September 7, 2022

Germany's New Data Protection Law - TTDPA / TTDSG

Germany's New Data Protection Law - TTDPA / TTDSG

Germany's Telecommunications and Telemedia Data Protection Act ('TTDPA' or 'TTDSG' in German) will come into effect on 1 December 2021. The TTDPA centralizes the previously separate Telemedia Act 2007 and Telecommunications Act 1996 into one law.

What is the scope?

According to the TTDPA, all technologies that access 'end user equipment' i.e. user devices (including mobil phones, laptops, smart home devices, voice assistants and IoTs etc.), will require consent before they are used, whether or not personal data processing is involved. This is due to the fact that besides ensuring the right to data protection, the TTDPA also aims to enforce data privacy in accordance with the ePrivacy Directive, which covers personal and non-personal data. The scope of the TTDPA seems remarkably wide, Article 1(3) states:

"All companies and persons who have an establishment or provide or participate in the provision of services or make goods available on the market within the scope of this Act are subject to this Act".

Now let's break down the three criteria mentioned above:

If the organization has an establishment in Germany.

The establishment doesn't necessarily have to be actively involved in the processing activities such as tracking with the use of cookies. The mere existence of such an establishment in Germany is sufficient grounds for the TTDSG to be relevant to an organization. This is a very broad scope of application and even goes beyond Article 3(1) of the General Data Protection Regulation (GDPR), which at least requires such data processing to be carried out "in the context of the activities of an establishment of a controller or processor in the Union".

If the organization "participates in the provision of services" that are provided in Germany.

This is similar to Article 3(2) of the GDPR which establishes a market location principle. However, it remains unclear how high or low the bar for 'participating' in the provision of a service is. To assess if a company is in scope of the TTDSG, all services that the organization is involved in any way would need to be looked at, and not only those that the organization itself provides.

If the organization "makes goods available on the market" in Germany.

The question here is what "making available" means in comparison to "providing" goods in the market.

"Consent" according to the TTDPA

According to Article 25 of the TTDPA, which deals with the use of cookies and similar technologies - website operators require explicit user consent for the use of cookies and tracking services, with the exception of:

  • Essential technical cookies and information; and
  • Cookies and information used exclusively for the transmission of messages via a public telecommunications network.

Enforcement of the TTDPA

The enforcement of the TTDPA is  quite ambiguous when it comes to organizations located outside of Germany, which also counts for those located in other member states of the EU. There's a lack of cooperation and consistency mechanisms for cases in which service providers operates from or in several member states. Furthermore, the scope of the TTDPA is very broad and the relevant provisions are full of undefined legal terms.

Conclusion

Overall, it seems that the TTDPA has left us with more questions than answers, and with so many uncertainties for organizations that are not registered or have no office in Germany, it'll be interesting to see how the German authorities will enforce the TTDSG, especially in cross-border cases.

If you've prepared your organization for the GDPR and ePrivacy with the implementation of a Consent Management Platform (CMP), then changes that the TTDPA will bring in the upcoming months should not be overwhelming, but if you aren't yet prepared to deal with user consent and your organization falls into the three criteria of the TTDPA as mentioned above, you should start by going through our Cookie Banner Checklist.

DISCLAIMER: The contents of this website are intended to convey general information only and not to provide legal advice or opinions. The information presented on this website may not reflect the most current legal developments. An attorney should be contacted for advice on specific legal issues. The implementation of a data protection law compliant Consent Management Platform (CMP) is ultimately at the discretion of the respective data protection officer (DPO) or legal department.