In February 2017, the German Federal Government submitted a draft law (BDSG-E) for adapting the GDPR in Germany. The administration wants to push the draft quickly through the Federal Parliament. After a hearing of data protection experts on the 27th of March, the final enactment is planned for April. The law will likely come into force in May 2017 without significant further changes.
The aim of the government is to make use of certain opening clauses in the GDPR in order to retain some well-proven provisions of the German Data Protection Act (BDSG). However, it is sometimes unclear whether a national provision is still covered by an opening clause or whether it may violate European law. According to German media coverage, the European Commission is already pressing for a number of changes in the draft law. A high-ranking representative of DG Justice is quoted as stating that some changes in the draft law are not covered by the opening clauses, and as blaming the German government for undermining the original goal of the GDPR, full harmonisation.
Reason enough to have a closer look at the most relevant sections of the German draft law.
It contains 84 sections. Compared to the old law that only had 48 sections, this alone indicates the complexity of the future German regulation.
- Administrative fines and Penalties
Art. 83 GDPR provides for the possibility of imposing fines of up to 20 million Euros or up to 4 % of the total worldwide annual turnover of the preceding financial year. While these fines primarily apply to companies, the member states may determine "different penalties". The German legislator makes use of this opportunity by creating rules that also allow for the sanctioning of individuals, leading to a risk of liability for managers, employees and in-house data protection officers. Section 42 BDSG-E even foresees a punishment of up to three years' imprisonment.
Thus, an effective and well-organised compliance structure is more crucial than ever.
- Change of purpose of processing
Section 22 BDSG-E states a number of exceptions for the lawful processing of special categories of personal data according to Art. 9 GDPR, e.g. in the area of health and social services. Those exceptions are safeguarded by a number of requirements regarding appropriate and specific measures on a technical and organizational level.
Interestingly, the high level of protection for special categories of personal data experiences another dilution: in the case of scientific or historical research, even special categories of personal data can be processed without the consent of the data subject, provided it is necessary for the relevant purpose and no overriding interests of the data subject are given. Although the controller has to provide appropriate measures to safeguard the data subject's interests (without further specification), this seems to be a quite generous exemption that allows for a flexible interpretation.
With regard to scoring data and credit information about consumers, the BDSG-E maintains the provisions of the current BDSG. The use of probability values in order to rate the credit standing of a consumer before entering into a contract can be lawful under certain requirements. However, it is uncertain whether these safeguards are sufficient to meet the requirements of the opening clause in Art. 6 GDPR.
- Information Obligations
While the GDPR requires comprehensive information where personal data is collected from the data subject, the BDSG-E aims at creating exceptions to such information in specific cases. Sections 32 and 33 BDSG-E will restrict the obligations according to Articles 13 and 14 of the GDPR.
The requirement to provide additional information to the data subject if the controller intends to further process data for a purpose other than that for which the data was collected (Art. 13 No. 3 GDPR) will not apply if this would require a disproportionate effort or would presumably preclude or seriously compromise the realisation of the processing objectives, and the data subject's interest in being informed is therefore not overriding.
Here, Germany makes use of the opening clause under Art. 23 GDPR, allowing restrictions for specific purposes. Again, some critics from Brussels already rate these exemptions as a violation of EU law.
Also, the right to obtain information from the controller according to Art. 15 GDPR is limited by Section 34 of the draft law. Amongst other exemptions, the right does not exist in cases where personal data has been stored only for the purpose of data security or data supervision, if providing the required information to the data subject would mean disproportionate effort. As a further safeguard, the processing for further purposes has to be excluded by technical and organisational measures.
This surely does not contribute to legal certainty, and legal disputes are easy to predict, regardless of whether the GDPR gives room for these exemptions.
And as if this were not enough, Section 29 BDSG-E restricts the controller's obligation to provide the data subject with the information granted by Article 14 GDPR in cases where the confidentiality interests of the controller are overriding.
Finally, even the "right to be forgotten", considered the sacred cow of the GDPR by some stakeholders during the legislative process, is limited by the German draft law: Section 35 BDSG-E codifies that an obligation to erase certain personal data does not take effect if erasure is not possible due to a particular way of data storage, or is only possible with a disproportionate effort. What sounds like an exemption for blockchain technology might nevertheless conflict with the goal of the GDPR.
- Data Protection Officer
With regard to the obligation to appoint a data protection officer, the draft law keeps the current provisions of the German Data Protection Act and obliges every company with at least ten persons employed in the automated processing of personal data to appoint a data protection officer. The GDPR only obliges companies to do so in exceptional cases.
The controller or the processor will also have to appoint a data protection officer if they deal with processing subject to a data protection impact assessment according to Article 35 GDPR. The same applies if personal data is processed for the purpose of commercial transfer of data or for marketing and market research purposes.
It will be interesting to see if these deviations from the GDPR will pass and come into force in Germany. It seems almost certain that the European Commission will not accept them and will initiate infringement proceedings.
In any case, the main goal and benefit of a fully harmonised legal framework for data protection in Europe would be completely undermined if other member states followed the German approach and pursued individual national strategies as well.