Authors: Thanos Rammos and Max Harttrumpf
The year has only just begun, but a clear trend in data protection is already emerging for 2022: it is likely to be the year of ePrivacy. So far, the online sector has not been uniformly regulated. The General Data Protection Regulation has left a gap in this respect. The so-called ePrivacy Regulation should close this gap. It has been discussed for a very long time. Now there is a draft, but it has to be finally negotiated. In addition, there have been many judgements and developments on cookies & co. There is still a lot of uncertainty. A new law in Germany does not make it easier.
Supervisory authorities now regularly check cookie banners. Consumer protection organisations are not idle either and seem to be issuing series of warnings to companies because of cookie banners. Whether they are entitled to do so at all must be decided by the European Court of Justice ("ECJ", C-319/20) in 2022. The Federal Court of Justice ("BGH", "App Centre" – I ZR 186/17) has referred this question to it. The ECJ must therefore examine whether consumer protection organisations are authorised to prosecute violations of data protection law or whether the General Data Protection Regulation conclusively regulates supervision by data protection authorities. On 2 December 2021, the Advocate General of the ECJ gave his opinion on this matter. He comes to the conclusion that consumer protectors can become active. If the ECJ follows his lead, there is likely to be an even greater wave of warnings with regard to so-called tracking tools. On 1 December 2021, the new Telecommunications and Telemedia Data Protection Act ("TTDSG") came into force. Among other things, it will oblige website operators to comply with new regulations and give visitors more control over the personal data that operators collect. In any case, it carries new risks of fines. Will it mean the end of cookie banners?
Will the ePrivacy Regulation also be adopted in 2022, so that there could be a clearer line across the EU in the future? A lot of time has passed since the first draft of the ePrivacy Regulation was published in January 2017. Originally, a joint entry into force with the GDPR was planned. While the latter has been in force since May 2018, negotiations on the ePrivacy Regulation have been tough so far. Most recently, there has been progress: The EU Council of Ministers agreed on a version on 10 February 2021. This marked the beginning of the so-called trilogue, the informal negotiation between representatives of the three bodies involved in the EU legislative process: EU Commission, Parliament and Council of Ministers.
The draft ePrivacy Regulation is intended to newly regulate data protection in the online context. The main points:
From a material point of view, the ePrivacy Regulation aims to regulate the processing of electronic communications data arising from the provision and use of electronic communications services. Electronic communications services include internet access services, interpersonal communications services and services that consist wholly or mainly in the transmission of signals. M2M, VoIP and the IoT are therefore also generally subject to the ePrivacy Regulation.
In addition, the ePrivacy Regulation also contains provisions concerning
As a special law, the ePrivacy Regulation takes precedence over the GDPR. Its provisions supplement and clarify the GDPR with more specific regulations.
The ePrivacy Regulation is based on the principle of confidentiality of electronic communications data: any interference (e.g. listening, tapping, storing, monitoring, scanning or other kinds of interception, surveillance and processing) with communications data by a person other than the end user is prohibited, unless one of the exceptions provided for in the ePrivacy Regulation applies (so-called prohibition with reservation of permission).
The central element of permission is likely to be consent. For this, reference is essentially made to the provisions of the GDPR. In addition, general conditions of permission for the processing of electronic communication data are included (Art. 6):
It is remarkable that the current draft does not contain a provision comparable to the GDPR on data processing on the basis of a balancing of interests.
Two provisions that are likely to cause discussion in the trilogue negotiations:
Before the publication of the Council’s draft, the Federal Commissioner for Data Protection and Freedom of Information (BfDI) had already argued to the Federal Ministry for Economic Affairs and Climate Action (BMWi) for the deletion of both regulations. However, the provisions were reinserted into the text of the regulation and adopted by the Council.
The provisions on cookies have been one of the major points of friction so far. It was discussed for a long time what a suitable legal basis, in addition to consent, could look like. The recitals show that so-called cookie walls are also permissible, provided that the user has a real choice, i.e. can choose between different services on the basis of clear, precise and user-friendly information about the purposes of cookies or similar techniques. As alternative services, for example, a paid, cookie-free version of the same provider or a comparable, cookie-free service of another provider can be considered.
Cookie consent can also be given by means of browser settings (e.g. using a configurable positive list for one or more providers). However, according to the current draft, a directly declared consent of the end user shall prevail over a consent by means of software settings.
In addition, so-called first-party cookies, which are necessary for audience measurement, can be used by the provider (or its processor or a joint controller) without requiring the consent of the end users.
The use of electronic communications services for the purpose of direct marketing is generally prohibited unless the end users have given their prior consent. However, an exception applies if the provider has contact data of the end user due to an existing customer relationship and in a GDPR-compliant manner. In this case, the user may be contacted about similar products or services if he or she has been clearly and unambiguously given the opportunity to object to such use free of charge and by simple means. The regulations thus essentially correspond to the idea and the current requirements of German case law on the opt-out regulation in competition law (Section 7 (3) UWG).
In line with the provisions on supervision in the GDPR, Member States shall provide that independent public authorities (fulfilling the requirements of Art. 51-54 GDPR) are responsible for monitoring the application of the ePrivacy Regulation.
However, the monitoring of the provisions on end-user control rights can be transferred to the aforementioned supervisory authorities as well as to other supervisory authorities with corresponding expertise. This contradicts the EDPB’s recommendation that only data protection supervisory authorities should be responsible for enforcing the ePrivacy Regulation.
Contrary to the provisions on supervision in the GDPR, the draft ePrivacy Regulation does not contain a mechanism comparable to the one-stop-shop principle. Companies could therefore be confronted with measures by supervisory authorities of different member states.
In Germany, the TTDSG has been in force since 1 December 2021. Among other things, it contains regulations that serve to harmonise the implementation of the ePrivacy Directive from 2002. With this, the German legislator is catching up on what many had already demanded. As soon as the directly applicable ePrivacy Regulation comes into force, the provisions of the TTDSG will also become obsolete, because it implemented the old ePrivacy Directive. With regard to cookies, for example, the regulation on the "protection of privacy in terminal equipment" (§ 25 TTDSG) would be superseded by the above-mentioned provisions of the ePrivacy Regulation (Art. 8).
The current draft of the ePrivacy Regulation will probably provide a lot of material for discussion in the trilogue negotiations. In particular, the EDPB’s criticism, which has already been mentioned, is not limited to the possibilities for further processing for compatible purposes and for mass data retention. Rather, the EDPB also complains that cookie walls are not compatible with the provisions of the GDPR to be applied in the context of consent. The exception for cookies for audience measurement is too broad. Fragmentation of enforcement and application of the Regulation is to be feared due to the lack of rules on the procedure for cooperation and consistency.
In view of the various potential points of conflict, tough trilogue negotiations are to be expected. It is therefore unlikely that the ePrivacy Regulation will enter into force before 2023. This would mean that it would apply from 2025, as the current draft provides for a transition period of 24 months.
For German companies, this means that the provisions of the TTDSG implementing the ePrivacy Directive remain relevant for the time being. Nevertheless, companies should keep up to date with the ePrivacy Regulation. After the regulation comes into force, implementation measures must be taken promptly, because software or product development will often be affected. The risk in the event of inadequate implementation is immense. As with the GDPR, fines of up to 20 million euros or, in the case of a company, up to 4% of the total annual turnover achieved worldwide in the preceding financial year can be imposed. In comparison, the current risk is still quite manageable, as the fines within the scope of application of the TTDSG are limited to a maximum of 300,000 euros according to its Section 28 (2).