Cookies, TTDSG and ePrivacy Regulation: What can we expect in 2022 in terms of data protection in the online sector?

Authors: Thanos Rammos and Max Harttrumpf

The year has only just begun, but a clear trend in data protection is already emerging for 2022: it is likely to be the year of ePrivacy. So far, the online sector has not been uniformly regulated. The General Data Protection Regulation has left a gap in this respect. The so-called ePrivacy Regulation should close this gap. It has been discussed for a very long time. Now there is a draft, but it has to be finally negotiated. In addition, there have been many judgements and developments on cookies & co. There is still a lot of uncertainty. A new law in Germany does not make it easier.

The current situation

Supervisory authorities now regularly check cookie banners. Consumer protection organisations are not idle either and seem to be issuing series of warnings to companies because of cookie banners. Whether they are legitimised to do so at all must be decided by the European Court of Justice („ECJ“, C-319/20) in 2022. The Federal Court of Justice („BGH“, „App Centre“ – I ZR 186/17) has referred this question to it. The ECJ must therefore examine whether consumer protection organisations are authorised to prosecute violations of data protection law or whether the General Data Protection Regulation conclusively regulates supervision by data protection authorities. On 2 December 2021, the Advocate General of the ECJ gave his opinion on this matter. He comes to the conclusion that consumer protectors can become active. If the ECJ follows his lead, there is likely to be an even greater wave of warnings with regard to so-called tracking tools. On 1 December 2021, the new Telecommunications and Telemedia Data Protection Act („TTDSG“) came into force. Among other things, it will oblige website operators to comply with new regulations and give visitors more control over the personal data they collect. In any case, it carries new risks of fines. Will it mean the end of cookie banners?

Looking ahead to 2022

Will the ePrivacy Regulation also be adopted in 2022, so that there could be a clearer line across the EU in the future? A lot of time has passed since the first draft of the ePrivacy Regulation was published in January 2017. Originally, a joint entry into force with the GDPR was planned. While the latter has been in force since May 2018, negotiations on the ePrivacy Regulation have been tough so far. Most recently, there has been progress: The EU Council of Ministers agreed on a version on 10 February 2021. This marked the beginning of the so-called trilogue, the informal negotiation between representatives of the three bodies involved in the EU legislative process: EU Commission, Parliament and Council of Ministers.

Key points of the ePrivacy Regulation

The draft ePrivacy Regulation is intended to newly regulate data protection in the online context. The main points:

Scope and relationship to the GDPR

From a material point of view, the ePrivacy Regulation aims to regulate the processing of electronic communications data arising from the provision and use of electronic communications services. Electronic communications services include internet access services, interpersonal communications services and services that consist wholly or mainly in the transmission of signals. M2M, VoIP and the IoT are therefore also generally subject to the ePrivacy Regulation.

In addition, the ePrivacy Regulation also contains provisions concerning

• Information on and about users‘ end devices (especially cookies),
• the provision of publicly accessible directories of users of electronic communications services, and
• the sending of direct marketing communications to end-users by means of electronic communications.

As a special law, the ePrivacy Regulation takes precedence over the GDPR. Its provisions supplement and clarify the GDPR with more specific regulations.

Legal bases for data processing

The ePrivacy Regulation is based on the principle of confidentiality of electronic communications data: any interference (e.g. listening, tapping, storing, monitoring, scanning or other kinds of interception, surveillance and processing) with communications data by a person other than the end user is prohibited, unless one of the exceptions provided for in the ePrivacy Regulation applies (so-called prohibition with reservation of permission).

The central element of permission is likely to be consent. For this, reference is essentially made to the provisions of the GDPR. In addition, general conditions of permission for the processing of electronic communication data are included (Art. 6):

• Such processing is permissible, for example, if it is necessary for the provision of the communication service, for maintaining or restoring the security of electronic communication networks, for detecting and preventing security risks or attacks on users‘ terminal equipment, or for complying with legal obligations in the context of criminal offences or threats to public security.
• There is also a distinction between electronic communications content data and communications metadata. Communication content data is data that is exchanged using electronic communication services (e.g. text, voice, video, images, sound). In contrast, communication metadata is data that is processed for the purpose of transmitting, distributing or exchanging electronic communication content. Data used to track and identify the source and destination of the communication (e.g. device location data, date, time, duration and type of communication) are also included.
• With regard to communications content data, consent is likely to be required on a regular basis. In contrast, a number of other permissions could apply to communications metadata, such as for the purposes of network management and optimisation, performance of a contract or protection of vital interests.

It is remarkable that the current draft does not contain a provision comparable to the GDPR on data processing on the basis of a balancing of interests.

Processing for another purpose and mass data retention

Two provisions that are likely to cause discussion in the trilogue negotiations:

• Processing of communication metadata for other purposes compatible with the original purpose is possible without the consent of the end user, provided certain security measures (e.g. encryption or pseudonymisation) are taken. The European Data Protection Board’s (EDPB) criticism was not long in coming: in its statement 03/2021 of 9 March 2021, the EDPB considered that the possibility of further processing for compatible purposes could undermine the level of protection of the Regulation.
• For communications metadata in the context of EU or Member State law for the prevention, investigation, detection or prosecution of criminal offences and for the safeguarding against and the prevention of threats to public security, there is an exception to the principle that such data must be erased or made anonymous when it is no longer needed. This in effect opens up the possibility of mass data retention. The EDPB strongly noted that such a provision would be contrary to recent ECJ case law.

Before the publication of the Council’s draft, the Federal Commissioner for Data Protection and Freedom of Information (BfDI) had already argued to the Federal Ministry for Economic Affairs and Climate Action (BMWi) for the deletion of both regulations. However, the provisions were reinserted into the text of the regulation and adopted by the Council.

Cookie walls, consent through browser settings, audience measurement

The provisions on cookies have been one of the major points of friction so far. It was discussed for a long time how – in addition to consent – a suitable legal basis could look like. The recitals show that so-called cookie walls are also permissible, provided that the user has a real choice, i.e. can choose between different services on the basis of clear, precise and user-friendly information about the purposes of cookies or similar techniques. As alternative services, for example, a paid, cookie-free version of the same provider or a comparable, cookie-free service of another provider can be considered.

Cookie consent can also be given by means of browser settings (e.g. using a configurable positive list for one or more providers). However, according to the current draft, a directly declared consent of the end user shall prevail over a consent by means of software settings.

In addition, so-called first-party cookies, which are necessary for audience measurement, can be used by the provider (or its processor or a joint controller) without requiring the consent of the end users.

Unsolicited direct marketing

The use of electronic communications services for the purpose of direct marketing is generally prohibited unless the end users have given their prior consent. However, an exception applies if the provider has contact data of the end user due to an existing customer relationship and in a DSGVO-compliant manner. In this case, the user may be contacted about similar products or services if he or she has been clearly and unambiguously given the opportunity to object to such use free of charge and by simple means. The regulations thus essentially correspond to the idea and the current requirements of German case law on the opt-out regulation in competition law (Section 7 (3) UWG).

No One Stop Shop

In line with the provisions on supervision in the GDPR, Member States shall provide that independent public authorities (fulfilling the requirements of Art. 51-54 GDPR) are responsible for monitoring the application of the ePrivacy Regulation.

However, the monitoring of the provisions on end-user control rights can be transferred to the aforementioned supervisory authorities as well as to other supervisory authorities with corresponding expertise. This contradicts the EDPB’s recommendation that only data protection supervisory authorities should be responsible for enforcing the ePrivacy Regulation.

Contrary to the provisions on supervision in the GDPR, the draft ePrivacy Regulation does not contain a mechanism comparable to the one stop shop principle. Companies could therefore be confronted with measures by supervisory authorities of different member states.

ePrivacy Regulation and TTDSG

In Germany, the TTDSG has been in force since 1 December 2021. Among other things, it contains regulations that serve to harmonise the implementation of the ePrivacy Directive from 2002 (details here). With this, the German legislator is catching up on what many had already demanded. As soon as the directly applicable ePrivacy Regulation comes into force, the provisions of the TTDSG will also become obsolete, because it implemented the old ePrivacy Directive. With regard to cookies, for example, the regulation on the „protection of privacy in terminal equipment“ (§ 25 TTDSG) would be superseded by the above-mentioned provisions of the ePrivacy Regulation (Art. 8).

What’s next in terms of ePrivacy?

The current draft of the ePrivacy Regulation will probably provide a lot of material for discussion in the trilogue negotiations. In particular, the EDPB’s criticism, which has already been mentioned, is not limited to the possibilities for further processing for compatible purposes and for mass data retention. Rather, the EDPB also complains that cookie walls are not compatible with the provisions of the GDPR to be applied in the context of consent. The exception for cookies for audience measurement is too broad. Fragmentation of enforcement and application of the Regulation is to be feared due to the lack of rules on the procedure for cooperation and consistency.

In view of the various potential points of conflict, tough trilogue negotiations are to be expected. It is therefore unlikely that the ePrivacy Regulation will enter into force before 2023. This would mean that it would apply from 2025, as the current draft provides for a transition period of 24 months.

For German companies, this means that the provisions of the TTDSG implementing the ePrivacy Directive are therefore relevant for the time being. Nevertheless, companies should keep up to date with the ePrivacy Regulation. After the regulation comes into force, implementation measures must be taken promptly, because often software or product development will be affected. The risk in the event of inadequate implementation is immense. As with the GDPR, fines of up to 20 million euros or, in the case of a company, up to 4% of the total annual turnover achieved worldwide in the preceding financial year can be imposed. In comparison, the current risk is still quite manageable, as the fines within the scope of application of the TTDSG are limited to a maximum of 300,000 euros according to its Section 28 (2).