More legal clarity
On 1 December 2021, a new law regulating data protection and privacy in telecommunications and telemedia will come into effect: the German Telecommunications Telemedia Data Protection Act (TTDSG). The TTDSG contains new provisions on digital legacy, privacy protection for terminal equipment and consent management. It intends to create more legal certainty and legal clarity for the protection of privacy in the digital world: For example, it aims to stem the cookie deluge and give website visitors more control over the data they collect. But not only that: it intends to provide more clarity in the regulatory jungle of the EU General Data Protection Regulation (GDPR), the ePrivacy Directive (yet to be implemented in Germany), the German Telemedia Act (TMG) and the German Telecommunications Act (TKG). To this end, the data protection provisions of the TMG and the TKG are repealed and merged in the TTDSG. In the process, adjustments were also implemented that were necessary due to the GDPR and the ePrivacy Directive.
Is the employer a telecommunications service provider in the case of permitted private use of company email accounts?
There has always been a legal dispute about the question of whether an employer is to be considered a business telecommunications service provider if it allows or tolerates the private use of company email systems. There was no uniform opinion in case law and legal literature on the previous regulation of telecommunications secrecy in Sec. 88 TKG. This unclear legal situation was not eliminated by the introduction of the new TTDSG. In our view, the legislator failed to create a practice-oriented solution in the new version of telecommunications secrecy in the TTDSG. Neither the wording of Sec. 3 TTDSG nor the recitals to the Act indicate whether employers are covered by the term “providers of telecommunications services offered wholly or partly on a business basis” who are obliged to maintain telecommunications secrecy. In times when home offices are commonplace for many employees and when the boundaries between privately and professionally used end devices and IT infrastructure are becoming increasingly blurred, a clear regulation certainly would have been desirable. If the employer wants to access the email inbox, on which private telecommunication contents protected by the secrecy of telecommunications such as emails and chats are also stored, it needs the active consent of the employee concerned according to the requirements of Art. 6 para. 1 sentence 1 lit. a), Art. 7 GDPR. If an employer accesses the employee’s emails without such consent in the case of permitted private use, there is a not inconsiderable risk that this will lead to a violation of the secrecy of telecommunications, which is punishable by law (Sec. 206 of the German Criminal Code).
Options for employers
If employers want to have legally secure access to email communication in company email systems, they have the option on the one hand, to completely prohibit the private use of official devices and infrastructure by employees. Employers should regularly monitor compliance with the ban. Where such a prohibition is not considered up-to-date or is not desired, employers should not merely tolerate private use of company communication tools, but explicitly allow it and at the same time establish clear rules and control mechanisms, for example, in a works or service agreement and in individual employees’ consent referring to this. With regard to the new TTDSG, it should be noted for future agreements and consents that telecommunications secrecy is no longer regulated in Sec. 88 TKG, but in Sec. 3 TTDSG.