![Default Article Featured Image_laptop-newspaper-global-article-090623[95].jpg](https://images.contentstack.io/v3/assets/bltd4dd5b2d705252bc/blt61f52659e86e1227/64ff207a8606a815d1c86182/laptop-newspaper-global-article-090623[95].jpg?width=3840&quality=75&format=pjpg&auto=webp)
On 27 October, the German Parliament (Bundestag) adopted an amendment to the Federal Telecommunications Act (Telekommunikationsgesetz—TKG). By virtue of this amendment, several EU directives are implemented into German telecommunications law. The amendments include some remarkable changes to the data privacy rules for telecommunication service providers.
One noteworthy amendment is the repeal of Sec. 92 TKG, which enshrined restrictions on the transfer of telecommunication data outside of Germany and, therefore, often proved as a roadblock to offshore outsourcings by telco companies. While within the EU service providers could operate on the basis of the data processor privilege, Sec. 92 TKG did not allow this approach with respect to data processors outside of the EU. Now these restrictions have been removed.
Another major change relates to the data breach notification rules. By implementing the respective provisions from EU directive 2009/136/EC, amending the E-Privacy Directive, a new data breach notification regime has been implemented. Now, in the case of a personal data breach, any provider of publicly available electronic communications services shall be under an obligation to notify the federal data protection commissioner as well as the Federal Network Agency—irrespective of any adverse effect on the personal data or privacy of the subscribers or other affected individuals. Notification of a data breach to a subscriber, which is required if there is a threat of serious harm, can only be avoided if the provider has demonstrated to the satisfaction of the Federal Network Agency that it has implemented appropriate technological protection measures and that those measures were applied to the data concerned by the security breach. What is more, the providers now must maintain an inventory of data breaches comprising the facts surrounding the breach, its effects and the remedial action that has been taken.
Even though the data breach rules have been tightened significantly, German Federal Data Protection Commissioner Peter Schaar has criticized the amendment to the Telecommunications Act. In particular, he claims that customer-related traffic data may be stored for an unlimited period of time, which was not the case before. Also, he regrets that German lawmakers have not transposed the new “cookie regulation” under Sec. 5, Para. 3 of the amended E-Privacy Directive into national law—even though the deadline expired in May 2011. Therefore, uncertainty remains as to whether explicit opt-in consent is required for placing cookies or whether appropriate browser settings would also be sufficient.
