With the publication of the Council's proposals for a General Data Protection Regulation (GDPR) and the commencement of trilogues between the three institutions of the EU, the German regulators have a number of concerns about where the GDPR may be headed. The Council’s proposals would, in comparison with the suggestions of the EU Parliament and the Commission, lead to lower data protection standards in certain areas. As a result, the German Data Protection Authorities (DPAs) fear that the GDPR, which was initially planned to raise data protection standards, might, ultimately, fall behind current standards as set out in the Data Protection Directive 95/46/EC. In order to avoid this, the German DPAs have provided a number of suggestions for the final version of the GDPR.
Scope of "personal data"
A key issue for the German DPAs is that certain data currently considered personal data may be exempt from data protection obligations in future, in particular IP addresses and other identifiers. According to the Council’s draft, such data would not necessarily be considered “personal”. The German DPAs would like clarification that such identifiers will be considered personal data to the extent they can be attributed to natural persons.
General data protection principles
The DPAs would like to have the principles of data reduction and data economy included explicitly in the GDPR (this was deleted in the Council's draft). Furthermore, the German DPAs argue for a strict purpose limitation – personal data must only be used for the purposes for which they were initially collected, unless there are serious reasons for a change in purpose. The German DPAs fear that the amendments proposed by the Council could go too far and lead to data controllers having potentially far-reaching rights to change purposes.
Rights of data subjects
In addition, the DPAs would like to ensure strong data subject rights such as information and access rights. These rights should be enforceable without any cost to data subjects. The Council’s suggestions leave some room for interpretation which might lead to charges in certain cases. Furthermore, the value of data subject consent should be strengthened – according to the German DPAs only "opt-in" consent should be considered valid, not any unambiguous action from which consent might be deduced, as proposed by the Council. Also, execution of a contract or the provision of a service should not be made conditional on the consent to processing of data that is not necessary for the execution of that contract or the provision of related services. German DPAs are also lobbying for European citizens to have the right to use the internet without providing their real name ("pseudonymous use").
Various other concerns
The German DPAs want profiling to be permissible only under very strict conditions: the action of profiling itself should be subject to strict requirements. Technical and organisational data protection obligations should be strengthened and, while the German DPAs generally favour the new 'one stop shop' mechanism, procedures for the cooperation of European DPAs should be specified in detail in order to ensure that one responsible DPA cannot delay enforcement actions against controllers.
The German DPAs raise various other topics, e.g. stronger control should be required if data is transmitted to authorities or courts in third countries outside the European Economic Area; the exemption for "personal or household activity" should be limited to the bare minimum; and data processing privileges for statistical purposes should also be limited (as otherwise profiling by social networks or search engines might also be covered). Perhaps above all, the DPAs in Germany regret that a peculiarity that currently exists only in a few European countries seems to have been taken off the agenda by the Council – the mandatory requirement for organisations to appoint a Data Protection Officer (DPO).
Data Protection Officers
Although the requirement to appoint a DPO was included in the drafts of the Commission and the Parliament, the Council believes that the bureaucratic and economic effort of implementing it is too high – an argument which the German DPAs reject. In their view, Germany has had excellent experiences with DPOs, as they can lead to a better acceptance of data protection requirements within companies and also help streamline costs by providing data protection advice at early stages in the processing journey. DPOs would, in the eyes of the German DPAs, also reduce friction with the DPAs and help avoid fines by achieving early compliance. Whether or not their views will be reflected in the GDPR remains to be seen.