until 24 May 2019.
With regard to the other legal grounds for processing, the DSK makes the following key statements:
- If the data subject is not informed in advance of all forms of processing and of all recipients in a detailed, transparent and comprehensible manner, and if he/she cannot consent separately to individual forms of data processing, the consent shall be invalid.
- Silence, pre-ticked boxes or inactivity on the part of the data subject do not qualify as consent.
- Cookie banners in the form of an HTML element can be used to obtain consent; however, any collection of user data must be blocked while the banner is displayed. An "Okay" button alone is not sufficient; the user must have the option to reject cookies and to select individual cookies.
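As an added illustration (not code from the DSK Guidelines or from any real consent-management product), the following JavaScript sketches how a site's own script logic can enforce these three points: tracker calls are held back while no decision has been recorded, every category must be answered explicitly rather than defaulting to "yes", and a one-call reject sits alongside accept. The category names, the tracker stubs and the page-load simulation are assumptions for illustration; wiring the methods to actual banner buttons is left out.

```javascript
// Added example, not part of the DSK Guidelines or any real consent tool.
// Category names and tracker stubs are assumptions for illustration.

// Every non-essential purpose gets its own switch; nothing is pre-ticked.
const CATEGORIES = ['analytics', 'advertising'];

class ConsentGate {
  constructor() {
    this.decision = null;  // null while the banner is open: nothing may fire
    this.deferred = [];    // tracker calls held back until a decision exists
    this.fired = [];       // categories that actually ran (inspectable later)
  }

  // Trackers call this instead of running directly. While the banner is
  // still open the call is queued, not executed, so no user data leaves
  // the page before the visitor has decided.
  track(category, fn) {
    if (!CATEGORIES.includes(category)) {
      throw new Error(`unknown category: ${category}`);
    }
    if (this.decision === null) {
      this.deferred.push({ category, fn });
      return 'deferred';
    }
    if (this.decision[category] === true) {
      fn();
      this.fired.push(category);
      return 'fired';
    }
    return 'dropped';
  }

  // Records the visitor's choice. Every category must be answered with an
  // explicit boolean; a missing key is an error, never an implicit "yes",
  // which is how "silence or inactivity is not consent" is enforced in code.
  decide(choices) {
    const decision = {};
    for (const c of CATEGORIES) {
      if (typeof choices[c] !== 'boolean') {
        throw new Error(`no explicit choice recorded for "${c}"`);
      }
      decision[c] = choices[c];
    }
    this.decision = decision;
    // Replay the queue: accepted categories run, rejected ones are discarded.
    const queue = this.deferred;
    this.deferred = [];
    for (const { category, fn } of queue) {
      if (decision[category]) {
        fn();
        this.fired.push(category);
      }
    }
    return decision;
  }

  // "Reject" must be as easy to reach as "Accept", so both are one call.
  rejectAll() {
    return this.decide(Object.fromEntries(CATEGORIES.map((c) => [c, false])));
  }

  acceptAll() {
    return this.decide(Object.fromEntries(CATEGORIES.map((c) => [c, true])));
  }
}

// Simulates one page load (constructed scenario): two trackers try to fire
// before the visitor has acted, then the visitor makes the given choice.
// Returns what each early call did and which hits were actually sent.
function simulatePageLoad(choices) {
  const gate = new ConsentGate();
  const sent = [];
  const early = [
    gate.track('analytics', () => sent.push('analytics hit')),
    gate.track('advertising', () => sent.push('ad pixel')),
  ];
  const decision = gate.decide(choices);
  return { early, decision, sent };
}

// simulatePageLoad({ analytics: true, advertising: false })
//   -> early: ['deferred', 'deferred'], sent: ['analytics hit']
```

The important property is that `track` never runs a callback while `decision` is `null`: a script tag that calls `gate.track(...)` at load time does nothing observable until the visitor has acted, and a rejected category is discarded rather than merely hidden.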
Data protection authorities are of the opinion that legitimate interests may justify the processing of personal data. However, a diligent assessment must be carried out.
- The legitimate interests of the controller or a third party may, for example, lie in processing personal data to provide a user-friendly online experience. This also includes so-called audience measurement.
- To assess the necessity of a specific processing operation, one must consider whether there is an equally effective, less intrusive alternative to achieve the legitimate interest identified in the first step. According to the DSK, the necessity of processing is questionable if it involves passing on personal data to third parties or if usage data is merged across several websites.
- Finally, the interests of the data subject and the controller are to be weighed against each other on a case-by-case basis. The interest of the controller prevails if it serves not only the controller but also the general public (eg research activities). However, when balancing the interests, existing obligations under the GDPR, such as to comprehensibly inform data subjects and pseudonymise their data, do not count in favour of the controller.
The DSK expressly states that the Guidelines' validity is subject to a divergent interpretation of the relevant provisions by the EDPB, as well as to any legislative change resulting from the entry into force of the ePrivacy Regulation.
The supervisory authorities' view on the inapplicability of the TMG is highly questionable. The Guidelines deal with this topic in great detail: both a harmonious interpretation of the TMG provisions relevant to the use of web analytics tools and the direct effect of the ePrivacy Directive are discussed and subsequently rejected.
The Guidelines therefore arrive at the general applicability of the provisions of the GDPR. However, by deciding on the inapplicability of valid legal provisions, the supervisory authorities, as part of the executive, exceed their competencies.
The detailed requirements set out in the Guidelines with regard to cookie banners and consent tools appear somewhat unwise. The supervisory authorities are making recommendations to and requirements of German internet service providers that could lead to inconsistent practices across the EU and a fragmented legal situation.
This contradicts the concept of EU-wide harmonisation, which the European legislator is aiming at with the GDPR and the ePrivacy Regulation. It would have been highly preferable to leave the formulation of requirements on the use of cookie banners etc. to a coordinated position statement of all European supervisory authorities, eg on the EDPB-level.
Finally, the DSK’s statements on the balancing of interests are sometimes unclear. For example, the supervisory authorities assume that the pseudonymisation of data or the fulfilment of information obligations do not play any role in the context of the balancing of interests between the data controller and the data subject.
Such sweeping statements create further legal uncertainty. Elsewhere, the Guidelines state that additional protective measures may count in favour of the controller – unfortunately, the statement does not go into detail in that regard, although more specific recommendations would have been helpful to the providers of internet services.
Overall, German data protection supervisory authorities and consumer associations hold a very restrictive view on the lawfulness of the business practices of the online advertising industry. This is demonstrated not least by their numerous statements and proceedings against Facebook.
In another statement dated 1 April 2019, the supervisory authorities give their view on Facebook fan pages: The agreement published by Facebook in response to a CJEU ruling (so-called "Page Insights Controller Addendum") does not meet the requirements of a joint controller agreement pursuant to Article 26 GDPR; Facebook, the DSK demands, should amend it.