Long before the potential advent of the much-anticipated EU ePrivacy Regulation, e-privacy is “the” topic in Germany, outperforming even the never-ending “Schrems” saga. Why is that, you might ask? The answer is simple: Less than six months ago, the German government finally adopted a new e-privacy law that combines data protection provisions formerly part of telecommunications and telemedia laws into a new federal law. Thirteen years after the EU Cookie Directive came into effect, Germany finally has a “cookie law.” 

Its application in practice turns out to be challenging for some use cases (cookies in particular) while being inextricable for other business models — think connected car or Internet of Things. As the new law applies beyond personal data to any “information,” it also impacts mere machine-to-machine communication. Thus, its practical impact on data-driven business models is huge — as are legal uncertainties. 

This explains why a half-day event the Munich KnowledgeNet hosted last week in cooperation with leading German privacy magazine “Zeitschrift für Datenschutz” — the first in-person KN in too long — was packed with privacy pros eager to share first practical experiences.  

Attendees were particularly interested to hear from two industry speakers from the automotive and media sector about their companies’ implementation of the new rules. Other speakers included the head of the Lower Saxony and Bavarian data protection authorities, both leading voices on e-privacy among the German regulators. 

So, what were the takeaways? Our industry speakers highlighted challenges the new law brings primarily from a technology perspective. On websites, it is often a real challenge to collect prior user opt-in for processing of IP addresses (something the new law requires save for a certain narrow exception), particularly if such processing is technically required while the site loads and thus before users can interact with a consent banner. In the automotive space, one of the main challenges is multi-user scenarios — which if multiple drivers of a connected car need to opt in, and how can this be achieved in a practical way?

The German regulators are currently finalizing guidelines for implementing the new law. It is no surprise that their interpretation is rather strict and limited to the “classic” issues around cookies and website or application tracking. The forthcoming guidelines will offer little help with applying the new rules to other business models. Nevertheless, German DPAs are committed to providing guidance also beyond websites and apps in the mid-term. 

Until then, organizations will find themselves on their own while complaints and general enforcement activities are ticking up. But there is also an upside here: Without detailed guidance, organizations enjoy greater flexibility to work on an implementation that fits both the legal requirements and the business needs. And who knows — maybe the ePrivacy Regulations will turn the corner sooner than expected, as recent signals from Brussels appear to indicate. This will bring the short life of the new German e-privacy law to an abrupt end. But what a ride it was.