Skip to main content

German Federal Court - Finally clarified: tracking cookies not without active consent

|

The discussion is not new. The European Court of Justice (ECJ) had already decided on 01.10.2019. But only the German Federal Court of Justice (judgement of 28.05.2020, ref.: I ZR 7/16) enforces now a consent as a prerequisite for a tracking cookie.

So far, no surprise. What is unexpected, however, is that despite the start of application of the GDPR, the German Federal Court of Justice still wants to apply the old profiling provision of Section 15 (3) of the German Telemedia Act (TMG) and not Article 6 GDPR, contrary to the view of the German data protection supervisory authorities. Does the admissibility now have to be reassessed? Do all privacy policies now have to be rewritten? So far, only the press release is available, but it contains the essential statements (https://www.bundesgerichtshof.de/SharedDocs/Pressemitteilungen/DE/2020/2020067.html?nn=10690868).

 

No tracking cookie without active consent - Pre-activated check marks are not consent

The German Federal Court of Justice decided in accordance with the European Court of Justice (judgement of 01.10.2020, ref. C- 673/17) that a pre-activated check mark does not constitute consent. What is required is rather an active action by the user - for example, activating a checkbox or clicking a button. This is not surprising. This is also explicitly stated in Recital 32 of the GDPR.

Practical consequence: Previous banners on websites that only provided information about the setting of cookies and tracking are clearly no longer sufficient. Even banners that only allow accepting but not rejecting are not sufficient. The German Federal Court of Justice has thus put an end to the lengthy legal dispute about the legal basis of a cookie consent requirement in Germany. The warning risk has increased.

Why is it not a contradiction that the decision is not new, but the risk of being warned only now increases? Quite simply: The decision of the ECJ of 01.10.2020 made it binding for the German Federal Court of Justice that consent requires active action. But the ECJ did not decide the legal dispute of the BGH, as the ECJ does not have jurisdiction in this matter. Only with its decision did the the German Federal Court of Justice finally declare all cookies that are not absolutely necessary for the operation of a website to be subject to unlimited consent in Germany as well.

 

Application of the old Section 15 (3) TMG and usage profiles only with consent?

In its further decision the German Federal Court of Justice makes a multiple somersault and leaves the reader irritated after the first reading. Why? The legal dispute only relates to the legal situation prior to the application of the GDPR. The German Federal Court of Justice had asked the ECJ how the cookie regulation of the Data Protection Directive 2002/58/EC (also referred to as ePrivacy Policy) is to be interpreted and received an answer to this question: According to the ECJ the consent required under Art. 5 (3) of Directive 2002/58/EC for the setting of a cookie presupposes the active action as consent and pre-activated check mark is not sufficient.

However, the German legislator had not implemented this cookie regulation into German law. In other words: The regulation, which the ECJ interpreted, does not exist in German law. The German Federal Court of Justice speaks this explicitly in the press release. Then the German Federal Court of Justice refers to the provision on the solution to the objection in the case of pseudonymous user profiles in Section 15 (3) of the German Telemedia Act (TMG), because the German legislator believes that it has thus implemented the cookie regulation.

And now the German Federal Court of Justice makes the first somersault: It interprets this regulation, which clearly provides for an objection solution, in conformity with the above-mentioned cookie regulation to the effect that consent is required. And already, according to German law, consent is already required in the form of an active act.

The curious thing about it, however, is this: The cookie regulation only regulates the setting of cookies, regardless of whether personal data are processed in the process. Section 15 (3) of the German Telemedia Act TMG, on the other hand, regulates the processing of personal data for user profiles and in no way regulates the setting of cookies. The corresponding reasons for the judgement are currently not yet available. It therefore remains to be seen whether the reasons for the judgement will possibly result in something else.

However, the German Federal Court of Justice does not stop at this reasoning and performs a second somersault: In the opinion of the German Federal Court of Justice, Section 15 (3) TMG continues to apply alongside the GDPR. It thus contradicts the interpretation of the German data protection supervisory authorities and the predominant previous legal opinions. It justifies this with the opening clause in Art. 95 GDPR. The approach is correct. This is because it regulates the continued validity of the provisions of the Data Protection Directive 2002/58/EC and thus also of the cookie regulation and corresponding implementations in German law. However, in my opinion, the requirements of Art. 95 GDPR do not exist for Section 15 (3) of the German Telemedia Act (TMG). And in general, this only works because the German Federal Court of Justice has already (see above) interpreted Section 15 (3) of the German Telemedia Act (TMG) as a consent provision, contrary to its wording.

This is also understandable from the perspective of the German Federal Court of Justice. If it had come to a different conclusion, there would be no requirement in Germany for consent to the setting of a cookie until the German legislature had created a German law with the content of the cookie regulation from the Directive. This is because without a transposition act a directive does not work between data processor and data subject.

You think that sounds complicated? That's right, it is! The German advertising industry could have been saved from this complexity: Either if the German legislator had adapted the TMG to the GDPR or, in part, if the German Federal Court of Justice had waived the statements on validity in relation of the GDPR.

Consequence very briefly: The setting of a tracking cookie requires consent - even under German law and without a new German law. The regulation on pseudonymous user profiles in Section 15 (3) TMG continues to apply. However, caution is required here. Because the press release is not sufficiently clear on this point.

What should you do now? Check whether your tracking method falls under the regulation. If so, make sure you get real consent. Also check the permissibility of profiling based on this legal situation. Check your privacy policy for processing personal data on your website and adapt it if necessary.

 

Article provided by: Dr. Jens Eckhardt (Derra, Meyer & Partner, Germany)

 

 

Discover more about INPLP, the INPLP-Members and the GDPR-FINE database

Dr. Tobias Höllwarth (Managing Director INPLP)

Cloud Privacy Check (CPC). Data Privacy Compliance in the Cloud Made Easy

Understand Cloud and Data Protection Law in only 4 easy steps. Plus highly relevant legal information for 33 countries. Provided by EuroCloud and 53 European lawyers.

VIEW STREAM

About Us

EuroCloud is an independent non-profit organization and consists of a two-tier setup where organisations form all European countries can apply to participate in as long as they respect the EuroCloud Statutes.

To act as a true European player, all programs that are developed are intended to be European activities. These European programs are the strength of EuroCloud as a whole. Respect to local cultures along with the will to promote a real European spirit.

{$page.footerData}