A second draft of the new German Federal Data Protection Act (BDSG-new), aimed at aligning German data protection law with the EU General Data Protection Regulation (GDPR) and EU directive 2016/680, was published on 22 November 2016. It replaces the first draft dated September 2016, which was heavily criticized. Currently, it is not clear whether this draft will eventually become law. It has yet to be approved by the Department of Justice and the German Parliament. What we do know, however, is that if it is approved, it will replace the current BDSG (BDSG-current) entirely and will supplement the GDPR, which will be enforceable from 25 May 2018 onwards. Although the GDPR itself has direct legal effect in all Member States, it allows national legislators to enact national laws with which it is consistent to supplement the EU regulation. Therefore, it is crucial for businesses operating in Germany to take a close look at the new draft BDSG in order to prepare for the new data protection regime. The following summary focuses on the draft’s most relevant provisions for data protection in the private sector.
1. Employee data (Section 24 BDSG-new)
According to Section 24 of BDSG-new, the employer may process personal data for the purpose of the employment relationship if this is necessary for the decision about beginning, carrying out or terminating the employment relationship. This provision does not, in fact, contain any changes but corresponds with the current national stipulation on the processing of employee data (Section 32 BDSG-current). The fact that the drafting committee included the definition of employee currently found in Section 3 para. 11 BDSG-current contributes to a better understanding of this provision.
2. Information obligations of the data controller (Sections 30, 31 BDSG-new)
One key aspect of the GDPR is the obligation to inform individuals in detail in the event of collection of their personal data, such as Articles 13 and 14 GDPR regarding the duty to notify data subjects of the controller’s and the data protection officer’s contact data, the purpose and the legal grounds for the processing, storage periods, the right to appeal and to demand correction or deletion etc. BDSG-new attempts to limit these obligations, claiming that Article 23 GDPR allows the national legislator to do so. Section 30 para. 1 BDSG-new provides that the information obligation shall not apply if it is impossible, requires disproportionate effort to provide the relevant information or if the individual’s interest in receiving the information is secondary. Section 31 para. 1 BDSG-new stipulates additional exceptions to the controller’s information obligations, which apply when personal data is not acquired from the individual. The exceptions apply if the disclosure poses a significant threat to the controller’s business purposes, taking into account the interests of the data subject, or if a public authority decides that disclosure would jeopardize the public order or safety or would otherwise be detrimental to national or state interests.
It is questionable whether Article 23 GDPR may serve as a legitimate legal basis for the above-mentioned limitations because one may well argue that Sections 30 and 31 BDSG-new do not meet its requirements. The provision lists extreme conditions under which limitations to the controller’s information obligations are permitted (such as for the purpose of ensuring national security, public safety, the defense of the country, the execution of a sentence, the prosecution and prevention of crime, important economic or financial interests of the European Union or of a member state, the protection of court procedures and the independence of the judiciary or the enforcement of civil rights, etc.). “Disproportional efforts by the data controller” is not among them. All legislative measures meeting the requirements must additionally contain specific regulations regarding, for instance, information about the purpose and categories of processing, the scope of the limitations, the categories of personal data, a guarantee against misuse, illegal access and illegal transmission, information about the responsible parties, information regarding the storage period and the concerned parties’ right to be informed about the imposition of limitations, etc.
3. Rights of the data subjects (Sections 32 – 35 BDSG-new)
Sections 32 – 35 BDSG-new further limit the rights of data subjects. These provisions contain numerous exceptions under which individuals may not demand disclosure of processing (Section 32), the deletion of personal data (Section 33), and may not have the right to object to the processing of their data (Section 34 and Section 35). Again, the German legislator refers to Article 23 GDPR as the legal ground for these limitations. It is questionable whether this is accurate for the same reasons as those set out above with regard to the data controller’s information obligation.
4. Appointment of a data protection officer (Section 36 BDSG-new)
Section 36 para. 1 BDSG-new stipulates under which conditions a data protection officer (DPO) must be appointed. Luckily, the GDPR adopted the proven German DPO concept without regulating the details. Instead, Article 37 para. 4 GDPR authorizes the national legislator to enact details on the appointment of a DPO. As a result, Section 36 para. 1 BDSG-new mostly corresponds to the current law (Section 4 para. 1 BDSG-current). This means that as a general rule, a data controller permanently employing more than nine people in connection with the automated processing of personal data must appoint a data protection officer. Although it may not appear to be a business-friendly regulation at first sight, Section 36 BDSG-new will help data controllers and processors by providing clear instructions. Thus, it will prevent fines for non-compliance with the GDPR and the BDSG.
5. Special provisions
Further, the BDSG-new contains a few special provisions regarding the processing of personal data for the purpose of scientific and historical research (Section 25) and consumer loans (Section 29) as well as for the processing of personal data subject to non-disclosure obligations (Section 26). Businesses engaged in these activities should take a closer look at these provisions.
As is widely known, the GDPR provides for a “significantly wider range of offences” than does the current BDSG (see also http://blogs.dlapiper.com/privacymatters/germany-bavarian-data-protection-authority-issues-guidance-on-gdpr-sanctions/) and imposes severe financial sanctions.
However, the GDPR only explicitly regulates the liability of controllers, processors and accredited certification bodies and does not specifically refer to natural persons. The draft BDSG clarifies that natural persons acting on behalf of the data controller or processor can be held directly responsible (as is already the case under current German law) and stipulates a maximum administrative fine of 300,000 EUR for offences committed by anyone acting “on behalf of the controller or processor as part of his job” (Section 40 para. 1 BDSG-new).
The draft provision is based on Article 84 para. 1 GDPR. It is doubtful whether the liability cap for natural persons is enforceable since it can be undermined by claims for compensation by the controller or processor against the responsible person.
Another question arising from this provision is whether data protection officers will be considered to act “on behalf of the controller or processor as part of his job” and therefore also be personally liable. As the liability concept of the GDPR does not take into account personal liability, it will be crucial to see how other Member States will approach the question of individual liability for data protection violations. If Germany is the only Member State in which individuals can be held directly responsible, this may result in significant disadvantages for German businesses and ultimately affect price calculations.
In addition, it remains unclear to what extent fines may be imposed for non-compliance with information obligations (see Section 40 para. 2 BDSG-new).
Allegedly, the German legislator’s intention was to draft a business-friendly law. Whether this goal was achieved by the current draft legislation is questionable, to say the least. In particular, it is arguable that the GDPR is not a sufficient legal basis for the provisions of BDSG-new limiting information obligations and rights of the data subjects. The direct liability of individuals for data protection violations may also put businesses at risk. In any event, the draft makes data protection law even more complex and creates further legal uncertainty. It is unclear whether and to what extent it will enter into force. If it does enter into force, data controllers and processors doing business in Germany will need to comply with it in addition to the GDPR. Until then, it is advisable to prepare for the GDPR and simultaneously to keep a close eye on the German legislator’s progress in enacting a new BDSG.