The German Data Protection Conference (DSK) issued guidance on the Federal Act on the Regulation of Data Protection and Privacy in Telecommunications and Telemedia (‘TTDSG’), which went into effect on December 1, 2021.
Some key takeaways:
- If no personal data is processed, only TTDSG is applicable. If both personal and non-personal data is processed, both TTDSG and GDPR apply. However, for the storage and access of information on/from terminal equipment, TTDSG takes precedence. For the subsequent processing, GDPR applies.
- Storage in or access from terminal equipment requires consent.
- This is not just telephony or VoIP, but also cable, WLAN, and IoT connections (including appliances and smart TVs).
Storage and Access:
- Storage and access includes: access to hardware device identifiers, advertising identification numbers, telephone numbers, SIM card serial numbers (IMSI), contacts, call lists, Bluetooth beacons or SMS communication. For all devices, the reading of the unique identifiers of the network hardware (MAC addresses) and browser fingerprinting.
- An access requires a targeted transmission of browser information that is not initiated by the end user. If only information, such as browser or header information, is processed that is transmitted inevitably or due to (browser) settings of the end device when calling up a telemedia service, this is not to be considered “access to information already stored in the end device.” Examples of this are: (1) the public IP address of the terminal device, (2) the address of the called website (URL), (3) the user agent string with browser and operating system version and (4) the set language.
- You can get consent to store and access information and consent for further processing under GDPR 6(1)(a) at the same time if: (a) you inform the users of all purposes (including of the subsequent processing), and that it is clear to the user that several consents are given in a single action (e.g. the pressing of a single button). Consent by approval of a banner is not consent for TTDSG and GDPR, it’s just consent under TTDSG.
Consent for Chas the same requirements as consent for GDPR.
From whom: consent is required from the person who objectively uses the terminal equipment. Ownership of the terminal equipment is basically irrelevant, as is the question of who is the contractual partner in the telecommunications service that is used via the terminal equipment.
Time: before access to the terminal equipment
- All storage and access activities must be transparent and comprehensible.
- Users must be informed, among other things, about who is accessing the respective terminal equipment, in what form and for what purpose, what the functional duration of the cookies is and whether third parties can gain access to them.
- Information must also be provided about the fact that a subsequent revocation no longer has any effect on the lawfulness of the access or storage that took place until the revocation,
- Information provided at different points within a telemedia offering must be consistent
- If processes take place within the scope of the telemedia offering that fall under both the TTDSG and the GDPR, information must be provided separately about the two legal bases.
- Active action on the part of the end user is always required
- Opt-out procedures are always unsuitable for establishing effective consent. The fact that the end user’s browser allows cookies or web storage, e.g., local shared objects (LSOs), cannot constitute consent, regardless of other aspects such as informed consent or certainty.
- The mere further use of a website or app, e.g. through actions such as scrolling down, surfing through website content, clicking on content or similar actions can also not constitute effective consent to access or store information on a terminal device.
- The evaluation takes into account how the buttons for giving consent and other options for action are labeled and designed, and what additional information is provided.
- If consent banners are displayed in telemedia offerings that merely contain an “Okay” button, clicking the button does not constitute an unambiguous declaration. Even the terms “agree,” “I consent,” or “accept” may not be sufficient in individual cases if it is not clear from the accompanying information text what specifically the consent is to be given for.
- In cases where it is not possible to remain inactive because a consent banner blocks access to some or all of the content of the telemedia service, end users must at least be able to express their rejection without additional clicks (compared to consent).
- Button to “Accept all” and on the other hand a button with names such as “Settings”, “Further information” or “Details” is not compliant. You need to give an equivalent option e.g. “reject all”.
- General or blanket consent for various potential subsequent processing operations is not compliant.
- End users must then also be able to consent to or reject the different purposes separately.
- In assessing whether consent for access to end user devices was given freely, it must first be clarified whether there was any compulsion at all for the end user’s to make a declaration or whether they could have remained inactive.
- It can be assumed that such a compulsion exists if a banner or other graphic element for requesting consent obscures access to the website as a whole or parts of the content and the banner cannot simply be closed without a decision
- The argument that no one is forced to visit a website whose content is in principle also offered by others on the market cannot be accepted. As the European Data Protection Board (as well as its predecessor institution) has already made clear, consent cannot be regarded as given voluntarily because there is a choice between a service, which includes consent to the use of personal data for additional purposes, and a comparable service offered by another controller
Possibility to revoke consent:
- It must be as easy to revoke as to give consent.
- If consent is given directly when using a website, it must also be possible to revoke it in this way. Exclusive revocation options via other communication channels such as e-mail, fax or even by letter do not comply with the requirements. It is also not permissible to refer users to a contact form,
CMP’s – legally compliant consent is by no means automatically obtained through the use of the CMP alone. The responsibility for the effectiveness of the consent obtained remains with the respective provider of the telemedia service.
Service specifically requested:
- The basic service is to be regarded as the telemedia service desired by users as soon as they deliberately call up a service. However, this action does not automatically mean that the user wants all additional functions of the basic service. The desired range of functions must be assessed in each individual case from the perspective of average user
- The explicit wish of the users with regard to these additional services and functions must therefore be expressed in further actions. In the context of websites, this means that users do not have to accept every access to their terminal equipment,
- Even for services explicitly requested by end users, only those accesses to the terminal equipment that are technically necessary to provide the requested service are covered by the exception.
- Storage is only absolutely necessary in a few cases, since many functions that are to be implemented by storing information on and reading it from users’ end devices can be implemented without individualization. For example, it is not considered necessary that a cookie with a unique ID is stored long-term and can be retrieved for storing consent or for load balancing
- In the website and app context, the original reach measurement has therefore evolved into a reach analysis with a non-fixed scope, using numerous, often individualized pieces of information, to which any criteria can be added.
- The purpose for which the reach measurement is used is decisive for answering the question of whether a telemedia service expressly desired by the user can be assumed. Even the simple measurement of visitor numbers is therefore not to be classified per se as a component of the basic service, but depends on the specific purpose pursued in each case.
Legal Basis under GDPR
- You need a legal basis for the data processing associated with the integration of third-party content on websites regularly involves the disclosure of personal data to the operators of the respective third-party servers, e.g. advertisements, fonts, scripts, city maps, videos, photos or content from social media services.
- Accountability: data controllers must be able to prove that the processing of personal data is lawful. This means that controllers must check and document in advance on which authorization facts they base the processing.
Requirements for banners:
- Separate HTML element
- Provide full information including all actors involved, which can be activated only if selected
- While the consent banner is displayed, no further scripts of a website or an app that potentially access the end devices of the users are loaded.
- Information may be stored or read only after consent is given
- For every option to give consent (button) you need an option to reject.
- Store the submission of consent so that the banner does not reappear.
- In the context of tracking, the requirements of Article 6 (1) (f) of the GDPR are only met in a few constellations in practice.
- Attention must be paid to whether these service providers also process data of the data subjects for their own purposes (e.g., to improve their own services or to create interest profiles). In this case – and even if the third-party service provider only reserves the right to do so in the abstract – the scope of a commissioned processing pursuant to Art. 28 DS-GVO is exceeded. For the transfer of personal data – even if it is only the IP address – to these third-party service providers, Article 6 (1) (f) of the GDPR can then generally not form an effective legal basis.
- A transfer of personal data to the USA and other third countries without a level of data protection recognized by the EU Commission may therefore only take place subject to suitable guarantees, such as standard data protection clauses, or if an exceptional circumstance exists for certain cases pursuant to Art. 49.
- The mere conclusion of standard data protection clauses such as the standard contractual clauses adopted by the EU Commission is not sufficient. You need to conduct a TIA and see whether supplementary measures are necessary.
- Especially in connection with the integration of third-party content and the use of tracking services, however, it will often not be possible to take sufficient supplementary measures. In this case, the services concerned must not be used, i.e., they must not be integrated into the website
- Personal data processed in connection with the regular tracking of user behavior on websites or in apps cannot, in principle, be transferred to a third country on the basis of consent pursuant to Art. 49 GDPR. The scope and regularity of such transfers regularly contradict the character of Art. 49 GDPR as an exceptional provision