As deliberations on the General Data Protection Regulation (“GDPR”) between the trialogue parties (the European Parliament, European Council, and European Commission) reach the final stages, the Conference of the Data Protection Commissioners of the German Federation and the German States (the “Conference”) has publicly criticized crucial points of the GDPR.
The Conference is calling on the trialogue parties to address its concerns regarding data economy, purpose limitation, individual’s consent, data subject’s rights and profiling, the need for data protection officers in private and public bodies, and the transfer of data to authorities and courts in third countries. The Conference's positions on these matters are outlined below.
Data Reduction and Data Economy as Design Objectives
The Conference stresses that the principles of data reduction and data economy are, in times of "big data" technologies, more important than ever, and must be expressly mentioned in the GDPR as a design objective. This is in line with the positions of the Parliament and the Commission, both of which support including data reduction and data economy as a fundamental principle in the GDPR. In the Council’s draft, the provision has been deleted.
No Softening of Purpose Limitation
In line with the Parliament, the Conference opposes attempts of the Commission and the Council to introduce exceptions to the principle of purpose limitation, which allows the processing of personal data for other purposes only when these purposes are compatible with the original purpose.
The Commission and Council favor an approach that also allows processing for certain defined noncompatible purposes. The Council’s approach is even more far-reaching, allowing changes of the purpose in the overriding legitimate interest of the controller.
In this connection the Conference raises serious doubts as to the “privileged treatment” foreseen by the Council with respect to the processing for statistical, historical, and scientific purposes. It is a particular concern of the Conference that profiling by social networks, search engines, and analytical tools could benefit from the privilege of processing for statistical purposes.
Consent Must Be Explicit
For the Conference, as well as for the Parliament and the Commission, only explicit consent is suitable as an essential element to ensure data sovereignty. The Conference rejects the Council’s proposal to allow for declarations of consent which only have to be unequivocal, fearing that this “could open the path” for opt-out as a general means of consent.
Data Subject’s Rights and Profiling
The Conference emphasizes the importance of comprehensive information rights of the data subjects. Exercising those rights and any implementation measures taken must be free of charge. In this context the Conference challenges restrictions to the information right proposed by the Council.
The Conference regards the regulations relating to profiling in the proposals of all trialogue parties as insufficient. It requests stricter rules on profiling which shall, inter alia, cover all forms of profiling and the measures based upon it, and exclude special categories of personal data, like health data, from profiling in any case.
Data Protection Officers in Private and Public Bodies
Given that data protection officers in private as well as in public bodies are well-established institutions in Germany, the Conference supports a mandatory appointment of data protection officers to be inserted in the GDPR. The Council’s proposal, however, does not foresee such a mandatory requirement. While the Commission and the Parliament support the mandatory appointment of data protection officers, the Conference regards the criteria applied in their proposals to determine when such an appointment is mandatory as “not convincing”.
Data Transfers to Authorities and Courts in Third Countries
A particular concern of the Conference is the transfer of data to authorities and courts in third countries (countries outside of the European Economic Area not providing an adequate level of data protection from the EU viewpoint). The Conference supports the Parliament’s proposal to allow for such data transfers only if required by international agreements on administrative or mutual legal assistance, and only if the supervisory authority approved such a transfer in the individual case.
The criticism expressed by the Conference makes it clear how important it is to the German data protection authorities that the GDPR guarantees improved data protection, or at least protection equal to current standards.
Further details of the position of the Conference can be inferred from its resolution of 14 August 2015. In the resolution the Conference addresses additional issues, including the definition of personal data which, according to the Conference, should make it undoubtedly clear that IP addresses and location data are to be considered personal data.