A new element – OTT services are covered by the legislation
Most of the regulations in the previously applicable TMG were transferred to the TTDSG, which is aimed at all telemedia providers. By contrast, a new element is the widening of the definition of the terms telecommunication service providers and telecommunication services. The latter category now also includes – via the term ‘interpersonal communications services’ – so-called over-the-top services (OTT services). The legal definition covers those OTT services that are offered over the internet without the involvement of the internet service provider in the process. This means, primarily, apps for e-mail services, instant messengers and internet telephony offerings, but also smart home devices such as light bulbs that can be controlled via Alexa and other voice-controlled systems.
Consent under Section 25 TTDSG constitutes the most important regulation
As previously, website operators will need to obtain the consent of users in order to store information in the terminal equipment of an end user or to access information stored there. This will not apply in the case of cookies whose sole purpose is to carry out the transmission of a communication over a public telecommunications network or ones that are strictly necessary for technical purposes.
What are cookies that are necessary for technical purposes?
Cookies that are necessary for technical purposes are all those without which the website would not function. According to the relevant EU Directive (Art. 5(3) sentence 2 of Directive 2002/58/EC – ePrivacy Directive), the following cookies, for example, are necessary for technical purposes:
- session cookies that store certain settings of a user (e.g., the shopping basket, language settings or login data);
- flash cookies for delivering media content playback features;
- cookies that are used by integrated payment service providers (irrespective of any specific payment) insofar as they do not analyse any particular usage behaviour but, instead, are solely for the purpose of preparing potential payments or checking payment authentications.
The personal information management system (PIMS) and the single sign-on solution
Please note: As a result, users would generally gain more control over their personal data and third parties’ access to their information.
A possible consequence would then be that cookie banners for giving consent would be rendered superfluous.
However, this may still take some time because these services will have to be approved first. Certain requirements will have to be met in order to obtain approval (e.g., no economic self-interest in consent being given on the part of the provider, the provider’s security concept, etc.). A procedure for approving the services is yet to be established.
An example of such a service is mentioned in the preamble to the TTDSG. Several entities band together and organise a facility. It provides so-called single sign-on solutions for the entities via which users can organise their consent. Specifically, this means that those who log into their computers via the single sign-on service would, at the same time, be able to sign in to several services and applications without having to provide their login data separately for each individual service.
Furthermore, the TTDSG regulates further aspects. For example, a new provision on the secrecy of telecommunications in Section 3 TTDSG has expanded the target group of those affected by this regulation. Moreover, Section 4 TTDSG is worth mentioning because it means that legal heirs will now be expressly authorised to access the data of deceased persons.
The TTDSG has provided greater clarity about the data protection requirements for telemedia and telecommunications services. As regards the content of the legislation, there are only a few changes in the TTDSG, so that it is likely that nothing will change for many website operators. The complicated interpretation, in conformity with European law, of Section 15(3) TMG is now not needed any more and the coexistence of regulations in different legislative acts is likewise a thing of the past.
Recommendation: Against the backdrop of a legal situation that is now clear, we would recommend not only reviewing the requirements for consent and checking that your data privacy statement is up to date, but also setting up an ongoing process to ensure that, in the future, all technical changes with respect to consent and your data privacy statement are taken into account. Furthermore, it should be noted that there are still plans at the EU level for an ePrivacy Regulation; as a result, there could be new changes that would, at least partially, also relate to the TTDSG.