Germany’s Teleservices Data Protection Act [Published in Privacy Law & Policy Reporter, 1998, volume 5, pp 53–54] Lee A Bygrave Germany has recently enacted federal data protection legislation for electronic information and communication services. The legislation, in the form of the Teleservices Data Protection Act (Teledienstedatenschutzgesetz) of 1997,1 is the first legislation in Europe, if not the world, specifically to address privacy and data protection issues in an Internet context. It can be expected to exert considerable influence on other countries’ legislative activity in the field. The Teleservices Data Protection Act was passed as one element of a broader legislative package to regulate electronic information and communication services.2 The legislative package deals with a wide range of issues, including digital signatures and legal protection of databases.3 For present purposes, however, it is the provisions on privacy and data protection which are of concern. In the following, I do not attempt to describe the Teleservices Data Protection Act in its entirety, but focus on its most interesting and central features. The rules in the Act are largely based on the core principles of fair information practices found in other data protection laws. What is innovative about the Act, though, is the way in which it extends these principles to cover a variety of issues – transactional anonymity, pseudonymity, cookies, processing of clickstream data, etc – which have gained prominence with the emergence and widening use of distributed computer networks such as the Internet. Also innovative is the Act’s focus on what Germans call ‘systemic data protection’ (‘Systemdatenschutz’); ie, the integration of data protection concerns with the development and functionalities of information systems. Ambit The notion of ‘teleservices’ is defined broadly to cover ‘all electronic information and communication services which are designed for the individual use of combinable data such as characters, images or sounds and are based on transmission by means of telecommunication’ (s 2(1) of the Teleservices Act). Examples of such services which are mentioned in the legislation are telebanking, telegaming and provision of Internet access. However, certain types of telecommunication, broadcasting and mass media services which could qualify as teleservices under the above definition are expressly exempted from coverage by the legislation. 1 Long title: Act on the Protection of Personal Data used in Teleservices (Gesetz über den Datenschutz bei Telediensten). The Act was adopted on 22.7.1997 and entered into force on 1.8.1997. 2 An English translation of the entire legislative package is available at URL http://www.iid.de/iukdg/iukdge.html. For the German version, see URL http://www.iid.de/rahmen/iukdgk.html. 3 For a brief overview of the whole legislative package, see U Wuermeling, ‘Multimedia Law – Germany’ (1998) 14 Computer Law & Security Report, 41–44. Anonymity The issue of transactional anonymity is expressly addressed in the Act. Section 3(4) provides that ‘[t]he design and selection of technical devices to be used for teleservices shall be oriented to the goal of collecting, processing and using either no personal data at all or as few data as possible’. Further, the Act stipulates that a teleservice provider ‘shall offer the user anonymous use and payment of teleservices or use and payment under a pseudonym to the extent technically feasible and reasonable’ and that the user ‘shall be informed about these options’ (s 4(1)).4 These provisions are reinforced in s 4(2), which requires teleservice providers to ‘take technical and organizational measures to ensure that … personal data generated in connection with the process of requesting, accessing or otherwise using teleservices are erased immediately upon conclusion of the procedure unless further storage is required for accounting purposes’. This erasure requirement obviously extends to clickstream data insofar as the latter are personal. Data deletion requirements are also stipulated in s 6(2), with an 80-day maximum period allowed for the retention of user-related accounting data, unless there are payment disputes. Teleservice providers are prohibited from passing on to other providers or third parties – not including criminal prosecution agencies – any data relating to users’ utilisation of a teleservice with the exception of ‘anonymised utilization data for the purpose of market research’ or ‘accounting data to the extent necessary for collecting a claim’ (s 6(3)). Invoices for the use of a teleservice may only reveal ‘the provider, time, duration, type, content and frequency’ of teleservice use if the user asks for such details (s 6(5)). The Act fails to define what is meant by ‘anonymous’. Presumably, anonymity is to be defined in the light of s 3(7) of the Federal Data Protection Act. This provision defines ‘depersonalized data’ as information which ‘can no longer be attributed to ... [an identified or identifiable natural person] or only with a disproportionately great expenditure of time, money and labour’. Electronic consent Particularly innovative in the Act is its provision for teleservice users to be able to declare their consent electronically. Electronic declaration of consent is allowed if the teleservice provider ‘ensures that 1. such consent can be given only through an unambiguous and deliberate act by the user, 2. consent cannot be modified without detection, 3. the creator can be identified, 4. the consent is recorded and 5. the text of the consent can be obtained by the user on request at any time’ (s 3(7)). 4 Note also s 4(4), set out below in relation to profiling. Abuse of monopoly position The Act attempts to address the situation in which a teleservice provider exploits its service monopoly by forcing users to consent to the processing of their data for purposes other than the performance of teleservices. Section 3(3) states: ‘The provider shall not make the rendering of teleservices conditional upon the consent of the user to the effect that his data may be processed or used for other purposes if other access to these teleservices is not or not reasonably provided to the user’. Restrictions on marketing Like the EU Directive on data protection, the Teleservices Data Protection Act is expressly concerned with limiting the extent to which data controllers can exploit data for the purpose of marketing goods and services vis-à-vis the data subjects. Building on Art 14(b) of the Directive, the Act provides that ‘[p]rocessing and use of contractual data for the purpose of advising, advertising, market research or for the demand-oriented design of the teleservices are only permissible if the user has given his explicit consent’ (s 5(2)). Profiling The Act takes a restrictive approach to profiling practices. Teleservice providers are required to ensure that ‘personal data relating to the use of several teleservices by one user are processed separately; a combination of such data is not permitted unless it is necessary for accounting purposes’ (s 4(2)(4)). Further, the creation of user profiles is allowed only if pseudonyms are employed, and the ‘[p]rofiles retrievable under pseudonyms shall not be combined with data relating to the bearer of the pseudonym’ (s 4(4)). It is uncertain from the Act whether the restrictions in s 4(4) may be waived by the consent of the data subject. Orientation of data subjects In addition to making provision for ordinary data access rights,5 the Act requires teleservice providers to orient users about aspects of their data-processing practices on their own initiative. These requirements elaborate upon and extend Arts 10 and 11 of the EU Directive on data protection. The most central of these requirements states that a user of teleservices ‘shall be informed about the type, scope, place and purposes of collection, processing and use of his personal data’ (s 3(5)). The provision goes on to address the use of cookies mechanisms, stipulating that, ‘[i]n case of automatic processing, which permits subsequent identification of the user and which prepares the collection, processing or use of personal data, the user shall be informed prior to the beginning of the procedure’. The user must also be informed about his/her right to withdraw consent to a given data5 See s 7: ‘The user shall be entitled at any time to inspect, free of charge, stored data concerning his person or his pseudonym …. The information shall be given electronically if so requested by the user. […]’. processing operation (s 3(6)). He/she must further be notified of whatever options exist for making anonymous or pseudonymous use and payment of teleservices (s 4(1)). Finally, he/she must be notified of any communication to other providers of data relating to his/her teleservice usage (s 4(3)).