On February 1, 2017, the German Cabinet adopted a draft law to adapt data protection law to the EU General Data Protection Regulation (GDPR). This marks the beginning of the formal legislative process to replace the Federal Data Protection Act, which dates back to 1977.

Effective May 25, 2018, data protection in public and non-public fields will be governed by the GDPR as directly applicable law across the entire EU. Member States may only change certain details and make minor variations. In addition, the parallel EU Directive on the protection of personal data by competent authorities for the prevention and prosecution of criminal offenses is to be transposed into German law as of May 25, 2018.

Both areas are covered by the draft law on the “Act to adapt data protection law to Regulation (EU) 2016/679 and to transpose Directive (EU) 2016/680 (Data Protection Adaptation and Transposition Act EU).” While amendments may well be possible in the legislative process, the federal government’s basic orientation is clear: the scope of action should be used to maintain the provisions of the Federal Data Protection Act (such as for data protection officers and data protection supervision), to partly facilitate the handling of personal data (e.g., for information duties or scoring), and to adopt more detailed rules (e.g., for data protection in employment relationships).

An additional law will then contain further modifications that are necessary to adapt the numerous specific data protection regulations for individual areas in German law to the provisions of the GDPR.

Conclusion: The transposition of the EU General Data Protection Regulation into German law is gaining ground, but necessary legislative procedures have only just begun.