What is the Telecommunications and Telemedia Data Protection Act (TTDSG)?
The "Act on the Regulation of Data Protection and the Protection of Privacy in Telecommunications and Telemedia", known in short as the "Telecommunications-Telemedia Data Protection Act" and abbreviated as "TTDSG", is intended to bring together various data protection regulations, specifically the sector-specific data protection regulations of the Telemedia Act (TMG) and the Telecommunications Act (TKG).
For example, there is a section on "data protection" in the Telemedia Act (TMG) and the Telecommunications Act (TKG) also explicitly refers to data protection and telecommunications secrecy in Part 7. Until now, the GDPR and the TMG and TKG have existed side by side and caused certain legal uncertainties, which are now to be abolished with the restructuring. The TTDSG will come into force on 01.12.2021 and will in particular bring new regulations for cookies and so-called PIMS.
Note
The TTDSG became the TDDDG on 13 May 2024. The Telecommunications Telemedia Data Protection Act originally came into force on 1 December 2021 under the abbreviation "TTDSG". The law was renamed the "Telecommunications Digital Services Data Protection Act (TDDDG)" in order to harmonise German law with the European Digital Services Act (DSA). The term "telemedium" was mainly replaced by the terminology "digital service" of the European regulation.
Most important information on the TTDSG
- The TTDSG is the abbreviation for the "Gesetz zur Regelung des Datenschutzes und des Schutzes der Privatsphäre in der Telekommunikation und bei Telemedien", which is referred to in abbreviated form as the "Telekommunikation-Telemedien-Datenschutzgesetz" (Telecommunications and Telemedia Data Protection Act)
- The Data Protection Act TTDSG applies from 01.12.2021
- In the Act, data protection provisions from the Telemedia Act and the Telecommunications Act are repealed or transferred to the TTDSG.
- "Personal Information Management Services" (PIMS) are regulated, which are defined as recognised services for the management of personal information
Emergence of the TTDSG
The "Act on the Regulation of Data Protection and the Protection of Privacy in Telecommunications and Telemedia", known in short as the "Telecommunications-Telemedia Data Protection Act" and abbreviated as "TTDSG", is intended to bring together various data protection regulations, specifically the sector-specific data protection regulations of the Telemedia Act (TMG) and the Telecommunications Act (TKG). There is a "Data protection" section in the TMG, and the TKG also expressly refers to data protection and telecommunications secrecy in Part 7. Until now, the GDPR and the TMG and TKG have existed side by side and caused certain legal uncertainties, which are now to be abolished with the reorganisation.
To this end, the data protection provisions from the TMG and TKG are repealed or transferred to the TTDSG. If you take a closer look at these adjustments, you will see that the regulations in question have simply been removed from both the TKG and the TMG and transferred to the new TTDSG, in part even in the exact wording.
Background of the TTDSG
Apart from the newly integrated regulations from the TMG and TKG, the new TTDSG offers hardly any innovations at first glance. Of course, this law was not created for cosmetic reasons only; there are very tangible reasons behind it. Specifically, it is about the final harmonisation of the previous German law with the regulations from the General Data Protection Regulation and the ePrivacy Directive, which have existed for some time now.
Harmonisation with the GDPR
The adjustments to harmonise with the General Data Protection Regulation are minor. There is a simple reason for this: there have already been quite a few. In the three years since the GDPR came into force, some amendments were made to both the TKG and the TMG to address the new regulations. In fact, however, there has been a duplication of many regulations. A look at the version of the Telemedia Act that is still in force shows that the service provider (for example, the operator of a website) is subject to special regulations on the information of data subjects and that special regulations also apply, for example, for consent. If these regulations are set against the provisions of the GDPR, this duplication is no longer apparent. Therefore, if one looks at the new TTDSG, it is noticeable that these regulations have been dropped.
Adaptation to the requirements of the ePrivacy Directive
The adaptation to the requirements of the ePrivacy Directive is also of particular importance. As early as last year, the Federal Court of Justice made a decision here that made lawyers shake their heads. The background to this was the question, which had been disputed for many years, of whether the TMG should implement the requirements of the ePrivacy Directive and whether it succeeded in doing so. This was controversial above all with regard to information that was to be stored on users' end devices, better known to most as cookies, even if cookies are only a part of the information that may be stored.
What is the exact content of the TTDSG?
So let us turn to the concrete regulations.
Section 25 TTDSG: Dealing with cookies
"The storage of information in the end-user's terminal equipment or the access to information already stored in the terminal equipment shall only be allowed if the end-user has consented on the basis of clear and comprehensive information. The information to the end-user and the consent shall be provided in accordance with Regulation (EU) 2016/679."
We are therefore confronted with the basic rule that any storage of information in the end user's terminal equipment, or any access to it, requires consent. The attentive data protection practitioner will of course notice that the second sentence of this paragraph catapults us directly into the GDPR, because "Regulation (EU) 2016/679" is nothing other than the GDPR. For questions around the definition of consent, we should therefore simply refer to Article 7 of the GDPR (voluntariness, informedness, transparency, prohibition of tying, etc.).
Of particular importance, however, is the following observation:
The information to be stored does not need to have any identifying effect and, quite explicitly, does not need to be personal data. All information is covered by this regulation, including any purely technical information!
Of course, no rule is without exception. We find this in the second paragraph of § 25 TTDSG:
"Consent under paragraph 1 is not required,
- where the sole purpose of storing information in the end-user's terminal equipment or the sole purpose of accessing information already stored in the end-user's terminal equipment is to carry out the transmission of a communication over a public telecommunications network; or
- where the storage of information in the terminal equipment of the end-user or the access to information already stored in the terminal equipment of the end-user is strictly necessary in order for the provider of a telemedia service to provide a telemedia service explicitly requested by the user".
So we have two scenarios that allow us to store or access the information even without consent.
The first scenario is certainly the less interesting one in everyday life. It merely addresses the self-evident, but of course it also has its justification. It works in a similar way to Art. 6 para. 1 b) or c) GDPR. Even if no personal data need be involved in the specific case, the TTDSG permits the storage of or access to information that is simply necessary for an individual communication process. However, this exception should be interpreted restrictively and applied only in the case of "messages" (see § 2 para. 2 no. 4 TTDSG) to "terminal equipment" (see § 2 para. 2 no. 6 TTDSG) in connection with transmission in a "public communications network" (see § 3 No. 42 of the new TKG).
Much more exciting, of course, is the second scenario. Here, the focus is on the fact that the user wants to use a telemedia service offered by the provider and that the storage of or access to the stored information is absolutely necessary to provide the service. The regulation therefore has two pitfalls. Firstly, it must be an explicitly desired telemedia service. One could therefore basically say that all information, irrespective of entering into contractual relationships or the like, which can at least also be accessed digitally, qualifies as such services.
Secondly, the processing of the information must be absolutely necessary for this service. Now, this is a law that has not even been enacted yet. Therefore, it is not yet possible to answer whether and to what extent there will be qualitative differences between, for example, "necessity" in the GDPR (e.g. Art. 6 (1) (b) GDPR) and "absolute necessity". As a result, both terms will probably be very similar or even synonymous. The "essential" information already known today, which for example realises the shopping basket in an online shop, will probably develop in roughly this direction.
At this point, however, one might ask how far this goes, because in many cases it will be possible to create services on a technical level that do not require such information. Whether an obligation to use the least storage-intensive technology design could then be derived from this remains open at present.
Whenever these exceptions are not fulfilled, the only remaining option is consent under paragraph 1. But that alone would be a very small step and would not bring any improvement with regard to the current forest of banners on European websites. For this reason, Section 26 of the TTDSG was introduced at short notice.
Section 26 TTDSG: What are PIMS?
This makes it possible for users of telemedia services to rely on central administration services to manage consents. These are also known as PIMS (for Privacy Information Management System). Most people are also familiar with these systems, which are now firmly integrated in some browsers (e.g. Do-Not-Track). Of course, these can still be used, but before the providers of telemedia services can be obliged to take them into account, such systems must be recognised by an independent body, which does not yet exist and which would check them on the basis of a legal ordinance that has yet to be drafted.
Further innovations of the TTDSG
Of course, there are other regulations within the new TTDSG that represent an innovation. However, these are less significant in everyday life and include the following aspects:
- According to § 3 TTDSG, the exercise of rights under the secrecy of telecommunications is now also available to the heirs of the actual right holder in a legally regulated manner.
- § 6 TTDSG regulates, for the first time, a precise procedure for the extraction of message content in the transmission process for forwarding to third parties or for independent processing by the TKG obligated party. This is relevant today insofar as providers of TKG services, in simplified terms the message intermediaries, also offer their own services to "get more out of the data".
- The previous "participant directories" have been replaced by the "end-user directories" in § 17 TTDSG. In terms of content, this does not result in any significant changes. Only some obligations to provide information have been included, but these only affect TKG providers.
- In contrast, the issue of providing end-user data (but only those that have been published in the end-user directories at the request of the user) was regulated in more detail. § 18 TTDSG regulates the right of the providers of directory enquiry services to receive the contents of the end user directories in a manner that enables a technical implementation.
- An important and also politically highly controversial innovation is the option in § 23 TTDSG for the TMG service provider to store passwords and other data that are equivalent to passwords or allow similar access. It is important to note, on the one hand, that this is not a mandatory provision ("may") and, on the other hand, that the storage of passwords, in particular, would be hindered by a whole series of obligations under data protection law and, in addition, by § 19 TTDSG, which also requires appropriate technical measures for the protection of information.
Penalties and fines under the TTDSG
§ 28 TTDSG regulates fines for disregarding almost all regulations of the TTDSG, which may be imposed by the Federal Network Agency or the Federal Data Protection Commissioner. These are defined in three levels from €50,000.00 to €100,000.00 to €300,000.00 and will be calculated individually depending on the severity of a violation. And yes, there are also custodial sentences. But these are limited to a very narrow scope of exceptions and relate, on the one hand, to illegal wiretapping and the dissemination of the wiretapping findings of information not intended for the public and, on the other hand, to the covert installation of a telecommunications system for the purpose of listening in on the surroundings without being noticed.
Assessment of the TTDSG by lawyer Richard Bode
At first glance, the TTDSG offers little that is new and contains regulations that will automatically disappear from the TKG and TMG when it comes into force on 1 December 2021. In addition, the law attempts to catch up with the regulations of the GDPR and the ePrivacy Directive and harmonise them with German law.
Conclusion: What do companies need to consider in order to be prepared for the entry into force of the TTDSG?
What to do now? First take a deep breath. Then visit your own website and check whether the consent manager, which hopefully already exists, really only lists data processing under "essential" or "necessary" that really deserve the name. If this is not the case, you should certainly organise good advice very quickly and clean up the mess again. The same applies here: Less is more!
Richard Bode
Mr. Bode is a lawyer specialising in data protection and IT law. He is also a certified external Data Protection Officer (TÜV-DSB) and certified data protection auditor (TÜV-DSA) and trains Data Protection Officers for various educational institutions.