Telecommunications-Telemedia Data Protection Act (TTDSG) - Summary of the main provisions

The new Act Data Protection and Privacy of Telecommunication and Telemedia Services (TTDSG) has been in force in Germany since December 1, 2021. It merges the data protection provisions of the Telemedia Act (TMG) and the Telecommunications Act (TKG) in a single new Act. In doing so, the German legislature is fulfilling, with considerable delay, its obligation to transpose European law into national law in conformity with the respective European Directives (in particular the Directive 2002/58/EC as amended by Directive 2009/136/EC; so-called Cookie Directive).

Aim of the TTDSG

The TTDSG is intended to harmonize the data protection provisions of the TKG and the TMG and eliminate legal uncertainty regarding the distinction between the sector specific data protection rules and the General Data Protection Regulation (GDPR).

Scope

Due to the revision of the TKG in December 2021, the TTDSG applies not only to providers of telecommunications services that are number-based (i.e. telephone services), but also to providers of number-independent services (so-called over-the-top services such as webmail or messenger services).

The TTDSG also applies to providers of telemedia services. Telemedia are electronic information and communication services, unless they are telecommunications services or telecommunications-based services (see above) or broadcasting. This includes websites and other online offers of goods/services, video on demand platforms, but also simple advertising e-mails.

The geographic scope of application basically corresponds to that of the GDPR.

Summary

The TTDSG regulates data protection and privacy in telecommunications. The provisions of Secs. 88-107 of the former TKG and supplementary provisions have been transferred to Secs. 3-18 of the TTDSG and concern in particular:

• Secrecy of telecommunications: Secrecy of telecommunications ensures the confidentiality of communications and prohibits, for example, unauthorized access to the content of communications or knowledge of the parties to the communication. For the first time, it is expressly stipulated that the secrecy of telecommunications does not prevent heirs from exercising their rights.
• Misuse of telecommunications equipment: The improper use of telecommunications equipment that resembles or is based on the appearance of everyday objects for the purpose of surreptitious eavesdropping and hidden filming/photography is prohibited. This also applies to the placing of such equipment on the market.
• Sector-specific data protection rules: The sector-specific data protection rules in the TTDSG creates the necessary legal basis in the system of prohibition with reservation of permission so that telecommunications providers can provide and bill for their services. In addition to regular operation, this includes error and fault elimination and protection against misuse. Strict purpose limitation and data economy apply to all data processing.

Furthermore, the TTDSG regulates telemedia data protection. While the general rules concerning telemedia services are further codified in the TMG, the TTDSG applies to telemedia data protection with priority over the GDPR. Essential regulations concern:

• Security of processing: Under the TTDSG (as previously under the TMG), service providers are separately required to implement technical and organizational measures for data protection in addition to the requirements under Art. 32 DSGVO.
• Protection of data of children below the legal age: Data collected from children below the legal age for the purpose of age gates may not be used for commercial purposes.
• Inventory data disclosure and information on usage data: Telemedia providers may only disclose certain data about their users in the course of official investigations. The TTDSG provides for the corresponding authorizations limited to certain groups of cases, and the provider must bear the costs for the information.
• Cookies & Co and consent management: The TTDSG contains a completely new version of the regulation on the storage of information and access to this information on the user's terminal equipment, e.g., in the case of cookies. In principle, the requirement to obtain prior consent now applies - as it does uniformly in Europe - unless an exception applies, such as in the case of necessary access to the information on the end device in order to provide the service at all.

Section 26 TTDSG supplements Section 25 TTDSG to the effect that independent services, so-called Personal Information Management Systems (PIMS), can be used for consent management.

The Commissioner for Data Protection and Freedom of Information (BfDI) remains responsible for the supervision of the processing of personal data of natural persons and legal entities. The Federal Network Agency (BNetzA) retains supervision for ensuring the provisions of the first and second parts of the TTDSG concerning telecommunication services. Violations of the provisions of the TTDSG can be prosecuted under criminal and regulatory law. Violations of the confidentiality of communications can be punished by imprisonment of up to two years or fines, while violations of the other provisions of the TTDSG can result in fines of up to EUR 300,000.00. It should be noted that violations of telecommunications secrecy are subject to the general Criminal Code (StGB) and can be punished with a prison sentence of up to five years or a fine under Section 206 of the StGB.