Update Data Protection No. 76
Federal High Court: non-necessary Cookies require consent; preselected checkboxes are not sufficient.
On 28 May 2020 the Federal High Court (Bundesgerichtshof, “BGH”) handed down its judgment in the Planet49 case after a long legal dispute (we have already reported in detail on the previous instances, including the judgment of the European Court of Justice). The Federal High Court’s judgment contains a large number of important statements which can only be fully assessed once the written grounds are published. However, the following can already be said:
- Section 15 (3) of the German Telemedia Act (Telemediengesetz (“TMG”)) is still valid law and takes - contrary to the opinion of the German data protection supervisory authorities - precedence over the GDPR (i.e. has application priority over the GDPR).
- What the national legislator never managed to implement now also applies in Germany: the setting and reading of cookies and the use of all comparable technologies require a declaration of consent (unless the cookie is “necessary” for a website).
- The requirements for the declaration of consent are very high.
- A specific German way of sanctioning a breach is facilitated: the use of warning letters and preliminary injunctions against an infringement of Section 15 (3) TMG is not linked to the very controversial discussion of whether competitors and consumer protection agencies have a claim to cease and desist in respect of GDPR infringements.
- Whether Section 15 (3) TMG can also be used as a "legal basis" within the meaning of Art 6 GDPR cannot be answered with certainty without the reasons for the decision.
The facts in a nutshell
The facts of the case were based on a constellation that rarely occurs in practice: a checkbox was used to request permission to use a single remarketing tool (Remintrex) and to store corresponding cookies. This checkbox was not placed within the site’s cookie banner. A violation of Section 15 (3) TMG existed only because the checkbox was already ticked (“preselected”) before any action by the user. For further details on the facts of the case, please refer to our previous update on the ECJ ruling in this case. The most interesting points deriving from the ruling are the following.
Resurrection of Section 15 (3) TMG
Section 15 (3) TMG was for a long time the most important legal basis for online marketing in Germany. As there is no official translation of the provision available, we created a working translation:
The service provider may create user profiles using pseudonyms for the purposes of advertising, market research or for the needs-based design of telemedia, provided the user does not object to this. The service provider must inform the user of their right of objection within the scope of the notification according to Section 13 (1). These user profiles may not be merged with data about the bearer of the pseudonym.
According to the wording of Section 15 (3) TMG, tracking on the basis of pseudonymous data (such as cookie IDs) was permitted for analysis and marketing purposes as long as a possibility to opt out was granted. Please note that (a) the wording does not refer to cookies or similar technologies and (b) the threshold for online marketing was relatively low in Germany.
After the GDPR entered into force, the German data protection supervisory authorities proclaimed in various publications that the data protection rules of the TMG no longer applied, as the GDPR was now primarily applicable instead (see, for example, p. 2 of the supervisory authorities' guidance for telemedia providers – unfortunately not available in English). They argued that only Art 6 GDPR and its legal bases (namely “legitimate interest” and “consent”) applied.
The European Court of Justice and the BGH rejected this opinion of the German authorities, at least with respect to the legal basis. The ruling states that the German legislator implemented the so-called “Cookie Directive” (i.e. the current version of Art 5 (3) of Directive 2002/58/EC) in the form of Section 15 (3) TMG. Pursuant to Art. 95 GDPR, all national implementations of Directive 2002/58/EC take precedence over the rules of the GDPR. Section 15 (3) TMG thus takes precedence over the rules of the GDPR and is therefore still primarily applicable law.
Consent required - but for what exactly?
Although the wording of Section 15 (3) TMG does not require a declaration of consent, the ECJ and the BGH found that Section 15 (3) TMG must be interpreted in conformity with the Directive, which means a consent requirement must be read into Section 15 (3) TMG.
High requirements for consent for cookies
In the press release available to date, it is indicated that the BGH applies the same standards for consent as in former German case law. This also corresponds to the previous ECJ ruling. Consent to read data from a terminal device must therefore be given "in full knowledge of the facts", "for a specific case" and "voluntarily". Many cookie banners must now be checked to see whether these requirements are being met.
IAB TCF no "all-inclusive solution" in practice
In German practice, more and more companies have chosen a complex consent solution in the form of a "Consent Management Platform" (CMP). In particular, CMPs that have been certified according to the rules of the "Transparency & Consent Framework" (TCF) of the Interactive Advertising Bureau (IAB), a trade association of the online marketing industry, are widespread and seem to appear on more and more websites in Germany (see iabeurope.eu/tcf-2-0/). The requirements of the IAB TCF have certainly significantly increased the overall level of consent mechanisms and information provided. However, caution is still required: the various CMP providers implement the IAB TCF in very different ways. Some CMPs are much more transparent and user-friendly, while others are designed to make the user click on “ok” without dealing with the information in the small print. Some focus only on cookies (some do not even mention other tracking technologies), while others aim for full GDPR compliance. Moreover, as an international body of rules and regulations, the IAB TCF cannot take into account any national legal basis: Section 15 (3) TMG therefore does not appear in the cosmos of the IAB TCF. Companies in Germany must now select their consent technology much more carefully in the light of the BGH ruling.
Warning letters and preliminary injunctions
Under German law, it is possible to enforce a claim to cease and desist by way of (a) a so-called warning letter and (b) - if the warning is not complied with - a preliminary injunction. Currently, there is a comprehensive dispute about the question of whether anyone besides the data subject has a claim to cease and desist in respect of infringements of the GDPR. Different local courts came to different conclusions. The discussion – which had begun before the GDPR – was brought forward with new arguments and a number of judgments since the GDPR became applicable. However, as the BGH decided that Section 15 (3) TMG was still applicable, the discussion has now been brought back to the state it was in in May 2018.
No GDPR fine for violation of "Planet49 principles" in Germany?
According to the press release on the judgment, it is still questionable what an administrative sanction against the illegal setting of a cookie could look like. The legislator formerly intended to sanction specific – but not all – breaches of the TMG with a fine of up to EUR 50,000 (Section 16 TMG). However, as the corresponding violation of Section 15 (3) TMG is not explicitly mentioned in Sec. 16 TMG, it is presumably not possible to impose such a fine for a violation of the Planet49 principles. A further question: can a fine be imposed for use of the data in violation of Art 6 or 7 GDPR, or do Section 15 (3) TMG and the system of sanctions of the German Telemedia Act also "override" the rules on administrative fines of Art 83 GDPR? Unfortunately, it is still too early to discuss these questions in detail; the reasons for the judgment must be awaited.
The attention to cookie banners has never been as great in Germany as it will be in the next days and weeks. Every company should check for every website and app whether the requirements are met. Even if an IAB TCF-certified CMP is used, such a check must be carried out in order to avoid possible liability.