Who: European Commission, German Federal Ministry of Economic Affairs
Where: Germany
When: 5 February 2014
Law stated as at: 4 March 2014
What happened:
“This website uses cookies. If you continue using this site we assume that you are happy with that”. Internet users all across Europe see this or similar notices on a daily basis. All across Europe? Well, not entirely. Even almost three years after the expiry of the transposition deadline, Germany still has not implemented the ePrivacy Directive (EC) 2002/58, as amended by Directive (EC) 2009/136, commonly known as the Cookie Directive. At least, that is what everyone believed – until early February 2014, when the European Commission confirmed that the European cookie regulations in fact had been in force in Germany all along, without anyone noticing it.
The background
In 2009 the European Parliament adopted an amendment to the ePrivacy Directive. Among other modifications the new version of the directive, (EC) 2009/136, fundamentally changed the provisions about the use of cookies and introduced an obligation for website operators to obtain their users’ consent for using cookies and similar technologies.
Although this new, stricter cookie regulation was not very popular, most member states implemented the European cookie regulations as of late 2012. Germany, however, almost vigorously refused to implement the ePrivacy Directive. To this day, there is no dedicated provision that expressly addresses the use of cookies. There are indeed regulations for specific use cases which may involve cookies, such as tracking and profiling. But the general use of cookies is still unregulated. At least this was the common opinion amongst German lawyers, including regulators and data protection authorities, who were quite unhappy with the non-implementation.
Surprise! The Cookie Directive has been implemented
Earlier in 2014, after Germany’s new government was in place following the September 2013 elections, a German law blog made a press inquiry to the responsible Federal Ministry of Economic Affairs and asked whether the Ministry now intended to implement the ePrivacy Directive.
They got an interesting response. According to the Ministry, German data protection and telemedia provisions are sufficient to comply with the ePrivacy Directive. In other words, Germany does not need to implement the Directive – instead, the European cookie regulations have always been in force. The Ministry stated that the German government had answered a European Commission questionnaire on the implementation of the ePrivacy Directive in 2013, and the Commission “had not given any indication” that the German provisions were insufficient to comply with the European requirements.
But there was another surprise: The European Commission fully confirmed the Ministry’s statement. “We can confirm that Germany has transposed the revised ePrivacy Directive into national law” was the Commission’s short but quite unambiguous answer to the law blog’s enquiry.
So what happened?
According to the aforementioned EC questionnaire, which is now publicly available (PDF in German and English), the German government considers two provisions in the German Telemedia Act (TMG) as sufficient to fulfill the requirements of the ePrivacy Directive.
The first provision is Sec. 13 para. 1 TMG, which requires service providers to inform their users about the collection, processing and use of personal data. This obligation also applies to “automatic procedures that allow a later identification of the user and prepare the collection of personal data”. In the government’s opinion – which is explicitly confirmed by the European Commission – these “automatic procedures” also cover the use of cookies.
The second provision is Sec. 12 para. 1 TMG, which states that the collection and processing of personal data requires the users’ consent if it is not otherwise permitted by law. According to the government’s statement, this also applies to cookies.
Inconsistent and hardly enforceable
At first glance this sounds reasonable. Apparently German law already has obligations to inform users and to obtain their consent for using cookies. This would indeed correspond to the directive’s requirements. However, the arguments of the German government have a significant weak point. All these provisions in German law refer to the term “personal data” and therefore only apply to information that allows the identification of an individual person. But this is not necessarily the case for cookies: Depending on the specific use case, cookies may contain personal data. But they cannot be considered personal data as such. As a result the German regulations have a serious blind spot.
And there are even more issues: According to Sec. 13 para. 2 TMG, the consent must not only be declared explicitly; the service provider is even required to record the consent. This is much stricter than the ePrivacy Directive’s requirements — and it is quite hard to implement technically.
Moreover, there are several contradictions with other provisions of the Telemedia Act. For example, Sec. 15 para. 3 TMG requires only an opt-out notice for the use of tracking technologies for advertisement purposes. The problem is that most of these technologies make use of cookies. This leads to a serious conflict: According to the government’s opinion, the use of cookies generally requires an explicit consent – except when cookies are used for advertising technologies where an opt-out regime applies. That does not seem very consistent.
Consequently, even German data protection authorities, who already went through a similar argumentation back in 2010, found the regulatory approach “difficult to communicate” and “hardly enforceable”. And yet it is now approved by the European Commission.
Why this matters:
Cookie regulations are an important point on all online compliance checklists in Europe. However, the legal situation in Germany has been quite knotty ever since. Germany appeared to be a blank spot on the map of European cookie laws, but it was clear that this situation could not last forever.
Yet even the new statements of the German government and the European Commission have not shed any light on cookie regulations in Germany. We know that cookie regulations are in force, but we do not know their exact scope yet.
Although the German government and the European Commission have come to the mutual conclusion that the ePrivacy Directive has been transposed to German law, their arguments are inconsistent with and contradict other provisions of German data privacy law.
Even data protection authorities do not seem to follow the government’s arguments. As a result the situation is still far from clear and it is almost impossible to give definite advice on how to comply with German cookie laws. However, there are three potential options for dealing with this uncertain situation:
1. allow users to give their explicit consent. This solution plays it safe, but comes at the price of impaired user experience and probably lower conversion rates. This is the most cautious approach and appears “over-compliant” at the moment;
2. provide immediate and clear information about the use of cookies and the option to object to their use (e.g. by showing a banner or modal dialog). This seems to be a reasonable compromise at the moment, although some would say it does not differ significantly from the old cookie regime before the consent requirement was introduced; or
3. wait and see. It is rather unlikely that data protection authorities and courts require immediate action as the situation is completely unclear and the news about the Commission’s opinion is still very fresh. A risk remains, but we are not currently registering any hints of impending enforcement action by regulators.