On 1 February 2017, the German federal cabinet adopted a draft data protection bill. The planned implementation statute aims to supplement and further define the EU General Data Protection Regulation, which will come into force in 2018. The Chronicle of Data Protection’s summary of the most relevant aspects of the draft bill can be found here. We turn now to a preliminary assessment and explanation of the proposed bill, provided by German Data Protection and Freedom of Information Officer Dr. Stefan Brink, European Parliament member Jan Albrecht, and Hogan Lovells partner Tim Wybitul.
- Dr Stefan Brink is the new Data Protection and Freedom of Information Officer for the German federal state of Baden-Württemberg. He is co-editor of one of Germany’s leading data protection commentaries and known as a proven expert in data protection matters as well as in the EU General Data Protection Regulation.
- Jan Philipp Albrecht is a member of the European Parliament and played a central role in the legislative procedure for the EU General Data Protection Regulation as rapporteur to the Parliament. He is co-author of a highly respected book and of a series of other publications on the new EU data protection law.
- Tim Wybitul is a partner at the commercial law firm Hogan Lovells. JUVE describes him as one of Germany’s leading lawyers in the field of data protection. He is editor of Zeitschrift für Datenschutz (ZD) and author of the German-language EU General Data Protection Regulation: A Practical Guide for Companies. An English version is on its way and should be available soon.
What do you think of the draft?
DR STEFAN BRINK: We must be very wary that a remarkable success such as the EU General Data Protection Regulation isn’t diluted and devalued by a piece of national legislation. The German federal government’s draft undermines common European standards, restricts the rights of data subjects and allows Germany to go its own way in areas such as video surveillance.
TIM WYBITUL: The draft is good for lawyers, but bad for those who have to apply the new provisions. Even experts barely understand the planned rules. Companies would have to spend a lot of money to implement the planned complex rules. The draft is also imprecise in many places. This will lead to problems with interpretation – and, in turn, litigation and costs.
JAN PHILIPP ALBRECHT: That’s right. With its draft, the German federal government is running the risk of reversing the progress achieved by the General Data Protection Regulation for companies and consumers. The provisions of the draft that deviate from the Regulation could once again cause legal uncertainty and market fragmentation. Restricting consumer rights to the benefit of certain business models is simply against EU law.
Does the draft help companies or consumers?
TIM WYBITUL: Neither, I would say. The plan for Germany to go its own way on data protection will be pretty expensive for companies.
JAN PHILIPP ALBRECHT: The draft primarily serves the purposes of the German federal government, which wants to show that it is setting its own course on data protection after failing to do so when the EU’s data protection reform was being developed. However, such a stance will immediately encourage other member states to depart from the European consensus, which would be disastrous above all for companies and consumers in Germany.
DR STEFAN BRINK: I agree: the draft ostensibly aims to help companies by restricting consumer and employee rights. However, this approach won’t work in a club of nations like the EU, where common positions are more important than individual countries going it alone.
What are the disadvantages for consumers?
DR STEFAN BRINK: In future, every company and every consumer will have to deal with not one or two, but three or even four pieces of legislation: the General Regulation, the national amendment statute, special national laws in areas such as social security and employee data protection, as well as the Data Protection Directive covering public security. Experts will be the only ones who can see the full picture – leaving the ordinary consumer very much in the dark.
TIM WYBITUL: I agree. Consumers and employees of companies will simply not be able to understand the planned new law, which will open up loopholes and create legal uncertainty. This is a disadvantage for consumers. What’s more, the draft still aims to restrict data subjects’ rights, such as their rights to information when their data is processed.
JAN PHILIPP ALBRECHT: The restriction of data subjects’ rights weighs extremely heavily and, in this form, would immediately be overturned by the European Court of Justice. The opportunities for restricting rights in the General Data Protection Regulation are limited for good reason. It’s a bit rich for the German federal government to apparently be citing the risk to “generally recognised business interests” in order to justify excluding consumers’ rights to information.
What implications will the law developed by the German Interior Ministry have for businesses?
JAN PHILIPP ALBRECHT: For businesses, the EU General Data Protection Regulation represents one of the biggest anti-red tape measures and a massive growth opportunity in a European digital single market. If an individual country sets out to undermine the common set of rules by going it alone, it will not only cause enormous costs for businesses, but also jeopardise consumer confidence in the validity of the EU’s new, powerful data protection rules.
TIM WYBITUL: Above all, the law will be expensive. Many big companies have already set aside millions to implement the EU General Data Protection Regulation. Imagine what it will cost if you additionally have to analyse and implement special rules introduced by individual member states. In certain parts, the draft removes the harmonisation planned by the new EU data protection law. If member states now start issuing overly complex new regulations based on the GDPR, this will harm businesses and we will end up with the same patchwork that we have at present when it comes to data protection in the EU. What’s more, companies will have to implement different rules in every member state. This will cost a lot of money and makes little sense.
DR STEFAN BRINK: That’s right. After all, the main argument against federal data protection in Germany was the fragmentation of laws. If now – after the development of a uniform pan-European legal basis that also subsumes and carries forward many proven elements of German data protection – the German government implements a competing national law with umpteen special provisions, the advantages achieved will be lost. That’s why member states must be urged to show the utmost restraint with national legislation.
Will the planned German data protection law at least be valid if parliament cooperates with it?
TIM WYBITUL: No, probably not. A number of the planned provisions are likely to breach EU law, which takes precedence. Earlier versions of the draft have therefore met with heavy criticism from data protection specialists as well as the German Ministry of Justice. If the European Court of Justice overturns individual provisions in a few years, companies will have to re-adjust and this will again cost money, of course.
DR STEFAN BRINK: That’s right. In addition to the ECJ, the European Commission will monitor how far Germany goes its own way – and is highly likely to initiate infringement proceedings against Germany because its national law contradicts the General Regulation. This would be the worst-case scenario for data protection: a dispute lasting years over the validity of the relevant legal bases. I would therefore repeat that now is the time for countries to show restraint, not for small-minded attempts to change the law for the worse.
JAN PHILIPP ALBRECHT: It’s not only the Bundestag (lower house of the German parliament), but also the Bundesrat (upper house of the German parliament) that must act. Strong opposition is already emerging from Germany’s federal states. The German federal government should think twice about whether to insist on the controversial passages and thus create the risk that the draft will not enter into force by the effective date of the General Data Protection Regulation on 25 May 2018. Instead, it should focus on making the adjustments that are absolutely necessary in order to comply with the new EU law.
What alternatives are there to the current draft bill?
TIM WYBITUL: There are certainly alternatives. For example, it would be sensible if a German implementation statute was limited to the key provisions covering areas such as the jurisdiction of the data protection authorities, employee data protection and the appointment and protection against dismissal of data protection officers. This would create additional transparency and make it easier to implement the new EU data protection law. In contrast, the German Federal Interior Ministry’s current plans create uncertainty and make it harder to apply a uniform data protection law in the EU.
DR STEFAN BRINK: That’s exactly right! Issues that don’t absolutely and undisputedly require regulation – such as whether to preserve the tried-and-trusted institution of the company data protection officer – must be left alone. The General Regulation is a good working basis that we should evolve together at European level – where incidentally a large number of debates about special rules in areas such as big data, scoring, the Internet of things and robotics are being conducted anyway. The German federal government would be well advised not to be too hasty in tackling the outstanding issues relating to the new data protection law by going its own way; instead, it should play a defining role at EU level.
How likely is it that this draft bill is actually going to be passed by the parliament?
TIM WYBITUL: This is hard to predict. Both the Federal Parliament (Bundestag) and the Federal Council (Bundesrat) would have to approve the draft bill. In the last few days, the draft has been under quite some criticism. The German government intends to have the bill passed by the Federal Council on 10 March 2017. I believe that there will at least be some changes to the current draft. For companies, this means that they need to allow for some flexibility in their GDPR implementation projects. However, they should clearly not put their implementation projects on hold.