Privacy Law and Policy Reporter
Germany has recently enacted federal data protection legislation for electronic information and communication services. The legislation, in the form of the Teleservices Data Protection Act (Teledienstedatenschutzgesetz) of 1997, is the first legislation in Europe, if not the world, specifically to address privacy and data protection issues in an Internet context. It can be expected to exert considerable influence on other countries’ legislative activity in the field.
The Teleservices Data Protection Act was passed as one element of a broader legislative package to regulate electronic information and communication services, sometimes referred to as the ‘Multimedia Law’. The legislative package deals with a wide range of issues, including digital signatures and legal protection of databases. For present purposes, however, it is the provisions on privacy and data protection which are of concern.
In the following, I do not attempt to describe the Teleservices Data Protection Act in its entirety, but focus on its most interesting and central features.
The rules in the Act are largely based on the core principles of fair information practices found in other data protection laws. What is innovative about the Act, though, is the way in which it extends these principles to cover a variety of issues — transactional anonymity, pseudonymity, cookies, processing of clickstream data, etc — which have gained prominence with the emergence and widening use of distributed computer networks such as the Internet. Also innovative is the Act’s focus on what Germans call ‘systemic data protection’ (‘Systemdatenschutz’); that is, the integration of data protection concerns with the development and functionalities of information systems.
The notion of ‘teleservices’ is defined broadly to cover ‘all electronic information and communication services which are designed for the individual use of combinable data such as characters, images or sounds and are based on transmission by means of telecommunication’ (s 2(1) of the Teleservices Act). Examples of such services which are mentioned in the legislation are telebanking, telegaming and provision of Internet access. However, certain types of telecommunication, broadcasting and mass media services which could qualify as teleservices under the above definition are expressly exempted from coverage by the legislation.
The issue of transactional anonymity is expressly addressed in the Act. Section 3(4) provides that ‘the design and selection of technical devices to be used for teleservices shall be oriented to the goal of collecting, processing and using either no personal data at all or as few data as possible’. Further, the Act stipulates that a teleservice provider ‘shall offer the user anonymous use and payment of teleservices or use and payment under a pseudonym to the extent technically feasible and reasonable’ and that the user ‘shall be informed about these options’ (s 4(1)).
These provisions are reinforced in s 4(2), which requires teleservice providers to ‘take technical and organizational measures to ensure that ‘personal data generated in connection with the process of requesting, accessing or otherwise using teleservices are erased immediately upon conclusion of the procedure unless further storage is required for accounting purposes’. This erasure requirement obviously extends to clickstream data insofar as the latter are personal. Data deletion requirements are also stipulated in s 6(2), with an 80-day maximum period allowed for the retention of user-related accounting data, unless there are payment disputes.
Teleservice providers are prohibited from passing on to other providers or third parties — not including criminal prosecution agencies — any data relating to users’ utilisation of a teleservice with the exception of ‘anonymised utilization data for the purpose of market research’ or ‘accounting data to the extent necessary for collecting a claim’ (s 6(3)).
Invoices for the use of a teleservice may only reveal ‘the provider, time, duration, type, content and frequency’ of teleservice use if the user asks for such details (s 6(5)).
The Act fails to define what is meant by ‘anonymous’. Presumably, anonymity is to be defined in the light of s 3(7) of the Federal Data Protection Act. This provision defines ‘depersonalized data’ as information which ‘can no longer be attributed to ... [an identified or identifiable natural person] or only with a disproportionately great expenditure of time, money and labour’.
Particularly innovative in the Act is its provision for teleservice users to be able to declare their consent electronically. Electronic declaration of consent is allowed if the teleservice provider
1. such consent can be given only through an unambiguous and deliberate act by the user,
2. consent cannot be modified without detection,
3. the creator can be identified,
4. the consent is recorded and
5. the text of the consent can be obtained by the user on request at any time [s 3(7)].
The Act attempts to address the situation in which a teleservice provider exploits its service monopoly by forcing users to consent to the processing of their data for purposes other than the performance of teleservices. Section 3(3) states: ‘The provider shall not make the rendering of teleservices conditional upon the consent of the user to the effect that his data may be processed or used for other purposes if other access to these teleservices is not or not reasonably provided to the user’.
Like the EU Directive on data protection, the Teleservices Data Protection Act is expressly concerned with limiting the extent to which data controllers can exploit data for the purpose of marketing goods and services vis-à-vis the data subjects. Building on Art 14(b) of the Directive, the Act provides that ‘processing and use of contractual data for the purpose of advising, advertising, market research or for the demand-oriented design of the teleservices are only permissible if the user has given his explicit consent’ (s 5(2)).
The Act takes a restrictive approach to profiling practices. Teleservice providers are required to ensure that ‘personal data relating to the use of several teleservices by one user are processed separately; a combination of such data is not permitted unless it is necessary for accounting purposes’ (s 4(2)(4)). Further, the creation of user profiles is allowed only if pseudonyms are employed, and the ‘[p]rofiles retrievable under pseudonyms shall not be combined with data relating to the bearer of the pseudonym’ (s 4(4)). It is uncertain from the Act whether the restrictions in s 4(4) may be waived by the consent of the data subject.
The user must also be informed about his/her right to withdraw consent to a given data-processing operation (s 3(6)). He/she must further be notified of whatever options exist for making anonymous or pseudonymous use and payment of teleservices (s 4(1)). Finally, he/she must be notified of any communication to other providers of data relating to his/her teleservice usage (s 4(3)).
Lee Bygrave Research Fellow, Norwegian Research Centre for Computers and Law and member of PLPR’s editorial board.