Updated guidance document for telemedia from the German data protection authorities

The German Data Protection Conference (Datenschutzkonferenz; the “Data Protection Conference”), which is the joint committee of the data protection authorities in Germany, recently published an updated version of its guidance for telemedia from the supervisory authorities (only available in german). This was published together with an informative evaluation report on the public consultation procedure (only available in german), which had been conducted prior to the update.

In order to minimise exposure to supervisory measures and fines, companies would be well-advised to use the German data protection authorities’ updated guidance as an opportunity to review the design of their websites, apps and other telemedia to see whether or not these take into account the supervisory authorities’ common positions. This also relates in particular to consent mechanisms for cookies and similar technologies.

Background: No special provisions for telemedia in the EU General Data Protection Regulation (GDPR), selective special provisions in the German Act to Regulate Data Protection and Privacy in Telecommunications and Telemedia and already-established guidance from the Data Protection Conference.

The GDPR does not contain any special provisions on the design of telemedia. The German Act to Regulate Data Protection and Privacy in Telecommunications and Telemedia (“Telekommunikation-Telemedien-Datenschutzgesetz”, hereinafter the “Act”), which has been in force since 1 December 2021, only provides for special requirements for certain aspects of the design of telemedia. These relate mainly to the use of cookies and similar technologies. The Act was enacted to implement the EU ePrivacy Directive, which was last amended in 2009. The ePivacy Regulation (only available in german), which is to replace the ePrivacy Directive, is still locked in the legislative process.

The Data Protection Conference published detailed guidance for telemedia providers in 2019, which included advice chiefly on issues surrounding the use of cookies and similar technologies. This was supplemented in 2020 when the Data Protection Conference published guidelines on the use of Google Analytics. On 20 December 2021, the Data Protection Conference adopted a new version of its guidance in order to take into account for the first time the Act, which had taken effect on 1 December 2021. Prior to revising its guidance, the Data Protection Conference initiated a consultation procedure (only available in german), allowing for the submission of comments until 15 March 2022. An evaluation of the comments received can be found in the media working group’s evaluation report on the consultation procedure concerning guidance for telemedia providers (only available in german).

Specific adjustments and additional details in the updated guidance

In the updated version of the telemedia supervisory authorities’ guidance (only available in german) (as of December 2022), the authorities have now made specific adjustments and added more detailed information. For example, on a topic of great importance to many website operators, namely of “reach measurement” (often also referred to as “web analysis”), the Committee states that such technologies may – even taking into consideration the strict requirements for the use of cookies in the Act ‒ be used at least for the “error-free delivery of the website” (in individual cases this may be done even without consent). Generally, use without consent will not, however, extend, for example, to measuring the “profitability of advertisements”. In its guidance, the Committee has also provided details on the design of consent banners.

Necessity for companies to consider revising their practices

Even if the updated version of the guidance does not conclusively and unambiguously answer all of the questions that are relevant in practice for ensuring that the design of telemedia conforms with data protection rules, nevertheless both the updated guidance and the evaluation report on the consultation procedure offer legal practitioners valuable insights into the German supervisory authorities’ legal views. It can be assumed that the supervisory authorities will base their administrative practice on the jointly formulated positions and, if any data protection requirements, as interpreted in their guidance, are violated, will take remedial action and, where necessary, impose fines.

Consequently, companies should keep the updated guidance and the evaluation report on the consultation process in mind when designing websites, apps and other telemedia. This applies especially to consent mechanisms for cookies and similar technologies (e.g. local storage, session storage, possibly browser fingerprinting, etc.). In order to minimise exposure to supervisory measures and fines, we recommend that companies use the German data protection authorities’ updated guidance as an opportunity to review the design of their websites, apps and other telemedia to see whether or not these take into account the supervisory authorities’ common positions.