On 5 July 2017, almost a year before the General Data Protection Regulation (EU/2016/679, the "GDPR") will be applied, the new German Federal Data Protection Act ('Bundesdatenschutzgesetz'), the so-called German Data Protection Amendment Act (the "GDPAA"), passed the final stage of the legislative process. It has been countersigned by the German Federal President and published in the Federal Law Gazette.
The GDPAA will, with one exception outlined below, enter into force on 25 May 2018, and will substantially change the current German Federal Data Protection Act in order to align it with the GDPR, to make use of its derogations, and to implement the Law Enforcement Directive (EU/2016/680).
Although the GDPR directly applies across the EU and its provisions prevail over national law, Member States retain the ability to introduce their own national legislation based on certain derogations provided for by the GDPR. These derogations include national security, prevention and detection of crime, and also apply in certain other important situations – the so-called 'opening clauses'.
What are the main provisions of the new German Federal Data Protection Act?
The German legislator has made extensive use of opening clauses and introduced a number of provisions that are relevant for the private sector, such as:
- Collection and use of employee data (Section 26 GDPAA):
A significant area where Member States may take divergent approaches under the GDPR is for the collection and use of employee data (see Article 88 GDPR). Germany has taken advantage of this and has more or less transposed its existing law into the new law.
As under the current German Federal Data Protection Act (the "FDPA"), the processing of employee data is generally allowed if necessary for establishing or carrying out the employment relationship. The GDPAA also maintains the restrictions for investigations of criminal conduct, and now expressly mentions operating or service agreements (collective agreement) and collective bargaining agreements as a possible legal basis for the processing of HR data. It further contains certain justifications for the use of special categories of employee data ('sensitive data') and a definition of the term 'employee'.
In addition to this, the GDPAA also provides clarification on consent, such as the circumstances in which such consent is “freely given” in an employer-employee relationship (legal and economic advantages are considered in this respect; the reasoning of the GDPAA refers, for example, to the use of IT for private purposes or the receipt of health benefits). Such consent shall generally be in writing unless another form is appropriate due to exceptional circumstances, but this is not further defined.
When interpreting the new rules, it will continue to be important to take a closer look at existing case law and guidance of DPAs, although such case law and guidance must be assessed in light of the GDPR.
- Special categories of data (in particular Section 22 GDPAA):
The GDPR sets out the general framework for how ‘sensitive data’ can be used, and also allows Member States to set new conditions concerning health, biometric and genetic data.
The GDPAA took advantage of this and permits the processing of sensitive data if the processing is necessary for the purpose of, for example, preventive medicine, employee working capacity assessments, medical diagnosis, health and social care treatments, management or systems, agreements with health professionals (and their staff) where data is provided under the obligation of professional secrecy, and for reasons of public interest in the area of public health (as required, for example, to ensure high quality and security standards for health services, drugs or medical products). These further justifications will play an important role in practice for companies that are active in the healthcare sector.
However, such processing is only possible if safeguards are taken to protect such data. These safeguards must be tailored to the circumstances of the individual case and take into account the state of technological knowledge, costs of implementation and the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons. These "suitable and specific" safeguards may include technical and organizational measures, pseudonymisation, encryption, or the appointment of a Data Protection Officer (the GDPAA lists 10 different examples overall).
- Processing of data for research purposes and statistical purposes (Section 27 GDPAA):
The GDPAA makes use of the opening clause of Article 9(2) lit. j) GDPR and permits processing of sensitive data without consent for scientific or historical research and for statistical purposes, if the processing is necessary for these purposes and the data controller’s interest in processing that data significantly outweighs the data subject’s interest.
To safeguard the interests of the data subject, the data controller must apply “suitable and specific measures”. Under these measures, sensitive data processed for these purposes must be anonymised if the respective research or statistical purpose permits this and the legitimate interests of the data subject do not prejudice such anonymisation.
The provision also contains additional restrictions of data subject rights in the context of processing for research and statistical purposes, setting out the requirements for the publication of such data. This provision will be highly relevant for all companies that undertake research and process data for statistical purposes, such as, for example, in the context of clinical trials.
- Processing for new purposes (Section 24 GDPAA):
The GDPR permits Member States to alter the purpose for which the personal data have been originally collected, but under the condition that national law "constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23(1)".
The GDPAA makes use of this opening clause and enables the alteration of the purpose for which personal data had originally been collected to the extent necessary for defence of national or public safety, or prosecution of criminal offences, and to assert, exercise or defend civil claims (but only if the interest of the data subject does not prevail).
This should also apply in the case of sensitive data, but only if one of the exceptions of Article 9(2) or Article 22 of the GDPR is also met.
- Restrictions on individual rights (Section 32 et seqq. GDPAA):
Under the GDPR, Member States can, to a certain extent, limit data subject rights. Germany has made use of this opening clause and has significantly restricted such rights, including:
- The obligation to notify the individual (Sections 32 and 33 GDPAA): in certain limited cases, the GDPAA exempts the controller from its obligation to inform the individual of their rights if, for example, the information would impair the exercise or defence of civil claims (provided that there is no overriding interest of the individual in the provision of the information). Section 27 para. 2 sentence 2 GDPAA also provides for an exception in the context of scientific research if providing such information would require unreasonable effort.
- The right to access data (Section 34 GDPAA): the GDPAA contains certain exemptions from the data subject’s right to access data if, for example, such data is only stored to comply with statutory retention provisions, or for the purposes of data backup or data protection control, the latter subject to further requirements.
- The right to erasure (Section 35 GDPAA): the GDPAA exempts the controller from its obligation to erase personal data where the erasure is, in case of non-automatic data processing, impossible, or only possible with disproportionately high effort and the data subject has a minor interest in erasure.
During the legislative process, the European Commission heavily criticised the broadly formulated restrictions on the data subject’s right to information and erasure. However, very little of this criticism has been picked up in the final version of the GDPAA and it is therefore to be expected that the subject will be under continued scrutiny and debate, and that it may finally be decided in court.
- CCTV (Section 4 GDPAA):
While the GDPR does not expressly provide for derogations in respect of CCTV measures, the GDPAA contains specific rules concerning video surveillance of publicly accessible areas.
Germany has maintained the current rules, which permit CCTV only to the extent necessary to fulfill public tasks, to exercise the right to determine who shall be allowed or denied access, or to pursue rightful interests for precisely defined purposes, provided there are no indications that the data subjects' legitimate interests prevail.
It further includes rules on the extent to which CCTV footage can be used and stored, including retention periods and how individuals need to be informed.
- Restriction of investigative power of DPA in case of professional secrecy (Section 29 para. 3 GDPAA):
The GDPAA restricts the investigative powers of DPAs in relation to professional secrecy obligations, including data held by a controller, such as medical professionals, psychologists or lawyers, or processors which are subject to such investigations.
- Appointment of Data Protection Officers (Section 38 GDPAA):
The GDPAA has made use of the possibility to derogate from the GDPR (see Article 37(4) GDPR) concerning the appointment of a data protection officer (“DPO”) in the new law.
This means that the threshold for the appointment of a DPO is much lower in Germany than under the GDPR. As such, the requirement generally comes into play if a minimum of ten employees are deployed to carry out the automatic processing of personal data on an ongoing basis.
If the business would be subjected to a Privacy Risk Assessment or if it conducts commercial data processing for the purpose of transfer, anonymised transfer or market opinion research, a DPO must be appointed regardless of the number of persons involved in the processing of personal data, which is a new provision compared with that in the FDPA.
In practice this will generally mean that companies established in Germany which were required to appoint a DPO under the current regime will continue to require one under the new regime.
- Credit information and scoring (Sections 30 and 31 GDPAA):
Germany was keen on keeping the current data protection rules on scoring, credit checks and consumer credits as these provisions form a basis of the German credit system. The respective provisions of the FDPA have therefore simply been transposed into the GDPAA (Sections 30 and 31 GDPAA, currently Section 29 para. 6 et seq. and Section 28 a, b FDPA).
- Sanctions (Section 41 et seqq. GDPAA):
According to Article 84(1) GDPR, Member States must lay down the rules on other penalties applicable to infringements of the GDPR, in particular to infringements which are not subject to administrative fines.
In addition to the fines provided for in the GDPR, the GDPAA stipulates that an administrative offence is committed by anyone who, whether intentionally or through negligence, fails to handle an information request appropriately, or fails to inform a consumer or to inform them fully and correctly, and to do so within the prescribed time limits. Such an offence is subject to a fine of up to EUR 50,000.
More serious cases, for example where personal data of a large number of individuals that is not publicly accessible is intentionally transferred or made available for commercial purposes, are subject to criminal liability which includes imprisonment for up to three years, or to a fine.
- Right of DPAs to file an action (Section 42b FDPA, Article 7 GDPAA):
Following the 'Schrems decision' of the CJEU, the GDPAA establishes a right of data protection authorities to challenge the validity of decisions of the European Commission in court.
The court of first instance is the Federal Administrative Court. The court can hear the European Commission as part of the proceedings, but cannot invalidate a Commission decision. In this case, it would need to refer the case to the CJEU.
While the GDPAA will become effective on 25 May 2018, this provision will take immediate effect from the day of the publication of the GDPAA.
The German legislator has reached its target of enacting the GDPAA before the election of the German Parliament in September 2017. In order to meet this ambitious deadline, the initial idea was to keep as many of the current law provisions as possible and to only introduce changes where required. For example, the long-planned revision of the employee data protection rules was put aside. We assume that further adjustments will follow over the next couple of years (and perhaps then the German legislator may also lower the ceiling of 16 years for the requirement of parental consent under Article 8 of the GDPR, where the provision requires parental consent to be obtained for information society services offered directly to a child).
However, whether the opening clauses have been implemented appropriately and are compliant with the GDPR, considering the early criticism of the European Commission, will need to be further assessed and may keep courts busy in future. In addition, it should be noted that the GDPAA is only the beginning of the legislative process as the data protection laws of the German Federal States ('Bundesländer') and sector-specific data protection laws must also be adapted. It remains to be seen if this complex and extensive task will be completed by May 2018, especially given that very little will happen during the election period. If the German legislator fails to meet the deadline, the current law will be interpreted in light of the GDPR with the effect of higher legal uncertainty – though some officers at German DPAs have already indicated in unofficial statements that in this event they would likely consider such uncertainty and the absence of respective guidance as a factor when it comes to enforcement actions.