New law on data protection

The Bundestag passed a new law in the area of data protection on May 20, 2021: The Telecommunications Telemedia Data Protection Act (TTDSG). What exactly does it change now? An overview:

Cookies and tracking      

The new law is intended to finally close the gaps regarding cookies in German law. At least that is the objective.

In the new law, the legislator has transposed the requirements on cookies and tracking from the EU Privacy Directive into national law. This is intended to create more clarity and be better aligned with the GDPR. After all, cookies are used to store personal data. According to federal law, this is now also to be permitted (as in the model: the DSGVO) only if the data subject has "consented on the basis of clear and comprehensive information".

This should still not be necessary for purely functional cookies. Functional cookies are those that are absolutely necessary for the use of the service.

In contrast, the legislator finds the implementation of cookie banners less than satisfactory. The cookie banners are too often far too opaque and the consumer perceives them only as an annoying message that must be quickly clicked away by consent. This would not meet the requirements for consent.

Personal Information Management Services

A draft in which browser manufacturers are strengthened in cookie management with your already implemented "Do Not Track" procedures to protect the consumer was not implemented.

Instead, cookie managers and opt-in procedures should be promoted. What is needed is the creation of a legal framework that leads to the recognition of "Personal Information Management Services" (PIMS) or single sign-on solutions. This would create the necessary consumer trust.

However, only those who have no economic self-interest in granting consent and are also independent of companies that might have such an interest (Section 26 TTDSG) are then eligible. In addition, of course, a security concept must be in place.

Misuse of telecommunications equipment

At the same time, the misuse of telecommunications equipment is to be punished more severely. The legislator is thinking here primarily of unnoticed eavesdropping or recording of images, especially if this is not clearly recognizable by the user because devices are used for which this is not the intended use. It is becoming increasingly common for everyday products to be misused for eavesdropping.

In the same way, the fine for number suppression or unauthorized advertising calls will increase.

Criticism

Critics note that the new law is just much ado about nothing.

The regulation on cookies is a purely formal adoption from the GDPR or the directive, which the German Federal Court of Justice and the European Court of Justice had long been pushing for. The European Directive of 2009 already stipulates when consent must be requested for cookies.

Auxiliary systems that set or prevent consent are also no protection, since operators who want to tap into data have long since relied on technologies other than cookies.

The law has no effect on the powers of data protection officers vis-à-vis public bodies, but this has long been demanded in practice.

In addition, it would still be possible for operators of online services to deny use of the service if consent to data processing is refused, even though it would be possible without consent and data processing.

Overall, therefore, the demand for change and, above all, improvement remains. The new law is only a step in the right direction.