Germany’s Teleservices Data Protection Act

[Published in Privacy Law & Policy Reporter, 1998, volume 5, pp 53–54]
Lee A Bygrave
Germany has recently enacted federal data protection legislation for electronic information and
communication services. The legislation, in the form of the Teleservices Data Protection Act
(Teledienstedatenschutzgesetz) of 1997,[1] is the first legislation in Europe, if not the world,
specifically to address privacy and data protection issues in an Internet context. It can be expected
to exert considerable influence on other countries’ legislative activity in the field.
The Teleservices Data Protection Act was passed as one element of a broader legislative package
to regulate electronic information and communication services.[2] The legislative package deals
with a wide range of issues, including digital signatures and legal protection of databases.[3] For
present purposes, however, it is the provisions on privacy and data protection which are of concern.
In the following, I do not attempt to describe the Teleservices Data Protection Act in its entirety,
but focus on its most interesting and central features.
The rules in the Act are largely based on the core principles of fair information practices found in
other data protection laws. What is innovative about the Act, though, is the way in which it extends
these principles to cover a variety of issues – transactional anonymity, pseudonymity, cookies,
processing of clickstream data, etc – which have gained prominence with the emergence and
widening use of distributed computer networks such as the Internet. Also innovative is the Act’s
focus on what Germans call ‘systemic data protection’ (‘Systemdatenschutz’); ie, the integration of
data protection concerns with the development and functionalities of information systems.
Ambit
The notion of ‘teleservices’ is defined broadly to cover ‘all electronic information and
communication services which are designed for the individual use of combinable data such as
characters, images or sounds and are based on transmission by means of telecommunication’ (s
2(1) of the Teleservices Act). Examples of such services which are mentioned in the legislation
are telebanking, telegaming and provision of Internet access. However, certain types of
telecommunication, broadcasting and mass media services which could qualify as teleservices
under the above definition are expressly exempted from coverage by the legislation.
[1] Long title: Act on the Protection of Personal Data used in Teleservices (Gesetz über den Datenschutz bei Telediensten). The Act
was adopted on 22.7.1997 and entered into force on 1.8.1997.
[2] An English translation of the entire legislative package is available at URL http://www.iid.de/iukdg/iukdge.html. For the German
version, see URL http://www.iid.de/rahmen/iukdgk.html.
[3] For a brief overview of the whole legislative package, see U Wuermeling, ‘Multimedia Law – Germany’ (1998) 14 Computer Law
& Security Report, 41–44.
Anonymity
The issue of transactional anonymity is expressly addressed in the Act. Section 3(4) provides that
‘[t]he design and selection of technical devices to be used for teleservices shall be oriented to the
goal of collecting, processing and using either no personal data at all or as few data as possible’.
Further, the Act stipulates that a teleservice provider ‘shall offer the user anonymous use and
payment of teleservices or use and payment under a pseudonym to the extent technically feasible
and reasonable’ and that the user ‘shall be informed about these options’ (s 4(1)).[4]
These provisions are reinforced in s 4(2), which requires teleservice providers to ‘take technical
and organizational measures to ensure that … personal data generated in connection with the
process of requesting, accessing or otherwise using teleservices are erased immediately upon
conclusion of the procedure unless further storage is required for accounting purposes’. This
erasure requirement obviously extends to clickstream data insofar as the latter are personal. Data
deletion requirements are also stipulated in s 6(2), with an 80-day maximum period allowed for
the retention of user-related accounting data, unless there are payment disputes.
Teleservice providers are prohibited from passing on to other providers or third parties – not
including criminal prosecution agencies – any data relating to users’ utilisation of a teleservice
with the exception of ‘anonymised utilization data for the purpose of market research’ or
‘accounting data to the extent necessary for collecting a claim’ (s 6(3)).
Invoices for the use of a teleservice may only reveal ‘the provider, time, duration, type, content
and frequency’ of teleservice use if the user asks for such details (s 6(5)).
The Act fails to define what is meant by ‘anonymous’. Presumably, anonymity is to be defined in
the light of s 3(7) of the Federal Data Protection Act. This provision defines ‘depersonalized
data’ as information which ‘can no longer be attributed to ... [an identified or identifiable natural
person] or only with a disproportionately great expenditure of time, money and labour’.
Electronic consent
Particularly innovative in the Act is its provision for teleservice users to be able to declare their
consent electronically. Electronic declaration of consent is allowed if the teleservice provider
‘ensures that
1. such consent can be given only through an unambiguous and deliberate act by the user,
2. consent cannot be modified without detection,
3. the creator can be identified,
4. the consent is recorded and
5. the text of the consent can be obtained by the user on request at any time’ (s 3(7)).
[4] Note also s 4(4), set out below in relation to profiling.
Abuse of monopoly position
The Act attempts to address the situation in which a teleservice provider exploits its service
monopoly by forcing users to consent to the processing of their data for purposes other than the
performance of teleservices. Section 3(3) states: ‘The provider shall not make the rendering of
teleservices conditional upon the consent of the user to the effect that his data may be processed
or used for other purposes if other access to these teleservices is not or not reasonably provided to
the user’.
Restrictions on marketing
Like the EU Directive on data protection, the Teleservices Data Protection Act is expressly
concerned with limiting the extent to which data controllers can exploit data for the purpose of
marketing goods and services vis-à-vis the data subjects. Building on Art 14(b) of the Directive,
the Act provides that ‘[p]rocessing and use of contractual data for the purpose of advising,
advertising, market research or for the demand-oriented design of the teleservices are only
permissible if the user has given his explicit consent’ (s 5(2)).
Profiling
The Act takes a restrictive approach to profiling practices. Teleservice providers are required to
ensure that ‘personal data relating to the use of several teleservices by one user are processed
separately; a combination of such data is not permitted unless it is necessary for accounting
purposes’ (s 4(2)(4)). Further, the creation of user profiles is allowed only if pseudonyms are
employed, and the ‘[p]rofiles retrievable under pseudonyms shall not be combined with data
relating to the bearer of the pseudonym’ (s 4(4)). It is uncertain from the Act whether the
restrictions in s 4(4) may be waived by the consent of the data subject.
Orientation of data subjects
In addition to making provision for ordinary data access rights,[5] the Act requires teleservice
providers to orient users about aspects of their data-processing practices on their own initiative.
These requirements elaborate upon and extend Arts 10 and 11 of the EU Directive on data
protection. The most central of these requirements states that a user of teleservices ‘shall be
informed about the type, scope, place and purposes of collection, processing and use of his
personal data’ (s 3(5)). The provision goes on to address the use of cookie mechanisms,
stipulating that, ‘[i]n case of automatic processing, which permits subsequent identification of the
user and which prepares the collection, processing or use of personal data, the user shall be
informed prior to the beginning of the procedure’.
The user must also be informed about his/her right to withdraw consent to a given data
processing operation (s 3(6)). He/she must further be notified of whatever options exist for
making anonymous or pseudonymous use and payment of teleservices (s 4(1)). Finally, he/she
must be notified of any communication to other providers of data relating to his/her teleservice
usage (s 4(3)).
[5] See s 7: ‘The user shall be entitled at any time to inspect, free of charge, stored data concerning his person or his pseudonym …. The
information shall be given electronically if so requested by the user. […]’.