Telecommunications Telemedia Data Protection Act TTDSG

What is the Telecommunications and Telemedia Data Protection Act (TTDSG)?

The "Act to Regulate Data Protection and Privacy in Telecommunications and Telemedia", which is referred to in abbreviated form as the "Telecommunications and Telemedia Data Protection Act" and abbreviated as the "TTDSG", is intended to bring together various data protection rules. Specifically, the sector-specific data protection rules of the Telemedia Act (TMG) and Telecommunications Act (TKG).

For example, there is a section on "data protection" in the Telemedia Act (TMG) and the Telecommunications Act (TKG) also explicitly refers to data protection and telecommunications secrecy in Part 7. Until now, the GDPR and the TMG and TKG have existed side by side and caused certain legal uncertainties, which are now to be abolished with the restructuring. The TTDSG will come into force on 01.12.2021 and will in particular bring new regulations for cookies and so-called PIMS.

Most important information on the TTDSG

  • The TTDSG is the abbreviation for the "Act to Regulate Data Protection and Privacy in Telecommunications and Telemedia", which is referred to in abbreviated form as the "Telecommunications and Telemedia Data Protection Act".
  • The Data Protection Act TTDSG applies from 01.12.2021
  • In the Act, data protection provisions from the Telemedia Act and the Telecommunications Act are repealed or transferred to the TTDSG.
  • Specifications "Personal Information Management Services" in short "PIMS" are regulated, which are defined as recognised services for the management of personal information

Meet the Experts

Lawyer Richard Bode on the TTDSG

Lawyer Richard Bode shows you what companies must be prepared for when the TTDSG comes into force on 1 December 2021. In particular, the requirements for consent management for websites will be explained using the best practice solution from Usercentrics.

 Online 1 hour Free of charge

Emergence of the TTDSG

The "Act to Regulate Data Protection and Privacy in Telecommunications and Telemedia", which is referred to in abbreviated form as the "Telecommunications Telemedia Data Protection Act" and abbreviated as the "TTDSG", is intended to bring together various data protection rules. Specifically, the sector-specific data protection rules of the Telemedia Act (TMG) and Telecommunications Act (TKG). Thus, there is the section "Data Protection" in the TMG and the TKG also explicitly refers to data protection and telecommunications secrecy in Part 7. Until now, the GDPR and the TMG and TKG have existed side by side and caused certain legal uncertainties, which are now to be abolished with the restructuring.

To this end, the data protection provisions from the TMG and TKG are repealed or transferred to the TTDSG. If you take a closer look at these adjustments, you will see that the regulations in question have simply been removed from both the TKG and the TMG and transferred to the new TTDSG. Even partly in the exact wording.

Background of the TTDSG

Apart from the newly integrated regulations from the TMG and TKG, the new TTDSG offers hardly any innovations at first glance. Of course, this law was not only created for cosmetic reasons, but has some very tangible backgrounds. Specifically, it is about the final harmonisation of the previous German law with the regulations from the General Data Protection Regulation and the ePrivacy Directive, which have existed for some time now.

Harmonisation with the GDPR

The adjustments to harmonise with the General Data Protection Regulation are minor. There is a simple reason for this: there have already been quite a few. In the three years since the GDPR came into force, some amendments were made to both the TKG and the TMG to address the new regulations. In fact, however, there has been a duplication of many regulations. A look at the version of the Telemedia Act that is still in force shows that the service provider (for example, the operator of a website) is subject to special regulations on the information of data subjects and that special regulations also apply, for example, for consent. If these regulations are set against the provisions of the GDPR, this duplication is no longer apparent. Therefore, if one looks at the new TTDSG, it is noticeable that these regulations have been dropped.

Adaptation to the requirements of the ePrivacy Directive

Of particular importance is also the adaptation to the requirements of the ePrivacy Directive. Already last year, the Federal Court of Justice made a decision here that made lawyers shake their heads. The background to this was the question, which had been disputed for many years, of whether the TMG should implement the requirements of the ePrivacy Directive and whether it succeeded in doing so. This was controversial above all with regard to information that was to be stored on users' end devices. Better known to most as cookies, even if this only refers to a part of the information that may be stored.

Storage of cookies

Contrary to the actually clear requirements of the Directive, German law provided that consent to the setting of cookies was only necessary in a few cases. The Federal Supreme Court therefore had to find a solution. And it found it in a way that was not unusual but not necessarily successful, by simply saying that the law must not be applied in its wording, but in a European interpretation. Of course, this could not remain so for long, and so the new TTDSG now also provides for concrete regulations for the storage of such information in accordance with European law in § 25 and § 26.

What exactly is the content of the TTDSG?

So let us turn to the concrete regulations.

§ Section 25 TTDSG: Dealing with cookies

"The storage of information in the end-user's terminal equipment or the access to information already stored in the terminal equipment shall only be allowed if the end-user has consented on the basis of clear and comprehensive information. The information to the end-user and the consent shall be provided in accordance with Regulation (EU) 2016/679."

We are therefore confronted with the basic rule that any storage of information in the end user's terminal equipment or access to it requires consent. The inclined data protectionist will of course notice here that the second sentence of this paragraph catapults us directly into the GDPR, because nothing else is the "Regulation (EU) 2016/679". For questions around the definition of consent, we should therefore simply refer to Article 7 of the GDPR (voluntariness, informedness, transparency, prohibition of tying, etc.).

Of particular importance, however, is the following observation:

The information to be stored is forbidden from having any identifying effect and must be quite explicitly not personal data. All information is covered by this regulation . Also any purely technical information!

Of course, no rule is without exception. We find this in the second paragraph of § 25 TTDSG:

"Consent under paragraph 1 is not required,

  1. where the sole purpose of storing information in the end-user's terminal equipment or the sole purpose of accessing information already stored in the end-user's terminal equipment is to carry out the transmission of a communication over a public telecommunications network; or
  2. where the storage of information in the terminal equipment of the end-user or the access to information already stored in the terminal equipment of the end-user is strictly necessary in order for the provider of a telemedia service to provide a telemedia service explicitly requested by the user".

So we have two scenarios that allow us to store or access the information even without consent.

The first application is certainly the one that is uninteresting in everyday life. In this respect, it only addresses the self-evident, but of course it also has its justification. It is similar to Article 6 (1) (b) or (c) of the GDPR. Even if no personal data need be involved in the specific case, the TTDSG permits the filing of or access to simply necessary information that is required for an individual communication process. However, this restriction should be restrictively observed and really only apply to "messages" (see section 2(2)(4) TTDSG) to "terminal equipment" (see section 2(2)(6) TTDSG) in connection with transmission in a "public communications network" (see section 3(42) TKG-neu).

Of course, the second use case is much more exciting: Here, it is based on the fact that the user wants to use a telemedia service offered by the provider and that the filing of or access to the stored information is absolutely necessary is to provide the service. The regulation therefore has two pitfalls. First, it must be an explicitly requested telemedia service.

Telemedia service according to § 1 TMG

"all electronic information and communication services, insofar as they are not telecommunications services pursuant to section 3 no. 24 of the Telecommunications Act, which consist entirely in the transmission of signals via telecommunications networks, telecommunications-based services pursuant to section 3 no. 25 of the Telecommunications Act or broadcasting pursuant to section 2 of the Interstate Broadcasting Treaty".

One could therefore basically say that all information, irrespective of entering into contractual relationships or the like, which can at least also be retrieved digitally, is to be qualified as such services. Secondly, the processing of the information must be absolutely necessary for this service.

Now, this is a law that has not even been enacted yet. Therefore, it is not yet possible to answer whether and to what extent there will be qualitative differences between, for example, "necessity" in the GDPR (e.g. Art. 6(1)(b) GDPR) and "absolute necessity". As a result, both terms will probably be very similar or even synonymous. The "essential" information already known today, which for example realises the shopping basket in an online shop, will probably develop in roughly this direction.

At this point, however, one might ask how far this goes, because in many cases it will be possible to create services on a technical level that do not require such information. Whether an obligation to use the least storage-intensive technology design could then be derived from this remains open at present.

Whenever these exceptions are not fulfilled, the only remaining option is consent from paragraph 1. But that would be a very small task and would not bring any improvement with regard to the current forest of banners on European websites. For this reason, Section 26 of the TTDSG was introduced at short notice.

§ Section 26 TTDSG: What are PIMS?

This makes it possible for users of telemedia services to rely on central administration services to manage consents. These are also known as PIMS (for Privacy Information Management System) Most people are also familiar with these systems, which are now firmly integrated in some browsers (e.g. Do-Not-Track). Of course, these can still be used, but until the providers of telemedia services can be obliged to take them into account, recognition by an independent body, which does not yet exist, is required, which can check such systems on the basis of a legal ordinance that has yet to be drafted.

Of course, there are other regulations within the new TTDSG that represent an innovation. However, these are less significant in everyday life and include the following aspects:

  • According to § 4 TTDSG the exercise of rights under the secrecy of telecommunications is now also available to the heirs of the actual right holder in a legally regulated manner.
  • In § 6 TTDSG for the first time, a precise procedure for the extraction of message content in the transmission process for forwarding to third parties or for independent processing by the TKG obligated party. This is relevant today insofar as providers of TKG services, in simplified terms the message intermediaries, also offer their own services to "get more out of the data".
  • The previous "participant directories" are replaced by the in § 17 TTDSG end-user directories" have been replaced. In terms of content, this does not result in any significant changes. Only some obligations to provide information have been included, but these only affect TKG providers.
  • In contrast, the issue of providing end-user data (but only those that have been published in the end-user directories at the request of the user) was regulated in more detail. § 18 TTDSG regulates the right of the providers of directory enquiry services to receive the contents of the end user directories in a manner that enables a technical implementation.
  • An important and also politically highly controversial innovation is the in § 23 TTDSG The TMG service provider's option to store passwords and other data that are equivalent to passwords or allow similar access. It is important to note, on the one hand, that this is not a mandatory provision ("may") and, on the other hand, that a whole series of data protection obligations would stand in the way of the storage of passwords in particular, as well as Section 22 of the TTDSG, which also requires appropriate technical measures for the protection of information.

You are welcome to contact us as external data protection officerorder. We also offer individual consulting services as well as audits and will be happy to provide you with a non-binding offer. You can find more information about our external data protection officers on our website.

Learn more

Penalties and fines under the TTDSG

Above all, Section 28 of the TTDSG should be taken to heart, which stipulates fines that may be imposed by the Federal Network Agency or the Federal Data Protection Commissioner for disregarding almost all regulations of the TTDSG. These are defined in three levels from €50,000.00 to €100,000.00 to €300,000.00 and will be calculated individually depending on the severity of a violation. And yes, there are also custodial sentences. But these are limited to a really very narrow scope of exceptions and relate, on the one hand, to illegal wiretapping and the dissemination of the wiretapping findings of information not intended for the public and, on the other hand, to the covert installation of a telecommunications system for the purpose of listening in on the surroundings without being noticed.

Assessment of the TTDSG by lawyer Richard Bode

At first glance, the TTDSG offers little that is new and contains regulations that will automatically disappear from the TKG and TMG when they come into force on 1 December 2021. In addition, the law attempts to catch up with the regulations of the GDPR and the ePrivacy Directive and harmonise them with German law.

Conclusion: What do companies need to consider in order to be prepared for the entry into force of the TTDSG?

What to do now? First take a deep breath. Then visit your own website and check whether the consent manager, which hopefully already exists, really only lists data processing under "essential" or "necessary" that really deserve the name. If this is not the case, you should certainly organise good advice very quickly and clean up the mess again. The same applies here: Less is more!

Meet the Experts

Lawyer Richard Bode on the TTDSG

Lawyer Richard Bode shows you what companies must be prepared for when the TTDSG comes into force on 1 December 2021. In particular, the requirements for consent management for websites will be explained using the best practice solution from Usercentrics.

 Online 1 hour Free of charge
Lawyer Richard Bode on the TTDSG

Richard Bode

Lawyer, Data Protection Officer

Mr. Bode is a lawyer specialising in data protection and IT law. He is also a certified external Data Protection Officer (TÜV-DSB) and certified data protection auditor (TÜV-DSA) and trains Data Protection Officers for various educational institutions.

This might interest you too:

Data Protection Breaches

Data Protection Breaches

When is an incident reportable? How can the risk be reduced? How to report data breaches correctly in accordance with the GDPR.
Anonymised data

Informational self-determination

The right to informational self-determination has increasing importance in the digital age and is directly related to data protection and the GDPR.
Data protection basics

Data protection

Data protection is generally the protection of personal data of each individual against their unauthorised collection, processing and disclosure.