The background

1. On 19 February 2010, the complainant, a German national, complained to the European Commission that Germany had not properly implemented the ePrivacy Directive[1] (the 'Directive'). His complaint addressed three separate aspects, namely the implementation of the 'cookies' provision into German legislation, the storage of collected data and the rules on e-mail marketing. On 31 January 2011, the Commission sent a 'pre-closure letter' setting out why it intended to close the case. Despite the complainant's objections, the Commission subsequently informed him that his case had been closed.

2. The complainant turned to the European Ombudsman. He alleged that the Commission had not dealt with his infringement complaint properly. The Ombudsman opened an inquiry.

3. After having obtained an opinion from the Commission and the complainant’s observations on this opinion, the Ombudsman made a friendly solution proposal[2] to the effect that the Commission consider addressing the complainant's arguments in more detail. After analysing its reply, the Ombudsman found that the Commission had still not adequately explained its decision. She therefore made a draft recommendation[3]. In reply, the Commission argued that no further action was needed. The complainant criticized this view.

4. The Ombudsman's inquiry dealt with the three aspects of the complaint outlined above which will now be addressed in turn.

First aspect: the implementation of the 'cookies' provisions into German legislation

The procedure leading to the draft recommendation

5. The first aspect of the complaint concerned the complainant's argument that the relevant German legislation - the Telemediengesetz (TMG) - did not make the storage of data on a user's device (in what are known as 'cookies' which communicate the user's previous activity to websites) conditional on the user having been informed thereof, as the Directive requires. The Commission considered that Germany had properly implemented the Directive. The complainant argued that the Commission had not answered all his arguments. However, the Commission still closed the case.

6. In its opinion, the Commission stood by this decision, stating that the complainant had not submitted new facts. The complainant disagreed and referred to an e-mail sent to the Commission on 25 May 2011, a few weeks after the Commission had closed the case. In particular, he had pointed out that the relevant provision of the Directive, that is to say Article 5(3), had in the meantime been modified and the deadline for implementing the amended article had expired without Germany having adopted any implementing measures[4].

7. The Ombudsman made the preliminary assessment that the Commission had clearly explained, in its pre-closure letter, why it considered that there were no grounds for it to commence proceedings against Germany. However, it had failed to address the complainant's subsequent argument that Germany had not implemented the amended article. She therefore proposed that it do so.

8. In its reply, the Commission stated that, on 10 May 2012, Germany notified the Commission that it had transposed Directive 2009/136[5], which revised Article 5(3) of the Directive. The complainant observed that reliance on a mere notification from a Member State was not sufficient and that a proper analysis would lead to the conclusion that the relevant German law did not deal with the question of cookies. Even the German data protection supervisor had argued[6] that Article 5(3) had to be given direct effect because Germany had not properly transposed it. The complainant concluded that the Commission had not been able to identify a provision which could be considered to have transposed Article 5(3).

9. In her assessment after the proposal for a friendly solution, the Ombudsman agreed that it would be reasonable to expect that the Commission would have pointed to a specific provision which in its view transposed the amended provision of the Directive into German law. Since the Commission had not adequately explained its position, the Ombudsman recommended that the Commission either re-open its investigation or adequately explain why it did not think that further action was needed.

Arguments made following the draft recommendation

10. In its reply, the Commission referred to its conclusion presented in the pre-closure letter, namely that Articles 12 and 13 of the TMG sufficiently cover the requirements of Article 5(3) of the Directive. Article 12 states that personal data may be processed only where explicitly permitted by the law, or with the user's consent. Article 13 states that a user has to be informed at the beginning of any processing of the scope of this processing. The Commission considered this sufficient, especially in light of the broad definition of 'personal data' in Article 3 of the German data protection law. It added that the German authorities had informed it of their view that Articles 12 and 13 of the TMG implemented the revised version of Article 5(3) of the Directive, and that none of the complainant's arguments prompted the Commission to question this view.

11. The complainant maintained that Articles 12 and 13 of the TMG do not transpose the amended Directive as they do not deal with the 'cookies' issue. He noted that the draft version of the TMG stated that the government wanted to wait for the outcome of discussions on the transposition of the amended 'cookies' provision at the European level. Moreover, while members of the Bundestag belonging to the former coalition government had argued that there was no need to transpose the amended provision since the relevant German law already complied with the Directive, the coalition agreement of the current government stated that non-anonymous profiling must be made dependent on the consumer giving his/her consent. Thus, the amended Article 5(3) was not transposed into German law[7]. Finally, he again pointed to the opinion of the German data protection supervisor.

The Ombudsman's assessment after the draft recommendation

12. Following the Ombudsman's draft recommendation, the Commission provided a more comprehensive explanation as to why it decided not to commence infringement proceedings as regards the first aspect of the complaint. In particular, it clarified that, based on the German government's reply to its questions, it considers that Articles 12 and 13 of the TMG, seen in the context of the German data protection rules, are sufficient to implement both the original and the amended versions of Article 5(3) of the Directive. It thus addressed the complainant's argument that Article 5(3) had been amended since the pre-closure letter, and pointed to specific provisions in German legislation which, in its view, transposed the amended Article 5(3) of the Directive.

13. It is clear from his observations that the complainant still disagrees with the Commission's view, and that his view that the Directive has not been properly implemented is based on some authoritative statements, in particular, by the then German data protection supervisor.

14. According to well-established case-law, the Commission enjoys a wide margin of discretion when deciding whether to commence infringement proceedings against a Member State. Evidently, its view on and interpretation of both European and national legislation may differ from the complainant's, or national governments', or even that of specialised enforcement bodies in the Member States. This is even more so in a situation where there is wide-ranging debate on the interpretation of the underlying EU rules.

15. It is not disputed that Germany did not pass a new law to implement the amended Directive. However, this does not in itself mean that it has not implemented it; even the fact that an existing law does not expressly state the subject matter of the EU rule in question does not in any way preclude the possibility that it constitutes an act which implements the EU rule.

16. In this case, taking into account the content of Articles 12 and 13 TMG as summarised in paragraph 10 above, it was reasonable for the Commission to agree with the view of the German government that these provisions adequately implement the amended version of Article 5(3). It can thus be concluded that, following the draft recommendation, the Commission provided a sufficient explanation of its decision not to commence infringement proceedings as regards the first aspect of the complaint.

Second aspect: the storage of traffic data

The procedure leading to the draft recommendation

17. The complainant argued that Article 100 of the Telekommunikationsgesetz (TKG) allows for a 'non-limited' right to store traffic data. It thus breaches Article 6(1) of the Directive, which states that traffic data must be erased as soon as it is no longer needed for connection purposes, save for carefully defined exceptions; it also breaches Article 15(1) of the Directive, which allows exceptions only where they are "necessary, appropriate and proportionate in a democratic society".

18. In its pre-closure letter, the Commission explained that Article 100(3) TKG does not establish a right to store data, but allows the processing of such data only where such storage is necessary to combat abuse. This, it argued, was in line with Article 4 and recital 29 of the Directive, which refer to the need for measures to ensure the security of the service and allow the processing of billing data to combat any abusive use of the services. In his reply, the complainant argued that Article 6 of the Directive is the only legal basis for the processing of traffic data. Article 4 and recital 29 were thus irrelevant and the recital (i) could in any event not be used as a legal basis to limit a fundamental right and (ii) was also limited to "exceptional cases", whereas Article 100(1) TKG was not. The Commission considered that the complainant had not provided any new facts and closed the case.

19. In its opinion, the Commission stated that the pre-closure letter had already dealt with the complainant's criticism of its reliance on Article 4 and recital 29. The complainant disagreed. He drew attention to his e-mail of 25 May 2011, in which he referred to a judgment of the German Bundesgerichtshof[8] which, according to him, confirmed his interpretation of the German legislation, since it stated that Article 100(1) TKG did not require indications of a fault in the network for data to be processed. The Ombudsman noted that the Commission could not have addressed the complainant's views on Article 4 and recital 29 of the Directive in its pre-closure letter, since the complainant did not raise those issues until he responded to the pre-closure letter.

20. The Ombudsman thus asked the Commission to respond to these points.

21. In its reply, the Commission stated that, even if Article 6(1) of the Directive stated that traffic data had to be erased, it did not "conclusively determine" the question of the processing of traffic data, contrary to what the complainant had argued. In fact, Article 4 required providers to take measures to safeguard the network, and recital 29 provided an insight into the legislator's intention as regards the scope of this requirement. This supported its view that Article 100(3) TKG was in line with the Directive. The Commission also disputed the complainant's view that fundamental rights were being limited. Finally, the Commission did not consider that the judgment of the Bundesgerichtshof had any "substantive effect on the present case". The complainant maintained his position.

22. In her assessment leading to the draft recommendation, the Ombudsman criticised the Commission's view that the rules on storage of data do not limit fundamental rights. She drew the Commission's attention to a recent judgment of the Court of Justice[9] which annulled the Data Retention Directive[10] on the ground that the provisions interfering with fundamental rights in that Directive were not precise enough in order to limit the interference with the fundamental right to the protection of personal data to what is strictly necessary[11].

23. Moreover, she noted that the Commission had not explained why it considers that the judgment of the Bundesgerichtshof has "no substantive effect" on this case, and recommended that it take this judgment into account.

Arguments made following the draft recommendation

24. In its reply, the Commission maintained its original view (see paragraphs 18 and 19 above). It added that recital 53[12] of the Users' Rights Directive 2009/136/EC[13] constituted evidence of the legislator's intention with regard to the processing of traffic data for the purposes of ensuring network and information security.

25. In relation to the judgment of the Court of Justice which annulled the Data Retention Directive, the Commission noted that it post-dated its response to the Ombudsman's friendly solution proposal. While the judgment did not directly concern the Directive, the Commission stated nonetheless that it was in the process of analysing its impact on all related legislation, including the Directive.

26. Finally, as to the Bundesgerichtshof's judgment, the Commission noted that the court found that the retention of IP addresses was proportionate, provided that it was necessary for the detection of failures or errors. According to the Commission, the judgment thus showed that the notion of necessity in the German law in question was in line with the condition in recital 29 of the Directive that the processing of traffic data has to be "necessary in individual cases". The Commission therefore remained of the opinion that the judgment did not have any substantive effect on this case and, therefore, it saw no need to reconsider its position.

27. The complainant did not make any observations in relation to this last-mentioned judgment, but instead pointed to a more recent judgment delivered by the same German court[14] which he criticised for misinterpreting the notion of 'processing of data'.

28. He also considered "irrelevant" the Commission's reliance on recital 53 of the User's Rights Directive. He pointed out that a recital could not limit fundamental rights and that, in any event, it stipulates that data processing may be allowed "to the extent strictly necessary" only. Moreover, Article 15(1) of the Directive conclusively determines the cases in which the Data Protection Directive[15] prevails over the Directive and it allows the processing of communications data for the "prevention, investigation, detection and prosecution of ... unauthorised use of the electronic communication system" only. The complainant agreed that the rule which deals with preventing unauthorised use, Article 100(3) TKG, does require specific grounds (namely, a reasonable suspicion of abuse) for data to be stored. He maintained, however, that this is not the case with the processing allowed by Article 100(1) of the TKG.

The Ombudsman's assessment after the draft recommendation

29. The Ombudsman notes that the Commission has provided a coherent explanation as regards why the Bundesgerichtshof ruling (see paragraph 26 above) implies that the German courts interpret the German law in question as incorporating the notion of necessity in line with the condition in recital 29 of the Directive that the processing of traffic data has to be "necessary in individual cases". The complainant has not submitted any specific arguments in that regard. The Ombudsman therefore does not consider that any further inquiries into this matter are required.

30. Furthermore, the Commission explained its view that Article 4 of the Directive, read in the context of recital 29 of the Directive and Article 53 of the User's Rights Directive, can be interpreted to mean that data processing which is necessary to achieve the purposes set out therein is in line with EU law. Contrary to the complainant's protestations, it is perfectly reasonable to rely on a recital for information on the intention of the legislature in relation to the meaning of a particular legal provision.

31. However, the Commission still has not addressed to a satisfactory degree the complainant's argument that, since Article 100(1) TKG was not limited to exceptional cases, it could not be in line with the Directive.

32. It is true that the Court of Justice's judgment in Digital Rights Ireland and Seitlinger and Others[16] was delivered after the Commission's reply to the friendly solution proposal in this case. However, the Commission was perfectly able to take this judgment into account when responding to the Ombudsman’s draft recommendation. It should be noted that the Court of Justice stated in Digital Rights Ireland and Seitlinger and Others that provisions interfering with fundamental rights must be limited to what is strictly necessary. The Ombudsman thus encourages the Commission to carefully consider the impact of this judgment on the Directive and its application in the national legal systems.

33. In light of the failure noted above, the Ombudsman will close this aspect of her inquiry with a critical remark.

Third aspect: the rules on e-mail marketing

The procedure leading to the draft recommendation

34. The complainant argued that the German rules on e-marketing, contained in Article 95 of the TKG, were more permissive than those contained in the Directive. In its pre-closure letter, the Commission referred to the German law against unfair competition (Gesetz gegen unlauteren Wettbewerb - UWG). This law provides that e-mail marketing must be limited to e-mail addresses obtained in the context of the sale of a product or service. Clients must also be expressly informed that they may object to the use of their e-mail addresses for this purpose. The complainant observed that the TKG is more specific than the UWG and therefore overrides the latter. The Commission concluded that the complainant had not provided any new facts and thus closed the case.

35. In its opinion, the Commission stated that the complainant's view on the relationship between the TKG and the UWG was based on his personal interpretation of the law, an interpretation it had already rejected in its initial assessment. In his observations, the complainant referred to his e-mail to the Commission in which he submitted that the national regulatory authority (the Bundesnetzagentur) shared his interpretation of the relationship between the TKG and the UWG. The Ombudsman proposed that the Commission address the complainant's comments.

36. In its reply, the Commission simply noted that, based on the opinion submitted by the German government, it maintained its view that Article 13(2) of the Directive had been correctly transposed, and added that the complainant's e-mail exchange with the Bundesnetzagentur did not change this assessment. The complainant pointed out that the Commission had relied exclusively on the opinion of the German government and had ignored the view of the Bundesnetzagentur. It had thus made a manifestly false assumption on the situation in practice.

37. In her assessment after the friendly solution proposal, the Ombudsman concluded that the Commission should provide a meaningful explanation as to the discrepancy between the opinions of the German government and the Bundesnetzagentur, which was charged with implementing the rules in practice.

Arguments made following the draft recommendation

38. The Commission maintained its view that Article 95 TKG and Article 7 UWG taken together ensure compliance with the Directive. It had already explained this to the complainant in a letter of 11 June 2011, in which it stated that the fact that Article 95(2) of the TKG prevails over Article 7 UWG "in certain situations" was "already covered" by the investigation into the infringement complaint at issue here. The letter continued that, since Article 95 TKG allowed users to object to commercial e-mails easily and free of charge according to the German government, the Commission considered that the two provisions taken together complied with Article 13(2) of the Directive.

39. The Commission added that the complainant's communication with the Bundesnetzagentur had addressed only the question of the relationship between Article 95 TKG and Article 7 UWG and had not suggested that there was a problem with the enforcement of the relevant rules. It concluded that there was nothing in the e-mail exchange which would lead it to reconsider its position.

40. The complainant welcomed the fact that the Commission now appeared to acknowledge that Article 95 TKG was the only provision applicable to communications providers. This meant that Article 95 TKG should transpose the relevant provision of the Directive. He maintained that it did not, since it allowed the use of e-mail addresses obtained in other contexts than those enumerated in the Directive and since, in order to object to the use of their e-mail addresses, customers in Germany usually have to write a letter, which is neither easy nor free of charge.

The Ombudsman's assessment after the draft recommendation

41. In his complaint and subsequent correspondence with the Commission, the complainant alleged that Article 95 TKG could not be considered to have properly implemented Article 13(2) of the Directive because it failed to include certain conditions regarding the use of e-mails for marketing purposes required by the Directive. In its pre-closure letter, the Commission argued that the German government had assured it that this was not problematic, since Article 7 UWG imposed further conditions, in particular, that e-mail addresses could be used for marketing "own similar products or services" only. The complainant argued that this was insufficient since the TKG was the more specific rule. Companies could thus rely on Article 95 TKG which allows such practices, even though Article 7 UWG forbids them. He contacted the Bundesnetzagentur for confirmation of this interpretation and obtained it.

42. From the outset of this inquiry, the Commission dismissed this interpretation and argued, based on the opinion of the German government, that Article 95 TKG and 7 UWG read together provided the same protection as Article 13(2) of the Directive. It still maintains this view, while at the same time stating that the information provided by the Bundesnetzagentur served "only to confirm the issue of legal precedence of the two provisions", which it states it "already acknowledged" in its letter of 11 June 2011. The complainant had argued that this "issue of precedence" meant that Article 7 UWG was not applied, which in turn meant that Article 13(2) was insufficiently transposed. The Commission has not adequately explained - it has simply relied on a statement of fact - why it maintains that the two Articles can be read together so as to transpose the Directive properly.

43. In conclusion, despite the Ombudsman's draft recommendation to this effect, the Commission has not adequately explained why it considers that there was no need for it to take any action in relation to this aspect of the complainant's infringement complaint. The Ombudsman will make a corresponding critical remark below.  

Conclusions

On the basis of the inquiry into this complaint, the Ombudsman closes it with the following conclusions and critical remark:

As regards the first aspect, the Commission has accepted the Ombudsman's draft recommendation and has taken adequate steps to implement it.

The Commission has failed to provide a comprehensive and thorough explanation as to why it did not consider that it should take action in relation to the aspects of the complainant's infringement complaint which concerned (a) the storage and processing of data generally and (b) e-mail marketing rules.

The complainant and the Commission will be informed of this decision.

 

Emily O'Reilly
Strasbourg, 30/06/2015

 

[1] Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), OJ 2002 L 201, p. 37, last amended by Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009, OJ 2009 L 337, p. 11.

[2] For further information on the background to the complaint, the parties' arguments and the Ombudsman's inquiry, please refer to the full text of the Ombudsman's friendly solution proposal available at: http://www.ombudsman.europa.eu/en/cases/correspondence.faces/en/54437/html.bookmark

[3] The full text of the draft recommendation is available at: http://www.ombudsman.europa.eu/en/cases/draftrecommendation.faces/en/54439/html.bookmark

[4] The new version which the complainant refers to was introduced by Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 amending Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws, OJ 2009 L337, p. 11. The deadline for transposing this amendment was 25 May 2011, that is, the day on which the complainant sent his e-mail.

[5] See footnote 4 above.

[6] During a data protection conference, as reported in this article (in German): http://www.heise.de/newsticker/meldung/Schaar-Cookie-Regeln-der-EU-gelten-unmittelbar-1570745.html

[7] The complainant is referring to the documents available here: https://www.bmwi.de/BMWi/Redaktion/PDF/Gesetz/referentenentwurf-tkg-2011%2Cproperty%3Dpdf%2Cbereich%3Dbmwi%2Csprache%3Dde%2Crwb%3Dtrue.pdf#page=4 and here: https://www.cdu.de/sites/default/files/media/dokumente/koalitionsvertrag.pdf#page=127

[8] Namely, the decision of 13 January 2011, III ZR 146/10, Speicherung dynamischer IP-Adressen.

[9] Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and Seitlinger and Others, judgment of 8 April 2014, not yet published in the ECR.

[10] Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC, OJ 2006 L 105, p. 54.

[11] Paragraph 65 of the judgment cited in footnote 9 above.

[12] Recital 53 reads: "The processing of traffic data to the extent strictly necessary for the purposes of ensuring network and information security, that is, the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted data, and the security of the related services offered by, or accessible via, these networks and systems, by providers of security technologies and services when acting as data controllers is subject to Article 7(f) of Directive 95/46/EC. This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems."

[13] Cited in footnote 4 above.

[14] Judgment of 3 July 2014, III ZR 391/13, available at http://juris.bundesgerichtshof.de/cgi-bin/rechtsprechung/document.py?Gericht=bgh&Art=en&nr=68350&pos=0&anz=1

[15] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data

OJ 1995 L 281, p. 31.

[16] See footnote 9 above.