The New Telecommunications Telemedia Data Protection Act (TTDSG)
The new Telecommunications Telemedia Data Protection Act (TTDSG) (link in German) is the result of a clean-up campaign in German data protection law. The TTDSG, which became effective 1 December 2021, merges the data protection regulations in telemedia and telecommunications law that were previously scattered across a wide array of German laws. Among other things, the TTDSG regulates the protection of confidentiality and privacy when using internet-ready terminal infrastructure such as websites, messenger services, or smart home devices. To this end, the data protection provisions of the Telemedia Act (TMG) and the Telecommunications Act (TKG) are repealed and combined in the new TTDSG. Furthermore, the TTDSG regulates the responsibilities of the Federal Network Agency and the Federal Commissioner for Data Protection and Freedom of Information (BfDI). For website and app operators, however, the TTDSG does not impose any new obligations. Rather, the TTDSG provides them with clarification and more legal certainty when processing (personal) data, e.g. in connection with cookies.
New regulations for cookies and cookie banners?
In addition, Section 26 TTDSG sets standards for services that administer end user consent, so-called "Personal Information Management Services" (PIMS) or single sign-on solutions. This applies to services that are intended to enable end users to make their own decision on consenting to or refusing cookies. Section 26 TTDSG provides that such services require to be certified by an independent body. However, no such services are yet on the market.
Extended scope: Internet of Things
Increasingly popular among consumers are products that can be connected to the Internet, e.g. connected cars and smart living. While the ePrivacy Directive does not generally cover the entire structure behind the Internet-of-Things (IoT), the TTDSG does: Section 25 regulates the storage of information in "terminal infrastructures". In contrast to the "terminal equipment" of the ePrivacy Directive, the infrastructure that connects the IoT devices and which is usually stored in the cloud, is now also covered (and not only the IoT hardware itself).
Section 4 TTDSG introduces rights of heirs of telecommunications users and thus creates practicable regulations: In the event of death, electronic communications such as emails etc. are to be made accessible to the heirs.
The regulations on location data are consolidated in one place (Section 13 TTDSG).
The extensive Sections 22 to 24 TTDSG newly regulate information rights in relation to inventory and usage data and implement the requirements from the decision of the Federal Constitutional Court of 27. Mai 2020 (1 BvR 1873/13, 1 BvR 2618/13 - Inventory Data Information II), which also declared Section 113 TKG unconstitutional.
Section 9 TTDSG regulates the rights to process (including certain obligations to delete) traffic data. It corresponds to the previous provision in Section 96 TKG.
The German Data Protection Conference (DSK) recently published a new guidance document (link in German) for telemedia providers on the application of the TTDSG. Among other things, the guidance deals with when and how consent must be obtained in accordance with Section 25 TTDSG, and replaces the existing DSK guidance document of 2019 on telemedia and Art. 5 para 3 ePrivacy Directive (OH Telemedien 2019). At the same time, the European Commission continues to work on a European ePrivacy Regulation, which would, for example, replace Section 25 of the TTDSG again (but would not come into force for at least two years).