- The 2009 "data protection scandals" " (involving inter alia Deutsche Bahn's mass screening of 230,000 employees) were one of the main reasons for last year's amendments to the Federal German Data Protection Act (GDPA). However, these amendments actually addressed the topic of employee data only with a single general provision (the current s. 32), which left many questions unanswered.
Therefore a government bill for implementing a framework for the handling of employee data has been discussed in parliamentary hearings. The bill picks up on criticisms to the 2009 amendments and provides a comprehensive framework addressing most of the relevant aspects of an employment relationship in detail. In particular, it includes restrictions for employers seeking to (i) rely on employees' consent for processing data on them, (ii) gather information on applicants via social networks, (iii) process employee data to detect and/or prevent fraud or bribery, and (iv) use CCTV, GPS and/or biometry-based technology to monitor employees.
The bill is not expected to be passed before March 2011, making it unlikely that will come into force before autumn 2011.
- Triggered by the introduction of Google's Street View service in Germany, the German Government held a top level meeting with representatives from data protection authorities, key industry members and other experts in order to discuss the appropriate approach for regulating such "geo location services" and other internet services raising data protection concerns.
The participants of the meeting agreed that instead of the government amending the Federal German Data Protection Act, the German IT industry should find a reasonable self-binding framework addressing the publicly voiced concerns against Street View like services. In parallel, the German government would only draft a "red line" bill for amending the GDPA, focussing on areas deemed to be too sensitive to be left to self-regulation.
The industry's effort (dubbed the "Data Protection Codex for Geo Data Services") was formulated under supervision of industry association BITKOM, published on 30 November 2010 and is currently under review by the German Government.
On 1 December 2010, the German Government presented its "red line" bill, focusing on internet publications of personal data with the potential to severely breach the data subjects' personal rights. Such publications shall be prohibited unless they are justified by statutory provisions, explicitly and separately obtained consent, or prevailing legitimate interests of the data controller. Any internet publication of personal data which (i) have been commercially and intentionally collected, stored and potentially enriched with further information and (ii) can be used to create detailed personality or movement profiles is deemed to be a severe breach of personal rights. This also applies to internet publications depicturing or describing the data subject in an insulting way. Further topics that have been identified to a have a similarly severe impact on personal rights and which shall be addressed in further discussions on the "red line" bill are face recognition technology, the creation of user profiles based on search engine queries and the collection of location data via smart phones. Lastly, the Government suggests entitling data subjects to compensation for immaterial damages if their personal rights have been infringed severely. Formal parliamentary hearings on the bill have not been scheduled and are not expected before spring 2011.