The industry association Bitkom criticizes the position of the Data Protection Conference on web tracking and has published a statement on this. The Conference of Independent Federal and State Data Protection Authorities (DSK) had previously assessed the relationship between the new General Data Protection Regulation and the existing German Telemedia Act (TMG). In their opinion, the General Data Protection Regulation, which will apply from May 25, 2018, would completely replace the previous provisions of the Telemedia Act on web tracking. In the view of the digital association Bitkom, this interpretation is incorrect and the timing of the statement is extremely unfortunate. "This interpretation of the legal situation just a few weeks before the General Data Protection Regulation comes into force comes at an inopportune time for companies," says Susanne Dehmel from Bitkom's Executive Board, where she is responsible for legal affairs and security. "Website operators would have to change their previously lawful processes within a very short space of time. This is hardly feasible and the supervisory authorities should also be aware of this."

Web tracking falls under two directives

Bitkom explained the background in a press release on Friday. According to this, web tracking falls legally within the scope of both the General Data Protection Regulation and the ePrivacy Directive. The e-Privacy Directive is currently being revised in Brussels and is to be given the character of a European regulation, which will reduce the member states' leeway to a minimum. Against this background, the German legislator has so far left the national TMG regulations in place. The position of the DSK now states that website operators require the consent of internet users before they are allowed to track their surfing behavior or create user profiles. According to the German Telemedia Act, in many cases it has been sufficient to make the use of tracking transparent and to give users the opportunity to object to tracking (opt-out). However, even with the application of the General Data Protection Regulation, many legal experts still see room for the use of cookies or similar tracking tools on the basis of the legal permissions, for example in the case of legitimate provider interests, in contrast to the DSK.

From Bitkom's point of view, the DSK position creates additional legal uncertainty just a few weeks before the General Data Protection Regulation comes into force and only months before the ePrivacy Regulation is finalized. "In the short time available, many small and medium-sized companies in particular will not be able to make all the necessary adjustments," says Dehmel. This threatens trouble with the supervisory authorities and warnings under competition law. "The interpretation of the supervisory authorities puts many companies in a very difficult situation without any need."

"Devastating signal" to companies

In the industry association's statement on the "Position of the DSK on web tracking", Bitkom criticizes the legal policy signal in particular. It reads: "The DSK's paper sends a devastating signal to all those companies that make an honest effort to conscientiously implement and comply with the GDPR and other data protection rules. Over the past two years, Bitkom companies have been actively involved in interpreting, publicizing and helping to implement the regulations in practice. Under the GDPR, the supervisory authorities are also responsible for raising awareness and advising data controllers as well as promoting chain of custody and certifications. In our view, this includes a more intensive dialog with data controllers. As in the case of most other DSK papers, this did not take place in advance of this paper. Instead, four weeks before the GDPR becomes applicable, the DSK publishes a paper suggesting that companies must now convert their previously lawful opt-out processes to opt-in procedures within a very short space of time. It should be clear to the supervisory authorities that experience has shown that this is hardly feasible for many companies in the time remaining. If not, this only shows the urgency of a structured, comprehensive dialog with industry and associations. Only in this way can we create a minimum level of legal certainty for law-abiding companies and at the same time prevent a large number of avoidable data protection breaches. This would help both data protection and companies."

You can find the statement in full at the following link: https://www.bitkom.org/noindex/Publikationen/2018/Positionspapiere/180511-Positionsbestimmung-der-Datenschutzkonferenz-vom-26-April-2018/Bitkom-Stellungnahme-Position-DSK-DSGVO-TMG.pdf