From December onwards, with the entry into force of the law on data protection in telecommunications and telemedia (TTDSG), there are for the first time legal requirements for services with which consumers can manage their consent to the setting of cookies by website operators and the associated data processing. For example, “Personal Information Management Systems” (PIMS) or single sign-on solutions come into consideration. Observers are hoping for some “relief” from the current flood of cookie banners. For the most part, experts are more skeptical.
PIMS & Co
The effects of the TTDSG depend entirely on how it is interpreted, explained Florian Glatzner from the Federal Association of Consumer Organizations (vzbv) on Wednesday at the Data Day of the Data Protection Foundation in Berlin. Should general objections, for example to advertising tracking, be recognized, consumers could for the most part breathe a sigh of relief. In this case, the advertising industry and portal operators such as publishers would have to accept such a technically expressed declaration. Users should not be bombarded with cookie banners anyway.
According to the TTDSG, the federal government still has to define the recognition procedure for PIMS & Co. by means of an ordinance with the consent of the Bundestag and the Bundesrat. This should also include detailed technical and organizational measures.
Glatzner argued, in line with an opinion of the vzbv, that the framework should include as many different services as possible. The user must be able to decide for himself whether he wants to use the Max Schrems model on the basis of an Advanced Data Protection Protocol or trust a commercial login solution more.
The consumer advocate pointed out that the TTDSG would only implement the outdated guidelines for data protection in electronic communication. The more extensive e-privacy regulation is still pending. Here the Council of Ministers has deleted the clause for data protection-friendly default settings in the browser, while the EU Parliament is pushing for such a possibility for “signaling” decisions. The final compromise here remains to be seen, as does the Data Governance Act planned in parallel, with its requirements for trustees.
Create a “trustworthy environment”
Since consent is “mostly mandatory” under the General Data Protection Regulation (GDPR), PIMS offer little added value, according to Michael Neuber from Google’s lobbying department. He therefore advocated creating a “trustworthy environment” for the processing of initially personal data through technical default settings such as extensive pseudonymisation. It is important to have an “industry-wide solution in order to still ensure traceability in HTTP”.
The lawyer advocated Google’s Privacy Sandbox approach as a way to develop data protection-friendly techniques beyond third-party cookies, which do not come directly from the actual website operator and are used for comprehensive tracking. So far, there are 30 proposals under this umbrella, such as the controversial FLoC for tracking users through federated learning. In the company’s own browser, Chrome, there is no longer any option to read out its “fingerprint” and use it to create profiles.
In the case of PIMS, Neuber also warned that the signals from the management system to the browser, as well as communication with other websites and servers, must be secured. There is still no standard for this. So far it can hardly be determined whether a consent signal has been “obtained by people” and is “valid and with integrity”. With the browser-based “Do Not Track” standard, other players such as providers and router manufacturers had over time made the default settings themselves, which should not be repeated.
Google may no longer be dependent on cookies, said Bernd Nauen, Managing Director of the Central Association of the German Advertising Industry (ZAW). The group has other options to fill its data storage. For many other companies, however, cookies are a “very important technology” for financing themselves in a data-driven way and scaling their business online. If Google wants to develop in a different direction, this is “wonderful”. A limit is reached, however, “if the legitimate positions of others are curtailed”.
Nauen dismissed the appeal from the EU Parliament, for example, to ban targeted “spying” advertising as a “wrong path”. This would only lead to a larger flood of “not relevant” ads and more paid content, which the general public would not like. Contextual advertising without tracking is not a serious alternative. According to the insider, the protocol proposed by Schrems is also unlikely to be “recognized by many association members as the consent managers they have previously had in mind”.
In principle, the industry is working on PIMS. It should be noted, however, that these “tend not only to be user-friendly”. In addition, the providers of such programs should not become new gatekeepers.
“Toxic Business Models”
Malte Engeler, judge at the Schleswig-Holstein administrative court, referred to “fundamental problems” with the model of consent itself. The hurdles for it are too low, and once it is given, everything is permitted, up to the violation of the essence of fundamental rights. Even “toxic business models” like Facebook’s could be justified with it. Furthermore, inequality is solidifying digitally, as poorer sections of the population in particular are increasingly being tracked. For the lawyer, it is therefore up to the legislature to “grant collective legal protection” and to prohibit consent for certain areas such as personalized advertising. He argues, for example in the context of the e-privacy regulation, for a “clear, strict, hard regulation”, so that an opt-in to profiling is no longer possible. This is the only way to avoid a situation in which “we have to worry about cookie banners everywhere”.
A colleague of Engeler’s from the Regensburg Administrative Court, Kristin Benedikt, described consent as overrated. The GDPR and the TTDSG provide for many cases in which a different legal basis applies for data processing. It is now also legally regulated that users can pay for services with their data. PIMS would offer “great solutions to resolve many scenarios”. The civil courts could then examine whether companies “ripped off users” with their business models or “solved the challenges properly through the terms and conditions”.
In the meantime, the Federal Ministry of Economics has initially formed expert groups and commissioned an expert opinion on PIMS, explained Rolf Bender from the lead department. There is still a great need for consultation. The aim is to present a first draft for the regulation in the first quarter of 2022. Since this must be notified to the EU Commission, a decision in the federal cabinet can be expected in autumn. The rules can then come into force at the end of 2022.