
*This report updates a report from 2012

Since 2012, several online data privacy reforms have been initiated or implemented in Germany. Whether or not the European Union Cookie Directive from 2009 has been properly implemented in Germany is subject to disagreement. In 2015, Germany passed a new Data Retention Act and the data retention obligations were supposed to apply to telecommunications providers starting on July 1, 2017. However, following a preliminary court decision that raised doubts about the compatibility of the German Act with EU law, the German Federal Network Agency decided to suspend the obligation for all providers until a final decision. Starting on May 25, 2018, the European Union General Data Protection Regulation will apply directly in Germany. It is supplemented by provisions of the amended German Data Protection Act.

Since 2012, several online data privacy reforms have been initiated or implemented in Germany, as further discussed below.

I. EU Cookie Directive

European Union (EU) Directive 2009/136/EC on the processing of personal data and the protection of privacy in the electronic communications sector (the Cookie Directive),[1] which amended the ePrivacy Directive,[2] has still not been expressly implemented in Germany. The amendment deals with the use of cookies and similar techniques, and the consent of the user as a requirement for storing or gaining access to information.[3] The German government claims that an implementation is not necessary as existing German law already conformed to the requirements of the Cookie Directive[4] and the EU Commission initially seemed to share that view.[5] However, a study prepared for the EU Commission in 2015 noted that Germany had not transposed the amendment of the ePrivacy Directive.[6] German federal and state data protection authorities are of the view that the German rules do not completely implement the amended EU Directive.[7] In any case, the proposed EU ePrivacy Regulation,[8] which will replace the ePrivacy Directive, contains new rules on cookies, so that the discussion of whether or not the EU Directive has been properly implemented will become obsolete when the Regulation enters into force, which is proposed to occur on May 25, 2018.


II. Data Retention

EU Directive 2006/24/EC on data retention was declared invalid by the Court of Justice of the European Union (ECJ) on April 8, 2014, and has not been replaced by new EU legislation.[9] Instead, national data retention laws are applicable, but they are subject to review by the ECJ.[10] In December 2015, Germany passed a new Data Retention Act, which amended the German Telecommunications Act (TCA) and the German Code of Criminal Procedure.[11] The amended provisions of the TCA obligate providers of publicly available telecommunication services to store certain user traffic data for a period of four weeks (location data) or ten weeks (communication data) and make them available to law enforcement upon request.[12] User metadata that need to be retained by internet access service providers include IP addresses, port numbers, and the date and time of internet access.[13] The amendments entered into force in December 2015 and the data retention obligations were supposed to apply to the providers after an interim period starting on July 1, 2017.[14] However, on June 22, 2017, the Higher Administrative Court of North Rhine-Westphalia held in an application for an interim order that the plaintiff in the case, a telecommunications provider, need not comply with the data retention obligation until the court has reached a final judgment.[15] The Court stated that it was doubtful whether the German data retention provisions were compatible with the requirements for national data retention laws as formulated by the ECJ.[16]

Even though the judgment only has effect for the parties involved in the case, the German Federal Network Agency (Bundesnetzagentur), a higher federal authority that regulates the telecommunications sector, decided to suspend the data retention obligations of the TCA for all providers until the final judgment and thus will not levy any fines for failure to comply until then.[17] Separately, the Parliamentary Research Services of the German Parliament has also found that the German data retention provisions are incompatible with the requirements for data retention that the ECJ formulated in its judgment.[18]


III. General Data Protection Regulation

The EU General Data Protection Regulation (GDPR)[19] entered into force on May 24, 2016, and will apply directly in Germany starting on May 25, 2018, with generally no domestic implementing legislation needed.[20] However, the GDPR also contains “opening clauses” that permit derogations for national legislation in certain areas[21] and specifically allows EU Member States to incorporate elements of the GDPR into their national law as far as necessary for coherence and making it comprehensible.[22] Germany therefore published the amendment of its Data Protection Act, which aligns it with the requirements of the GDPR and the EU Law Enforcement Directive (EU) 2016/680, in July 2017—the first EU Member State to do so.[23] It will enter into force at the same time as the GDPR will apply in Germany, on May 25, 2018.[24]

The new German Data Protection Act focuses on the areas for which the GDPR contained “opening clauses” allowing Member States to initiate more restrictive provisions, as the other areas are governed by the provisions of the GDPR itself. It also has a wider scope than the GDPR; it applies to the processing of personal data by federal and state public authorities and bodies as well as by private bodies.[25] The new German Data Protection Act took advantage of the opening clauses related to collection and use of employee data,[26] special categories of data (sensitive data),[27] processing of data for research purposes and statistical purposes,[28] processing for archiving purposes in the public interest,[29] processing for other purposes than the ones for which the personal data have been originally collected,[30] restrictions on the investigative power of data protection authorities in cases of professional secrecy,[31] appointment of data protection officers,[32] consumer loans,[33] credit reports and scoring,[34] sanctions,[35] the right of data protection authorities to file an action against a decision of the EU Commission,[36] video surveillance,[37] and restrictions on some of the data subjects’ rights.[38]

With regard to online privacy rights, the restrictions on the data subject’s right to erasure and to access data are the most important differences compared to the GDPR. If in a case of nonautomated data processing erasure is impossible or only possible with a disproportionate effort due to the specific mode of storage, and if the data subject’s interest in erasure is minimal, the right to erasure is replaced with a right to restriction of processing as codified in article 18 of the GDPR. This modification is not applicable if the processing was unlawful. Furthermore, the right to restriction applies instead of the right to erasure if erasure would conflict with a legal duty of the controller to retain the data for a specific time period.[39]

The Act restricts the right to access personal data in cases where they are only stored because the data may not be deleted due to legal provisions mandating retention (archived data), or the personal data are solely kept for purposes of monitoring or safeguarding data, or for data protection audits, and providing information would require a disproportionate effort.[40]

Lastly, the German Data Protection Act requires each company with ten or more employees involved in the automated processing of personal data to appoint a data protection officer, whereas the GDPR only obligates public authorities or bodies and entities whose core activities consist of processing operations that require regular and systematic monitoring of data subjects or processing of special categories of data on a large scale to appoint one.[41]


Prepared by Jenny Gesley
Foreign Law Specialist
December 2017


[1] Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 Amending Directive 2002/22/EC on Universal Service and Users’ Rights Relating to Electronic Communications Networks and Services, Directive 2002/58/EC Concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector and Regulation (EC) No. 2006/2004 on Cooperation Between National Authorities Responsible for the Enforcement on Consumer Protection Laws (Cookie Directive), 2009 O.J. (L 337) 11, http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2009:337:0011:0036:en:PDF, archived at http://perma.cc/KW92-SUVC.

[2] Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 Concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector (Directive on Privacy and Electronic Communications) (ePrivacy Directive), 2002 O.J. (L 201) 37, http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32002L0058&from=en, archived at http://perma.cc/LCQ4-LCJR.

[3] Cookie Directive art. 5, para. 3.

[4] European Commission, Directorate-General for the Information Society and Media, Questionnaire on the Implementation of the Article 5(3) of the ePrivacy Directive 7 (Oct. 4, 2011), https://www.telemedicus.info/uploads/Dokumente/COCOM11-20QuestionnaireonArt.53e-PrivacyDir.pdf, archived at http://perma.cc/N6SV-CMA4.

[5] Adrian Schneider, EU-Kommission: Cookie-Richtlinie ist in Deutschland umgesetzt [EU Commission: Cookie Directive has Been Implemented in Germany], Telemedicus (Feb. 5, 2014), https://www.telemedicus.info/article/2716-EU-Kommission-Cookie-Richtlinie-ist-in-Deutschland-umgesetzt.html, archived at http://perma.cc/T7NB-T39V.

[6] European Commission, Directorate-General for the Information Society and Media, ePrivacy Directive: Assessment of Transposition, Effectiveness and Compatibility with proposed Data Protection Regulation. Final Report 63 (Jan. 31, 2015), https://publications.europa.eu/en/publication-detail/-/publication/573b8f74-7220-41d7-9e4b-477ab1d45e29, archived at http://perma.cc/5SZ6-KQGW.

[7] Düsseldorfer Kreis, Umlaufentschließung der Datenschutzbeauftragten des Bundes und der Länder vom 05. Februar 2015. Keine Cookies ohne Einwilligung der Internetnutzer [Decision of the Data Protection Commissioners of the Federation and the States of February 5, 2015. No Cookies Without Consent of the Internet User], https://www.ldi.nrw.de/mainmenu_Service/submenu_Entschliessungsarchiv/Inhalt/Entschliessungen_Datenschutzkonferenz/Inhalt/Entschliessungen_zwischen_den_Konferenzen/20150205_Keine_Cookies_ohne_Einwilligung_der_Internetnutzer/Keine_Cookies_ohne_Einwilligung_der_Internetnutzer1.pdf, archived at http://perma.cc/9K2N-EYJB.

[8] Proposal for a Regulation of the European Parliament and of the Council Concerning the Respect for Private Life and the Protection of Personal Data in Electronic Communications and Repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications) (ePrivacy Regulation), COM (2017) 10 final (Jan. 10, 2017), http://ec.europa.eu/newsroom/dae/document.cfm?doc_id=41241, archived at http://perma.cc/YX4Q-G2KX.

[9] Joined Cases C-293/12 and C-594/12, Digital Rights Ireland v. Minister for Communications, Marine and Natural Resources, ECLI:EU:C:2014:238, http://curia.europa.eu/juris/celex.jsf?celex=62012CJ0293&lang1=en&type=TXT&ancre, archived at http://perma.cc/XZK2-Y7D5.

[10] Joined Cases C-203/15, Tele2 Sverige AB v. Post-och telestyrelsen & C-698/15 Sec’y of State for the Home Dep’t v. Watson, paras. 75–81, ECLI:EU:C:2016:970, http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62015CJ0203, archived at http://perma.cc/PT73-PD2J.

[11] Gesetz zur Einführung einer Speicherfrist und einer Höchstspeicherfrist für Verkehrsdaten [Act Introducing a Storage Obligation and a Maximum Retention Period for Traffic Data], Dec. 10, 2015, Bundesgesetzblatt [BGBl.] [Federal Law Gazette] I at 2218, http://www.bgbl.de/xaver/bgbl/start.xav?startbk=Bundesanzeiger_BGBl&jumpTo=bgbl115s2218.pdf, archived at http://perma.cc/8PF2-7P9K, English translation of draft act available at http://ec.europa.eu/growth/tools-databases/tris/en/index.cfm/search/?trisaction=search.detail&year=2015&num=288&dLang=EN, archived at http://perma.cc/X7R8-W9WN.

[12] Telekommunikationsgesetz [TKG] [Telecommunications Act] [TCA], June 22, 2004, BGBl. I at 1190, as amended, §§ 113a-113g, http://www.gesetze-im-internet.de/tkg_2004/TKG.pdf, archived at http://perma.cc/BJ7H-RVHL.

[13] Id. § 113b, para. 3.

[14] Id. § 150, para. 13.

[15] Oberverwaltungsgericht NRW [Higher Administrative Court of NRW], June 22, 2017, docket no. 13 B 238/17, http://www.justiz.nrw.de/nrwe/ovgs/ovg_nrw/j2017/13_B_238_17_Beschluss_20170622.html, archived at http://perma.cc/AD9C-U67C.

[16] Joined Cases C-203/15, Tele2 Sverige AB v. Post-och telestyrelsen & C-698/15 Sec’y of State for the Home Dep’t v. Watson, paras. 75–81, http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62015CJ0203, archived at http://perma.cc/PT73-PD2J.

[17] Bundesnetzagentur [Federal Network Agency], Speicherpflicht und Höchstspeicherfrist für Verkehrsdaten [Storage Obligation and a Maximum Retention Period for Traffic Data], June 28, 2017, https://www.bundesnetzagentur.de/DE/Sachgebiete/Telekommunikation/Unternehmen_Institutionen/Anbieterpflichten/OeffentlicheSicherheit/Umsetzung110TKG/VDS_113aTKG/VDS.html;jsessionid=399D3A7061786CA903F0173F0D900C7F?nn=329286#Inhalt, archived at http://perma.cc/73CZ-G3M8.

[18] Wissenschaftliche Dienste [Parliamentary Research Services], Zur Vereinbarkeit des Gesetzes zur Einführung einer Speicherpflicht und einer Höchstspeicherfrist für Verkehrsdaten mit dem EuGH-Urteil vom 21. Dezember 2016 zur Vorratsdatenspeicherung [On the Compatibility of the Act Introducing a Storage Obligation and a Maximum Retention Period for Traffic Data with the Judgment of the ECJ of December 21, 2016 on Data Retention] 24, doc. no. PE 6 – 3000 – 167/16, Jan. 12, 2017, https://www.bundestag.de/blob/492116/d7f0beffe3ae7b37bd666d6b70e2cd22/pe-6-167-16-pdf-data.pdf, archived at http://perma.cc/Z6ER-RLH8.

[19] Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC (General Data Protection Regulation) (GDPR) art. 4 (1), 2016 O.J. (L 119) 1, http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN, archived at http://perma.cc/UWW3-KFMH.

[20] Id. art. 99; Consolidated Version of the Treaty on the Functioning of the European Union (TFEU) art. 288, para. 2, 2012 O.J. (C 326) 47, http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:12012E/TXT&from=EN, archived at https://perma.cc/K69X-SDQ9. Some provisions nonetheless require for their implementation the adoption of application measures by the Member States—for example, the appointment of a national regulator and administrative sanctions for a violation of the GDPR.

[21] GDPR, supra note 19, recitals 10, 19, 52; art. 9, para. 4; art. 88.

[22] Id. recital 8.

[23] Gesetz zur Anpassung des Datenschutzrechts an die Verordnung (EU) 2016/679 und zur Umsetzung der Richtlinie (EU) 2016/680 (Datenschutz-Anpassungs- und -Umsetzungsgesetz EU - DSAnpUG-EU) [Act to Adapt the Data Protection Law to Regulation (EU) 2016/679 and to Implement Directive (EU) 2016/680 (Data Protection Adaption and Implementation Act EU)], June 30, 2017, BGBl. I at 2097, http://www.bgbl.de/xaver/bgbl/start.xav?startbk=Bundesanzeiger_BGBl&jumpTo=bgbl117s2097.pdf, archived at http://perma.cc/DL3C-LKGD, English translation available at https://www.bmi.bund.de/SharedDocs/downloads/EN/gesetztestexte/datenschutzanpassungsumsetzungsgesetz.pdf?__blob=publicationFile&v=1, archived at http://perma.cc/K79T-PMUW.

[24] Id. art. 8.

[25] Id. art. 1, § 1; GDPR, supra note 19, recital 19.

[26] Data Protection Adaption and Implementation Act EU, art. 1, § 26.

[27] Id. art. 1, § 22.

[28] Id. art. 1, § 27.

[29] Id. art. 1, § 28.

[30] Id. art. 1, § 24.

[31] Id. art. 1, § 29, para. 3.

[32] Id. art. 1, § 38.

[33] Id. art. 1, § 30.

[34] Id. art. 1, § 31.

[35] Id. art. 1, §§ 41 et seq.

[36] Id. art. 7, no. 5, § 42b.

[37] Id. art. 1, § 4.

[38] Id. art. 1, §§ 32–37.

[39] Id. § 35, para. 3; GDPR, supra note 19, art. 17, para. 3b.

[40] Data Protection Adaption and Implementation Act EU, art. 1, § 34.

[41] Id. art. 1, § 31, GDPR, supra note 19, art. 37.


Last Updated: 12/30/2020