‘No tracking nor profiling without consent’ is the firm statement of the German DPAs[1] in a Working Paper which was published at the end of April 2018.[2] The statement is being published under the non-exiting title ‘Applicability of TMG for non-public bodies since 25th of May 2018’, but the content is explosive.
‘At least a prior consent is necessary regarding tracking tools which store the online behaviour of data subjects in the internet and for user profiles.’[3]
This statement does not only apply to personalised tracking and personalised profiling tools. This statement applies at the same time to tracking and profiling on the basis of pseudonyms, which until now were admissible according to TMG (Telemediengesetz) in Germany.
Since the ECJ rendered the TMG as invalid in the judgement ‘Breyer’[4], the statement of the German DPAs is a binding interpretation of the GDPR for tracking and profiling.
The online business in Germany reacted to the German DPAs with a harsh statement.[5] With the requirement of consent, a realistic click statistic for websites will not be possible in the future, because a significant number of users will not provide a consent, since these will not accept tracking or just are reluctant to answer the consent request.
Facts and legal background
In Germany the TMG specifies the requirements for data processing in online business. The TMG is sector law for online business and implements Directive 95/46. According to Paragraph 15 TMG tracking and profiling is admissible, insofar a pseudonym is being processed and the user is not being identified. The further requirements of Paragraph 15 TMG, like the right to object, are not relevant here.
The European Court of Justice (ECJ) declared in the judgement ‘Breyer’ Paragraph 15 TMG as invalid and not in line with Directive 95/46. In essence the court stated that the requirements of the TMG are too specific in comparison to the legitimate interest of Article 7 Directive 95/46. While the Directive is open to balance the interest of the controller against the interest and the fundamental rights of the data subject, Paragraph 15 TMG regulates in detail which processing is admissible.[6] According to former judgments of the ECJ Article 7 Directive 95/46 has direct effect. As consequence any data protection law of a Member State that is stricter or – in this case – less flexible than Article 7 Directive 95/46 is invalid.
Paragraph 15 TMG will be invalid as of 25th of May, when GDPR is applying, because the rationale of the ECJ in ‘Breyer’ is equally valid to GDPR, because GDPR follows the same principles concerning the concept of legal basis and legitimate interest as does Directive 95/46.
The ECJs opinion about the direct effect of Article 7 Directive 95/46 will not be relevant from 25th May on, because the GDPR as European regulation has a direct effect according to Article 288 TFEU[7].
In this situation the German DPAs provided the statement that not solely Paragraph 15 TMG but the whole section of TMG, which contains data processing requirements for online business, is invalid. At the same time the German DPAs provided a new interpretation of tracking and profiling, which is now referring to the GDPR.
In addition, the ePrivacy-Regulation is being postponed and will not come into force on 25th May. That required a statement of the German DPAs on cookies. While Germany is seen as very strict in terms of data protection, it has regarded an ‘opt out’ as sufficient for cookies, which are not necessary to provide a service. This German interpretation was in contrast to WP29 in the WP 194 on cookies. The German DPAs now have adjusted their views on cookies and share the statement of WP29, which require a consent for cookies.
In addition, the DPAs took the underlying rationale of Article 5 (3) ePrivacy-Directive, which contains the requirements for cookies, and transferred this rationale to its new interpretation of tracking and profiling according to Art. 6 GDPR. As a result the German DPAs require, as default, a consent for tracking and profiling. Only in individual cases a legitimate interest may provide a lawful legal basis.
The statement of the German DPAs with pro and contra
The statement of the German DPAs reads as follows[8]:
- Tracking and profiling, which is strictly necessary to provide the service, may be based on performance of a contract according to Article 6 (1) (b) GDPR or legitimate interest according to Article 6 (1) (b) GDPR.
- At least a prior consent is necessary for tracking tools, which store the online behaviour of data subjects in the internet and for user profiles. A prior and informed consent in form of a declaration or a clear affirmative action according to GDPR is required before e.g. installing cookies or storing information on the user’s device.
- In the single case additional processing may be admissible on the basis of legitimate interest according to Article 6 (1) (f) GDPR.
From a strict legal perspective, one may find arguments for both standpoints, pro and contra the German DPAs.
The first contra argument is a formal one and derives from the relation between the ePrivacy-Directive and the GDPR. Art. 95 GDPR states that GDPR shall not impose additional requirements on issues which are subject to the ePrivacy-Directive. This argument may be used vice-versa that ePrivacy-Directive shall not be used to raise the requirements of the GDPR. The second argument is that – even though ECJ held Paragraph 15 TMG as too specific – Paragraph 15 contained in principle a fair balancing between the interest of the controller and the data subject. While the use of pseudonyms has no significant adverse effect on the rights of data subject a tracking and profiling of pseudonymous data can be regarded as admissible.
The argument in favour of the German DPAs is that tracking, profiling and cookies are similar in a technical way. E.g. see the statement of WP29 in WP 194 on cookies which considers in its significant parts the tracking aspect. In addition, all methods are used to trace the online behaviour of the user for economic reasons, which is mostly marketing. And although the ePrivacy-Directive is a specific law one may adapt a principle and transfer it to the more general GDPR to use it as argument for interpreting legitimate interest.
With the new statement of the German DPAs especially tracking cross websites will not be easy justify.
[1] Data Protection Agencies
[2] DSK (Datenschutzkonferenz), Positionsbestimmung der Konferenz der unabhängigen Datenschutzbehörden des Bundes und der Länder – Düsseldorf, 26. April 2018, Zur Anwendbarkeit des TMG für nicht-öffentliche Stellen ab dem 25. Mai 2018; https://www.ldi.nrw.de/mainmenu_Datenschutz/submenu_Technik/Inhalt/TechnikundOrganisation/Inhalt/Zur-Anwendbarkeit-des-TMG-fuer-nicht-oeffentliche-Stellen-ab-dem-25_-Mai-2018/Positionsbestimmung-TMG.pdf
[3] This is not an official translation. The German wording is: „Es bedarf jedenfalls einer vorherigen Einwilligung beim Einsatz von Tracking Mechanismen, die das Verhalten von betroffenen Personen im Internet nachvollziehbar machen und bei der Erstellung von Nutzerprofilen.“
[4] ECJ, judgment of 19 October 2016, Breyer, C‑582/14; http://curia.europa.eu/juris/document/document.jsf?docid=184668&doclang=EN
[5] ZAK (Zentralverband der deutschen Werbewirtschaft), Analyse des Positionspapiers der DSK vom 26. April 2018; http://zaw.de/zaw/aktuelles/meldungen/Anlagen/Analyse-ZAW-DSK.pdf
[6] ECJ, judgment of 19 October 2016, Breyer, C‑582/14; http://curia.europa.eu/juris/document/document.jsf?docid=184668&doclang=EN
[7] Treaty on the Functioning of the European Union; https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A12012E288
[8] This is not an official translation; German version in DSK (Datenschutzkonferenz), Positionsbestimmung der Konferenz der unabhängigen Datenschutzbehörden des Bundes und der Länder – Düsseldorf, 26. April 2018, Zur Anwendbarkeit des TMG für nicht-öffentliche Stellen ab dem 25. Mai 2018; Seite 3; https://www.ldi.nrw.de/mainmenu_Datenschutz/submenu_Technik/Inhalt/TechnikundOrganisation/Inhalt/Zur-Anwendbarkeit-des-TMG-fuer-nicht-oeffentliche-Stellen-ab-dem-25_-Mai-2018/Positionsbestimmung-TMG.pdf