The European Court of Justice (ECJ) has, in its judgment in Case C-582/14, ruled that the data protection provisions of the German Telemedia Act (TMG, pdf) are incompatible with European data protection law (in particular Art. 7 (f) of the Data Protection Directive). As a result, the relatively strict requirements for the processing of personal data in the provisions for telemedia services (e.g. an app or a website operator) pursuant to §§ 14 and 15 TMG must be interpreted and extended in the light of this judgment.
As a result, service providers are able to process personal data of a user not only to if it is needed for the establishment, content or amendment of a contractual relationship between the service provider and the user (§ 14 para 1 TMG) or to the extent necessary to enable and invoice the use of a telemedia service (§ 15 para. 1 TMG).
In his Opinion of 12 May 2016, the Advocate General had already held that § 15 of the TMG was not compatible with the European requirements laid down in Art. 7 (f) of the Data Protection Directive. § 15 TMG does not add additional requirements for the legality of a data processing to those provided for in Art. 7 (f). But it limits the material scope of the condition referred to in Art. 7 (f) thereof.
According to that provision, processing of personal data is allowed if it is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject
The problem with § 15 para 1 TMG (examined by the court) as well as with § 14 TMG is that these provisions allow processing of personal data only for specific and determined purposes and leave no room for the weighing of interests. However, due to the strictly limited processing possibilities within the framework of the TMG, the German legislator excludes the possibility for data controllers to process personal data in accordance with the European requirement of Article 7 (f). Or, in the words of the Advocate-General in his Opinion: “Paragraph 15 of the TMG would substantially reduce, with regard to Article 7(f) of Directive 95/46, the scope of the relevant legitimate interest justifying the processing of data and not merely define or qualify it”.
According to the ECJ ruling, a national provision which does not allow the legitimate interests of the data-processing body to be taken into account is not compatible with the requirements of the European Data Protection Directive. Neither § 14 nor § 15 TMG allow a weighing of interests according to the European standards. For this reason, in my opinion, the judgment, even though it assessed “only” § 15 para 1 TMG, must also be taken into account within the framework of the remaining paragraphs of § 15 TMG and also § 14 TMG, which anticipate and restrict the weighing of interests.
In practice, this means that Website and app operators are allowed to process personal data from their users even if this processing serves the realization of a legitimate interest, and does not override any legitimate interests or fundamental rights of users.
The European Court of Justice also explicitly stated in its judgment that such a legitimate interest is the maintenance of the functionality of websites and thus allows the storage of IP addresses for this purpose, even beyond the respective concrete usage process by the visitor. It is important to note that the court did not have to deal with further examples of “legitimate interests”, because this certain case only concerned the maintenance and functionality of a website.
One last point: the “processing of personal data for direct marketing purposes” may be regarded as carried out for a legitimate interest, as expressly stated in recital 47 of the General Data Protection Regulation.