Who: European Commission, German Federal Ministry of Economic Affairs
When: 5 February 2014
Law stated as at: 4 March 2014
Surprise! The Cookie Directive has been implemented
Earlier in 2014, after Germany’s new government was in place following the September 2013 elections, a German law blog made a press inquiry to the responsible Federal Ministry of Economic Affairs and asked whether the Ministry now intended to implement the ePrivacy Directive.
They got an interesting response. According to the Ministry, German data protection and telemedia provisions are sufficient to comply with the ePrivacy Directive. In other words, Germany does not need to implement the Directive – instead, the European cookie regulations have always been in force. The Ministry stated that the German government had answered a European Commission questionnaire on the implementation the ePrivacy Directive in 2013, and the commission “had not given any indication” that the German provisions were insufficient to comply with the European requirements.
But there was another surprise: The European Commission fully confirmed the Ministry’s statement. “We can confirm that Germany has transposed the revised ePrivacy Directive into national law” was the Commission’s short but quite unambiguous answer to the law blog’s enquiry.
So what happened?
According to the aforementioned EC questionnaire, which is now publicly available (PDF in German and English), the German government considers two provisions in the German Telemedia Act (TMG) as sufficient to fulfill the requirements of the ePrivacy Directive.
The second provision is Sec. 12 para. 1 TMG, which states that the collection and processing of personal data requires the users’ consent if it is not otherwise permitted by law. According to the government’s statement, this also applies to cookies.
Inconsistent and hardly enforceable
At first glance this sounds reasonable. Apparently German law already has obligations to inform users and to obtain their consent for using cookies. This would indeed correspond to the directive’s requirements. However, the arguments of the German government have a significant weak point. All these provisions in German law refer to the term “personal data” and therefore only apply to information that allows the identification of an individual person. But this is not necessarily the case for cookies: Depending on the specific use case, cookies may contain personal data. But they cannot be considered personal data as such. As a result the German regulations have a serious blind spot.
And there are even more issues: According to Sec. 13 para. 2 TMG the consent must not only be declared explicitly, the service provider is even required to record the consent. This is much stricter than the ePrivacy directive’s requirements — and it is quite hard to implement technically.
Consequently, even German data protection authorities, who already went through a similar argumentation back in 2010, found the regulatory approach “difficult to communicate” and “hardly enforceable”. And yet it is now approved by the European Commission.
Why this matters:
Cookie regulations are an important point on all online compliance checklists in Europe. However, the legal situation in Germany has been quite knotty ever since. Germany appeared to be a blank spot on the map of European cookie laws, but it was clear that this situation could not last forever.
Yet even the new statements of the German government and the European Commission have not shed any light on cookie regulations in Germany. We know that cookie regulations are in force, but we do not know their exact scope yet.
Although the German government and the European Commission have come to the mutual conclusion that the ePrivacy Directive has been transposed to German law, their arguments are inconsistent with and contradict other provisions of German data privacy law.
Even data protection authorities do not seem to follow the government’s arguments. As a result the situation is still far from clear and it is almost impossible to give a definite advice on how to comply with German cookie laws. However, there are three potential options for dealing with this uncertain situation:
1. allow users to give their explicit consent. This solution plays safe, but comes at the price of impaired user experience and probably lower conversion rates. This is the most cautious approach and appears “over-compliant” at the moment;
3. wait and see. It is rather unlikely that data protection authorities and courts require immediate action as the situation is completely unclear and the news about the Commission’s opinion is still very fresh. A risk remains, but we are not currently registering any hints of impending enforcement action by regulators.