On 5 April 2019, the Conference of the Data Protection Authorities in Germany (DSK) published new Guidelines for Telemedia Providers (Guidelines). An English translation of the Guidelines can be found here. The Guidelines supplement the DSK position paper on the applicability of the TMG for non-public entities, which was published on 26 April 2018. The core statement of the position paper was the requirement of consent within the meaning of Article 6(1)(a) of the General Data Protection Regulation (GDPR) if web analytics tools are used to track the behaviour of data subjects on the internet.
The DSK took the controversial view that the provisions of the TMG are not applicable in this context. The TMG regulates the activity of internet service providers and contains special data protection provisions. These provisions, for example, allow under certain conditions and on the basis of a right to refuse (opt-out) the creation of user profiles for the purpose of website personalisation or advertising.
It is generally assumed that the data protection provisions of the TMG qualify as the implementation of the ePrivacy Directive. The ePrivacy Directive is set to be replaced by the ePrivacy Regulation (still in negotiation) that is supposed to support and complement the GDPR. Article 95 of the GDPR stipulates that no additional obligations are to result from it within the scope of the ePrivacy Directive. It is therefore widely assumed that the provisions of the TMG – as the implementation of the ePrivacy Directive – continue to apply.
In its recently published Guidelines, however, the DSK maintains its position that the provisions of the GDPR take precedence over the TMG. With the GDPR in force, the sections 11 et seq. TMG – often quoted as legal basis for the use of web analytics tools (tracking) – are no longer applicable. "Tracking" is defined by the DSK as "(...) any data processing for the purpose of tracing the individual behaviour of users, usually across websites (...)". This requires one of the legal grounds for processing under Article 6(1) GDPR.
For so-called telemedia providers, "consent", "the performance of the contract" and the "legitimate interests" in particular can be considered as grounds for permission. With regard to "performance of contract", the DSK refers to a still outstanding statement by the European Data Protection Board (EDPB). The EDPB is currently discussing a draft guideline on the processing of personal data in the context of the provision of online services, dated 12 April 2019. which is open to consultaiton until 24 May 2019.
With regard to the other legal grounds for processing, the DSK makes the following key statements:
Data protection authorities are of the opinion that legitimate interests may justify the processing of personal data. However, a diligent assessment must be carried out.
The DSK expressly states that the Guidelines' validity is subject to a divergent interpretation of the relevant provisions by the EDPB, as well as to any legislative change resulting from the entry into force of the ePrivacy Regulation.
The supervisory authorities’ view on the inapplicability of the TMG is highly questionable. The Guidelines deals with this topic in great detail. Both a harmonious interpretation of the TMG provisions relevant to the use of web analytics tools, and the direct effect of the ePrivacy Directive are discussed and subsequently rejected.
The Guidelines therefore arrive at the general applicability of the provisions of the GDPR. However, by deciding on the inapplicability of valid legal provisions, the supervisory authorities, as part of the executive, exceed their competencies.
The detailed requirements set out in the Guidelines with regard to cookie banners and consent tools appear somewhat unwise. The supervisory authorities are making recommendations to and requirements of German internet service providers that could lead to inconsistent practices across the EU and a fragmented legal situation.
This contradicts the concept of EU-wide harmonisation, which the European legislator is aiming at with the GDPR and the ePrivacy Regulation. It would have been highly preferable to leave the formulation of requirements on the use of cookie banners etc. to a coordinated position statement of all European supervisory authorities, eg on the EDPB-level.
Finally, the DSK’s statements on the balancing of interests are sometimes unclear. For example, the supervisory authorities assume that the pseudonymisation of data or the fulfilment of information obligations do not play any role in the context of the balancing of interests between the data controller and the data subject.
Such sweeping statements create further legal uncertainty. Elsewhere, the Guidelines state that additional protective measures may count in favour of the controller – unfortunately, the statement does not go into detail in that regard, although more specific recommendations would have been helpful to the providers of internet services.
Overall, German data protection supervisory authorities and consumer associations hold a very restrictive view on the lawfulness of the business practices of the online advertising industry. This is demonstrated not least by their numerous statements and proceedings against Facebook.
In another statement dated 1 April 2019, the supervisory authorities give their view on Facebook fan pages: The agreement published by Facebook in response to a CJEU ruling (so-called "Page Insights Controller Addendum") does not meet the requirements of a joint controller agreement pursuant to Article 26 GDPR; Facebook, the DSK demands, should amend it.
Debbie Heywood looks at the issues attracting regulator attention and enforcement in the EU Adtech ecosystem.
1 of 5 Insights
Chris Jeffery suggests practical ways to achieve data privacy compliance in the Adtech ecosystem.
2 of 5 Insights
Chris Jeffery and Debbie Heywood look at the main compliance challenges for Adtech under the GDPR.
3 of 5 Insights
Chris Jeffery looks at the Dutch regulator's view on cookie walls to gather consent to tracking cookies.
4 of 5 Insights