Briefly asked

What are PIMS?

8 September 2022


Anyone who wants to read the news, book hotels or find a train first has to get past the inevitable cookie banner. This is a step forward for data protection and digital self-determination: after all, providers are no longer allowed to track our digital movements without our permission. But the main issue is that many users find the banner annoying and will quickly click on “Allow all” to get it out of the way. The idea is for data trustees such as PIMS to change all this. Data protection expert Tobias Mielke from TÜViT explains what this will involve.


#explore: What are PIMS?

Tobias Mielke: PIMS is the acronym for “Personal Information Management Services”. These programs or services are intended to help users manage cookie settings centrally. To this end, the cookie preferences are set once only in a programme or browser plug-in. When a website is accessed, these preferences are then automatically transmitted by the PIMS, meaning that the cookie banner will no longer be displayed. The possibility of these kinds of “consent management services” is enshrined in the German Telecommunications Telemedia Data Protection Act (TTDSG), which came into force at the end of last year. According to this act, the providers of such services must be independent – which means that they must have no economic interest in the granting of consent and the data being managed. And they may process these data exclusively for the purpose of consent management and are not permitted, for instance, to create and sell user profiles. The TTDSG states that the German government must seek the consent of the upper and lower houses of the German parliament for its use of a statutory instrument to fulfil its duty of determining the recognition procedure for such services for the administration of consent.


#explore: The Federal Ministry for Digital and Transport (BMDV) has now presented the first draft of such a regulation. Where do PIMS systems stand in this draft legislation?


About

Tobias Mielke doubles as an expert in management systems for information security and data protection and an appraiser and auditor for data protection at TÜViT.

#explore: What might the use of these PIMS look like in practice?

Tobias Mielke: The idea is for the PIMS to transmit their own preferences to the accessed website via the browser, for example using a plug-in. These settings would also be binding for the website. If a user were to withhold their consent to analytical cookies, website operators would not be allowed to show a cookie banner again with the aim of getting consent regardless. If they were to completely do away with banners, however, the users would not be able to surf in the future either. The draft provides for exceptions: for telemedia providers who finance themselves in whole or in part through advertising, such as news portals. These would be allowed to refer users to fee-based, but advertising- and cookie-free alternatives or to ask them to change their preferences to gain access to the website. When we are online, we should therefore expect to continue to come across the cookie walls that are familiar to us from many online media. What we are looking at is still only the first draft of a regulation. The key points are therefore still subject to change. How these offers are going to be specifically implemented in technical terms will also need to be clarified. From our point of view, they should ideally be created by independent third parties, such as the TÜV associations, using a fiduciary model. If they were to be developed by private companies, they would have to be audited and monitored by independent bodies so that their data protection and IT security would actually be guaranteed.