Enlarge image
Cookie query
Photo: Bernd Weissbrod / dpa
It is already well after midnight when Bundestag Vice-President Hans-Peter Friedrich calls item 13 on the agenda - "Data protection in telecommunications".
It is about the Telecommunication-Telemedia-Data Protection Act, TTDSG for short.
A central point in it: new rules for cookies and the unloved cookie banners.
"The millions of cookie consents that pop up on German screens every day have nothing to do with digital self-determination, but with digital Sisyphean work," explains CDU MP Hansjörg Durz in front of the barely filled plenum.
"We have to free the citizens of this."
In fact, the draft law from the Federal Ministry of Economics has the exact opposite effect.
For a decade, the German legislator had neglected to finally transfer European regulations on advertising cookies into German law.
The Federal Court of Justice made it clear in May of last year that this can no longer continue: If companies want to save data on users' computers for advertising purposes, they must first give their consent.
In doing so, the judges revealed a loophole in the law that the legislature was supposed to close since 2011.
Flood of cookie banners
The result was a sudden flood of cookie banners and pop-ups that urge the audience to consent to the data processing or to send them through a veritable maze of setting options if they want to object to the data collection.
With the current draft law, this would largely be stipulated, thereby eliminating the contradiction between European and German law.
But nobody is really satisfied with the current situation: trade associations complain about the great effort and the deterrent effect, while data protectionists complain about the confusion that makes real control of their own data almost impossible.
For this reason, the law in the Bundestag is to be significantly expanded.
The CDU MP Tankred Schipanski had already explained where the journey should go before the debate: He wants to oblige browser manufacturers to integrate a central setting option for the cookies into the programs, he explained to the dpa.
While opposition politicians like Anke Domscheit-Berg are also calling for a browser solution, the approaches are very different.
In a guest article in the »Frankfurter Allgemeine Zeitung«, Schipanski's parliamentary group colleague Thomas Jarzombek and Professor Rolf Schwartmann from the Technical University of Cologne advertise a more detailed solution: The browser manufacturers are supposed to integrate »consent management systems« where trustees use the data the user should manage based on their specifications.
The aim of the union is to create a data pool that can compete with Google, Facebook, Amazon and Apple.
Data competition with Silicon Valley
Such a trustee could be the provider netID, founded in 2018, which offers a joint log-in for Internet offers and is currently advertising its services with a TV campaign.
No wonder: both the RTL media group and ProSiebenSat.1 are among the initiators of the service, which was founded in 2018.
Despite new additions such as Deutsche Telekom or Axel Springer, NetID currently only lists 123 websites on its own website that support joint log-in.
So there is still a long way to go to become a Google competitor.
Enlarge image
How little meaningful cookie banners are in today's practice is demonstrated by MP Hansjörg Durz on his own website: The users do not find out what data processing is involved, but two "agree" buttons are highlighted.
Photo: twitter
In contrast, consumer advocates want to make it as easy as possible for users to get out of advertising tracking, which creates detailed interest profiles of users by monitoring activities across different websites.
"We need at least a European approach to the ePrivacy Regulation," explains Schleswig-Holstein's data protection officer, Marit Hansen, to SPIEGEL.
"In my opinion - and also according to the requirements of the GDPR - the starting point must be 'data protection by default', that is, data protection-friendly default settings," says Hansen.
The rift also goes through the coalition.
The SPD-led Federal Ministry of Justice had already drawn up a catalog of requirements for cookie banners in 2019, which should make it as easy as possible for users to forbid any data transfer.
The Union-led Federal Ministry of Economics advocated a contradicting regulation in the hearing process: Browser manufacturers should even be forbidden from blocking cookies if a user had given his consent.
Apple shows no interest
This approach is aimed at browser manufacturers such as Apple and Mozilla, who for years have been blocking more and more cookies and other tracking techniques in Safari and Firefox that are supposed to monitor users across the web.
The main goal, however, is Google: The group is the world leader with its Chrome browser and has announced that it will be withdrawing from the cookie system for the coming year.
This is to be replaced by a new system that collects data less invasively.
At the request of SPIEGEL, neither Mozilla nor Google commented.
Apple only sent links to the company's position from 2019: »Safari is a browser with advanced features to protect your privacy.
These prevent cross-site tracking and minimize the data that is transmitted to other providers. "In other words: Forcing the iPhone company to adopt a special German method that wants to enforce more data transfer is likely to be very difficult.
German browser law would have a hard time
In any case, a national browser law would face major difficulties, as lawyer Simon Assion told SPIEGEL.
On the one hand, browsers are global products, on the other hand, the data protection regulations also relate to smartphone apps or any other software that communicates with the Internet.
"Something like this at least belongs at the EU level or, even better, should be agreed as a global industry standard," says Assion.
In addition, it is difficult to reconcile the ideas of the Union with the applicable EU law: "The GDPR presupposes that consents are only effective if they have been 'informed' and given 'for the specific case'," explains Assion.
If data trustees were to translate the user's will into such consents, assume a high level of trust in the respective provider.
The economic committee must now decide how to proceed.
The parliamentarians are under time pressure they have caused themselves.
On the one hand, the legislative period ends in autumn - little time for hearings and extensive legal work.
On the other hand, the Telecommunication-Telemedia-Data Protection Act was written as a supplement to the Telecommunication Modernization Act.
That would actually have been due in December in order to meet the European Union's deadlines.
If the parliamentarians only manage to pass one of the laws, a whole series of new legal loopholes would be the result.
"It is imperative that both laws take effect at the same time," warned the Federal Data Protection Commissioner Ulrich Kelber.
"Otherwise the privacy of electronic communication would be at risk."