With very little media attention, the German parliament has passed the Telecommunications and Telemedia Data Protection Act (Telekommunikation-Telemedien-Datenschutz-Gesetz – TTDSG), which will come into force on 1 December 2021.
The TTDSG, among other things:
- combines the data privacy provisions of Germany’s Telecommunications Act (TKG) and the Telemedia Act (TMG); and
- finally transposes Article 5(3) of Directive 2002/58/EC, as amended by Directive 2009/136/EC (known as the ‘ePrivacy Directive’ or ‘Cookie Directive’) into national law.
The TTDSG aims to be Germany’s comprehensive ePrivacy legislation for communication and online services, way before the EU ePrivacy Regulation – for which the legislative process is likely to drag on for several years – comes into force.
The main aspects of the TTDSG are as follows:
- The TTDSG applies to almost every device with an internet connection, such as smart-phones, computers, smart-TVs and other internet-of-things (IoT) devices (especially smart-home devices such as security cameras, lights and speakers) and connected vehicles.
- The new legislation covers, among other things, telecommunications secrecy and wiretapping bans, traffic and location data, regulations on itemised bills and billing, incoming calls, caller-ID display and suppression, telephone directories, and, in the case of telemedia providers, technical and organisational measures, the processing of data relating to minors, and obligations to provide information on inventory and usage data and passwords.
- The core of the new TTDSG is section 25, which regulates the protection of privacy in devices and requires – in principle – end-users to consent to any storage of and access to (non-personal) information stored in their devices. This affects all IoT service providers who in some form or another access data on users’ devices.
- Consent is always required, unless the sole purpose of the storage or access is the execution of the transmission of a message via a public telecommunications network or if the storage and access is needed to provide a telemedia service requested by the user. It is unclear whether legal obligations which require access to a device (e.g. product safety monitoring obligations) create an exemption from the consent requirement under the TTDSG.
- The competent supervisory authority can impose fines of up to €300,000 per case for violations of the TTDSG. If applicable, GDPR fines may be imposed on top (see more below).
How the TTDSG works with the GDPR
The EU General Data Protection Regulation (GDPR) will still apply in addition to the TTDSG. In a nutshell, the TTDSG has some form of gatekeeper functionality and imposes requirements on accessing a device via the internet, whereas the GDPR sets out requirements on processing personal data by this access. The TTDSG, however, imposes additional obligations to the processing of personal data in connection with the provision of publicly available electronic communications services in public communication networks in the Union as set out set out in Directive 2002/58/EC.
The IoT space and all other business that rely on accessing data on user devices have very little time to prepare for the requirements of the TTDSG.
Under the new law, data storage and access on a device will face much more scrutiny and may no longer be viable unless it falls under the narrow legal exemptions or users give their consent (a process that could be quite complicated).
This will particularly be the case where use-cases previously relied on the controllers’ legitimate interest. All use-cases should therefore be reviewed in order to determine if they need changing. While doing so, the following aspects must be considered.
Accessing a device via a telecommunication network
The consent requirement only applies to access via the internet, which applies to all IoT devices. For connected vehicles, the European Data Protection Board mentioned in its 2020 guidelines on processing personal data in the context of connected vehicles and mobility-related applications that a connected vehicle and every device connected to it is considered ‘terminal equipment’ under the ePrivacy Directive and therefore the TTDSG.
Providing a telecommunication or telemedia service
Depending on the nature of the telecommunication or telemedia service provided, a legal exemption might apply. If so, this should be documented. With the accompanying amendments to telecommunication law (Telekommunikationsmodernisierungsgesetz – TKMoG), which will also come into force on 1 December 2021, further requirements, in particular slightly amended definitions, should be considered.
Introducing a consent-management system
If no legal exemption applies, data storage in the device (ie updates) and access to data already stored in device requires consent, which must be provided in compliance with the GDPR. This may require a new consent-management system for use-cases that previously relied on legitimate interest.
Competent supervisory authority
Depending on the nature of the service, the competent supervisory authority could be the Federal Commissioner for Data Protection and Information Security (Bundesbeauftragter für Datenschutz und Informationssicherheit), the relevant state data protection authority (Landesdatenschutzbehörden) or even the Federal Network Agency (Bundesnetzagentur).