Find out today what the legal world will be talking about tomorrow.
Shortly prior to the direct application of the EU General Data Protection Regulation (GDPR), the Data Protection Conference (= the Conference of independent data protection authorities of the federal government and the German states) issued a surprising position statement on the applicability of the Telemedia Act as of May 25, 2018.
According to the opinion of the Data Protection Conference, the 4th chapter of the Telemedia Act will no longer apply under the GDPR. The provisions in this chapter are largely based on the Data Protection Directive, which will be repealed by the GDPR. As a result, data processing can no longer be based on Sections 12, 13, 15 Telemedia Act as of May 25, 2018. Grounds for legality of reach measurement and the use of tracking tools must therefore be found directly in the GDPR. This is also the result of the Data Protection Conference’s considerations in the position statement, which is generally supported.
The conclusion in item 9 of the Data Protection Conference’s position statement, however, that from May 25, 2018 the setting or reading of cookies (web tracking) is only possible with the informed consent of data subjects is being heavily criticized (e.g., in the joint press release of the German Advertising Federation). To justify this conclusion, however, the Data Protection Conference refers to Article 5(3) ePrivacy Directive, which would already call for an opt-in at the current time. On the basis of references in this Directive, the GDPR will apply as of May 25, 2018, so that the requirements of the GDPR must be complied with regard to the consent.
Consequently, there is already a contradiction in the position statement itself. Item 7 of the position statement lists that “processing strictly necessary to enable the provider to make the service requested by the data subjects available [...] may be based on Article 6(1)(b) or (f) GDPR.” If it is therefore necessary to set and read cookies to provide a contractual service, this may be based on the existing contractual relationship. This may particularly be cookies that are set and read during a user session, for example to be able to offer a meaningful shopping basket function in an online shop.
Item 8 of the position statement also refers to the fact that “whether and to what extent further processing is lawful,” must “[…] be reviewed on a case-by-case basis under Article 6(1)(f) GDPR.” As a result, tracking or reach measurement may also be based on a result of the balancing of interests. It is by no means clear that in principle the data subjects’ interests will prevail. According to recital 47 GDPR, direct marketing may be considered “processing serving a legitimate interest.” In addition, web tracking / reach measurement is usually carried out on a pseudonymous or anonymous basis, so that it is regularly not expected that the data subject has a predominant interest that requires protection.
Finally, according to Recital 47 GDPR, the website provider may also take into account the reasonable expectations of data subjects based on their relationship with the controller, when weighing the interests. In the age of the internet, every user knows that tracking methods for web analysis are usually used for websites. The site operator may and can therefore take this into account. There are thus no compelling indications that the interests of the data subjects in the absence of tracking are prevailing.
Therefore, the unequivocal conclusion of the Data Protection Conference – the need for consent – seems somewhat hasty. Companies must, however, be aware of this position statement and take it into account when using cookies.
Practical tip:
The Data Protection Conference’s position statement is causing a stir and website operators must position themselves accordingly. The Data Protection Conference’s statement has not remained unchallenged. Until the CJEU has issued a clear ruling, all possible interpretations remain open. The development of case law in this area is to be closely monitored.
If companies want to be absolutely certain, an opt-in must be provided for all tracking and targeting measures that are not strictly necessary, including cookies. The corresponding cookie banner should then allow a real choice, meaning that cookies may only be set if the website user has explicitly clicked on the “Yes” button.
Nevertheless, this does not seem absolutely necessary. Tracking and targeting measures may also be based on the company’s justified interests. The balance of interests should be comprehensively documented and the website user must be informed about the use of tracking and targeting measures in the Privacy Policy. Consent must only be obtained in this respect if the use cannot be based on the legitimate interest (e.g., neither on a pseudonymous nor on an anonymous basis). With regard to the ePrivacy Directive (and reasonable user expectations), additional security can be gained if reference to other cookies is also made in a cookie banner.
The conclusion in item 9 of the Data Protection Conference’s position statement, however, that from May 25, 2018 the setting or reading of cookies (web tracking) is only possible with the informed consent of data subjects is being heavily criticized (e.g., in the joint press release of the German Advertising Federation). To justify this conclusion, however, the Data Protection Conference refers to Article 5(3) ePrivacy Directive, which would already call for an opt-in at the current time. On the basis of references in this Directive, the GDPR will apply as of May 25, 2018, so that the requirements of the GDPR must be complied with regard to the consent.
Consequently, there is already a contradiction in the position statement itself. Item 7 of the position statement lists that “processing strictly necessary to enable the provider to make the service requested by the data subjects available [...] may be based on Article 6(1)(b) or (f) GDPR.” If it is therefore necessary to set and read cookies to provide a contractual service, this may be based on the existing contractual relationship. This may particularly be cookies that are set and read during a user session, for example to be able to offer a meaningful shopping basket function in an online shop.
Item 8 of the position statement also refers to the fact that “whether and to what extent further processing is lawful,” must “[…] be reviewed on a case-by-case basis under Article 6(1)(f) GDPR.” As a result, tracking or reach measurement may also be based on a result of the balancing of interests. It is by no means clear that in principle the data subjects’ interests will prevail. According to recital 47 GDPR, direct marketing may be considered “processing serving a legitimate interest.” In addition, web tracking / reach measurement is usually carried out on a pseudonymous or anonymous basis, so that it is regularly not expected that the data subject has a predominant interest that requires protection.
Finally, according to Recital 47 GDPR, the website provider may also take into account the reasonable expectations of data subjects based on their relationship with the controller, when weighing the interests. In the age of the internet, every user knows that tracking methods for web analysis are usually used for websites. The site operator may and can therefore take this into account. There are thus no compelling indications that the interests of the data subjects in the absence of tracking are prevailing.
Therefore, the unequivocal conclusion of the Data Protection Conference – the need for consent – seems somewhat hasty. Companies must, however, be aware of this position statement and take it into account when using cookies.
Practical tip:
The Data Protection Conference’s position statement is causing a stir and website operators must position themselves accordingly. The Data Protection Conference’s statement has not remained unchallenged. Until the CJEU has issued a clear ruling, all possible interpretations remain open. The development of case law in this area is to be closely monitored.
If companies want to be absolutely certain, an opt-in must be provided for all tracking and targeting measures that are not strictly necessary, including cookies. The corresponding cookie banner should then allow a real choice, meaning that cookies may only be set if the website user has explicitly clicked on the “Yes” button.
Nevertheless, this does not seem absolutely necessary. Tracking and targeting measures may also be based on the company’s justified interests. The balance of interests should be comprehensively documented and the website user must be informed about the use of tracking and targeting measures in the Privacy Policy. Consent must only be obtained in this respect if the use cannot be based on the legitimate interest (e.g., neither on a pseudonymous nor on an anonymous basis). With regard to the ePrivacy Directive (and reasonable user expectations), additional security can be gained if reference to other cookies is also made in a cookie banner.
Share in
Authors
