The most important facts about the new “Guidance for telemedia providers” issued by the German data protection supervisory authority on December 20, 2021

by Katrin Nebermann

Shortly before Christmas, the supervisory authorities updated the “Guidance for telemedia providers” (OH Telemedien 2021), which is crucial for the legally compliant use of web analytics. The background to this was the Telecommunications Telemedia Data Protection Act (TTDSG), which came into force on December 1, 2021 and transposed the EU ePrivacy Directive into German law. The corresponding §25 TTDSG applies to all technologies by means of which information is stored or read out on the user’s end devices.

The orientation guide is available at:

https://www.datenschutzkonferenz-online.de/media/oh/20211220_oh_telemedien.pdf

We have summarized the three most important points for you and explained them in more detail below:

Re 1: Need for consent

The new guidance confirms the legal basis of consent-free session tracking with etracker Analytics:

1. the back-end linking of visit data using browser and header information does not require consent under the TTDSG.

According to the supervisory authorities, this is clearly not active access to the end device’s memory:

“Access requires a targeted transmission of browser information that is not initiated by the end user. If only information, such as browser or header information, is processed, which is transmitted inevitably or due to (browser) settings of the terminal device when a telemedia service is called up, this is not to be regarded as ‘access to information that is already stored in the terminal device’. Examples of this are

• the public IP address of the end device,
• the address of the website accessed (URL),
• the user agent string with browser and operating system version and
• the set language.”

In order to meet the requirements of the GDPR, etracker automatically shortens the IP address before it is stored and combines the data transmitted by the browser with a random value that changes daily. This limits the anonymous linking of visits to a maximum of 24 hours. Users cannot be tracked over longer periods of time.

2. data protection-friendly processing for the purpose of web analysis can still be based on the legal basis of overriding legitimate interest (Art. 6 para. 1 lit. f GDPR).

The use of etracker Analytics can still be based on the legitimate interest. The guidance clarifies that consent is not preferable to a predominantly legitimate interest. Both legal bases are of equal rank and equal value. However, the legal basis of the legitimate interest requires an individual balancing of interests. The audit standards for this are unchanged compared to 2019. The template for weighing up interests that we provide is therefore still up to date, as it is based precisely on the standards from 2019. These also form the basis for our audit and the award of the ePrivacyseal data protection seal of approval.

Re 2: US web analytics services such as Google Analytics

The guidance clarifies that the legal basis of legitimate interest does not apply if the provider reserves the right to use the data for its own purposes:

“Furthermore, in cases where third-party service providers are involved in tracking as processors, it must be ensured whether these service providers also process data of the data subjects for their own purposes (e.g. to improve their own services or to create interest profiles). In this case – and even if the third-party service provider only reserves the right to do so in the abstract – the scope of commissioned processing under Art. 28 GDPR is exceeded. As a rule, Art. 6 para. 1 lit. f GDPR cannot form an effective legal basis for the transfer of personal data – even if it is only the IP address – to these third-party service providers.”

Even with the user’s consent, there is no legal basis for data processing by US providers:

“However, especially in connection with the integration of third-party content and the use of tracking services, it will often not be possible to take sufficient additional measures. In this case, the services concerned may not be used, i.e. they may not be integrated into the website. Personal data that is processed in connection with the regular tracking of user behavior on websites or in apps cannot be transferred to a third country on the basis of consent in accordance with Art. 49 para. 1 lit. a GDPR.”

Re 3. consent banner

The supervisory authorities have taken a clear position on the design of consent banners: Making refusal more difficult leads to legally ineffective consent:

“If consent banners are displayed in telemedia offers that only contain an “Okay” button, clicking on the button does not constitute an unequivocal declaration.”

It goes on to say: “Users must be given an option in the consent banner that is equivalent to consent to refuse consent. If there is a button for consenting to certain processes on the first level of the consent banner, there must also be a correspondingly displayed button to reject these processes.”

In addition, the dialog must contain all essential information at the highest level so that the consent is legally effective:

“In principle, it is possible to design consent banners in multiple layers, i.e. to provide more detailed information only on a second level of the banner, which users can access via a button or link. However, if there is already a button on the first level of the banner with which consent can be given for various purposes, specific information on all individual purposes must also be included on this first level. It would be too vague to merely provide generic, general or vague information on the purposes, such as “We use cookies to provide you with a better user experience.”

Disclaimer

These statements do not constitute legal advice and cannot replace individual legal advice. They are a professional discussion and summary of the topic. If necessary, we will be happy to put you in touch with a specialist lawyer.