
The Status of Implementation of the e-Privacy Directive in Germany

In Germany, whether and how Art. 5 (3) of the e-Privacy Directive is to be ratified is still highly debated.

April 2012

Up until now, the German government has been of the opinion that a change to the existing law is not necessary. Rather, it found that current law, which provides for an opt-in only where data of an identifiable individual is concerned, would sufficiently reflect the rules required under Art. 5 (3) of the e-Privacy Directive. In November 2010, the German data protection authorities issued a joint statement confirming that they found a change in the law inevitable, as the Directive’s wording would now require an opt-in in any case. Pressure on the German government increased once the Bundesrat (Upper House of Parliament) in June 2011, as well as the opposition in February 2012, proposed a draft law changing the current wording to opt-in language. The German government did not officially deliver an opinion on these drafts (both proposed the same text). However, it explained that further developments on a European level as well as concepts for self-regulation should be awaited. In the meantime, various drafts of the German government’s own draft law were discussed internally, but so far have not been published. Still, it is very likely that sooner or later the government will provide a draft despite its “no change necessary” view. It remains to be seen whether this would still permit an opt-out approach or require prior, explicit opt-in as is suggested in so many other Member States.

Current legal situation on cookies

The Telemedia Act (Telemediengesetz) states that users shall be informed where service providers use methods that can potentially identify the user ex post. Therefore, today it is considered best practice for website owners to inform users about the use of cookies in their privacy policies. In addition, the law provides that users shall be offered a right to refuse the use of their user data for generating user profiles based on pseudonyms for marketing purposes. It is this “user profile exemption” that is largely used for targeting and online behavioural advertising. In the past, the major issue discussed in this context was whether this would still apply where the IP address was collected, e.g. for geo-locating purposes. In 2009, the German data protection authorities issued a joint statement according to which the IP address would not qualify as a pseudonym and hence any user analysis that would use the full IP address would require prior consent. As a consequence, some targeting and online behavioural services changed their service offering in a way that would ensure that the last octet of the IP address is deleted before any analysis of the user’s behaviour. Google, too, in negotiation with the data protection authority in Hamburg, issued in 2011 a Google Analytics version that would ensure that the last octet of any user IP address, upon request of the website owner, was deleted before any storage.

What is to come?

The issue is that the e-Privacy Directive already requires consent once “information” is stored in the terminal equipment of the user. Most likely this does not require that the information stored is “personal data”, i.e. information that can be traced back to an individual. In this respect, the e-Privacy Directive seems to be stricter than current German law. However, recital 66 of the ePrivacy Directive distinguishes between legitimate use of cookies and unwanted intrusion into the privacy sphere (such as spyware or viruses). It then speaks of a “right to refuse” and states that user consent may be expressed by browser settings. From Alexander Alvaro, member of the EU Parliament and Rapporteur for the e-Privacy Directive, we also know that parliament intentionally did not adopt language that would require “prior” or “explicit” consent. Rather, the right to refuse was considered as a means to express consent, in particular in the case of “normal” cookies that can be deleted after each browser session. We would therefore find that the German government is right that the current legal situation already reflects this opt-out mechanism for “normal” cookies because transparent information on cookies is already a requirement today. In other cases where a cookie collects information that can be traced back to an identifiable natural person, e.g. because the website owner combines cookie information with log-in information on the user, explicit consent might be required. Also, it is possible that additional rules for spyware and malware may be necessary. However, here an amendment of the criminal code seems more logical than additional consent requirements.


e-Privacy Directive in Germany
Sibylle Gierschmann

Any new law on "consent" for cookies should reflect that opt-out can suffice, in particular, in the case of "normal" cookies that can be declined by changed browser settings
