German Data Privacy Law Continues to Evolve
Latest law sets a higher email privacy bar for German companies and service providers.
- A new data privacy law unifies several other German laws and tightens requirements for email.
- Companies can expect more change to come, as Germany’s lawmakers await additional EU-wide privacy regulation.
German politicians in May 2021 passed a new data privacy law to both adhere to EU guidelines and unify a web of existing national legislation. Because it was based on existing regulation, the law at first glance appears to offer little new, but it actually has significant implications for email service providers as well as employers that allow employees to use company email for private communication. The law went into effect in December 2021, and, because of its predictably clunky German name, is known by its acronym: TTDSG.
Politicians ostensibly passed the TTDSG to implement the European Union’s ePrivacy Directive, a supplement to the General Data Privacy Regulation (GDPR) that is formally known as the Directive on Privacy and Electronic Communications. But the true driver was to unify and clarify the handful of laws that govern German data privacy.
The country’s penchant for privacy means that at least four other laws control information flows including an arts-rights law as well as a general data privacy law.[i] The country also has both a telecommunications law (TKG) and a telemedia law (TMG); the sometimes-archaic laws separately govern telecommunications and online media, which are now often inseparable.
And while experts agreed that most companies need to do little to react to the new law, since companies were likely already in compliance with the previous laws, there are two exceptions. The TTDSG grants telecommunications-level data protection to so-called “over-the-top” (OTT) services, a term that applies to cloud-based email and other web-based messaging. This move is important because it forbids anyone not involved in a message to view that communication. The law also works to clarify the role of companies that allow employees to use corporate email for personal use.
Newly Protected Communication
Since web-based email applications and messaging services fall under the OTT provision, providers like Google and Facebook can no longer parse email and messages for targeted advertising or other services, according to attorneys at CMS.[ii] Service providers must also retain messages for potential legal investigations.
Companies face less strict requirements. It was previously unclear if employers could read employee emails without consent. Arguments had been made that companies in that case functioned as email providers on behalf of their employees. If the employers did read correspondence without permission, they exposed themselves to possible criminal prosecution under data protection laws.
Coupled with a recent court decision, the TTDSG clarified what constitutes a provider, making personal emails on corporate accounts subject to GDPR rules rather than more stringent German telecommunications law. Employers only need a compelling reason to snoop without permission, according to data privacy experts JOWECON.[iii]
More Bureaucracy to Protect Rights
“Privacy must also be protected in the digital world. At the same time, we have to enable business models. The new rules create a balance,” then-economy minister Peter Altmaier said when the law was passed in May. Altmaier’s coalition government of the left-leaning SPD and Angela Merkel’s conservative CDU was replaced late last year by a three-way coalition of the SPD, the environmental Greens and the business-friendly FDP.
Although cookies have little to do with email, the move highlights the central role privacy plays. German politicians would prefer an entire industry of cookies and rights management be created than to encroach on individual privacy rights. Eventually, privacy attorneys say, the TTDSG will likely be replaced by a German version of the much anticipated EU ePrivacy Regulation. This fortification of the existing ePrivacy Directive was to have been introduced alongside the GDPR in 2018, but it has been long in coming and is now expected to become law in 2025.[iv]
While Germany’s TTDSG clarified issues that existed in a pre-pandemic Germany, the country is also now wrestling with pandemic-related privacy issues, like everyone else. German companies that have allowed working from home during the pandemic have proved to be an El Dorado for cyber attackers specializing in phishing, ransomware and other exploits. Fifty-nine percent of companies that permitted employees to work from home reported phishing attacks since the start of the pandemic, both via email and by phone, according to a survey of 1,000 German companies by Bitkom, a digital trade association.[v] Among those, 52% said the attacks led to damages.
- 69% said such rules would introduce a moderate to high level of improvement to the overall cybersecurity of their business.
- 62% said mandated cybersecurity standards would moderately to greatly decrease their risk of cyberattacks.
- 65% predicted moderate to high increases in their costs.
- 67% saw a similar drop in their freedom to determine their own best course of action against cyberattacks.
Not All Encryption Is Created Equal
In today’s era of remote work: “Just sending employees home isn’t enough. Their equipment must be protected, communication channels to the company secured, and they must be made aware of the risks,” Bitkom President Achim Berg said. “Not doing so is negligent.”
Germans live up to their reputation as a society that appreciates law and order. But for guidance on implementing specific regulations like GDPR, they often turn to a network of independent associations and think tanks. Companies are required to encrypt any digital correspondence that includes personal information, and the association of independent public data watchdogs in 2020 said it recommends two levels of encryption,[vi] relying on companies’ discretion to decide which level would be appropriate.
Encryption of data in transport is compulsory for most correspondence, the association says, and that level of encryption is sufficient for any communication that, if viewed by unauthorized people, would only present a normal threat to the “rights and freedoms” of the people named in the email. Should the exposure create an “increased risk,” the association recommends end-to-end encryption.[vii]
Email in Germany is often seen as insecure and most companies as well as government agencies resist using it for official correspondence that could include specific figures or identifying information on M&A, for example. Although individuals can waive privacy rights in hopes of getting official government or corporate responses via email, attorneys advise against the practice because confusion can arise over the scope of the permission — a single email, a single issue or all correspondence — exposing companies and agencies to unnecessary risks.
The Bottom Line
German policymakers are sweating to maintain a balance between a demand for data security, efficient sharing of necessary information and slow-moving EU-wide regulation. Cyber attackers still seem to be ahead of political efforts.
[i] “TTDSG is coming: What changes will the new law bring?”, PSW Group Consulting
Subscribe to Cyber Resilience Insights for more articles like these
Get all the latest news and cybersecurity industry analysis delivered right to your inbox
Sign up successful
Thank you for signing up to receive updates from our blog
We will be in touch!