What does this cover?
The position paper of the Conference of the Data Protection Commissioners of the Federal Government and the Federal States was drafted as an appeal of the Federal and the various German State Data Protection Commissioners to the European Parliament, the Council and the Commission to improve or at least maintain the current data protection standard in Germany.
Key data protection points for the trilogue on the General Data Protection Regulation Draft were as follows:
1. Household exemption shall not be widened / Data processing by public order administration and for the purpose of threat prevention shall be covered
The household exemption shall not be widened and shall continue to exempt only processing related exclusively to personal and household activities. The Conference is opposed to the proposed restriction of the Regulation in favour of the proposed Directive on data processing by the police and judicial authorities. The Regulation should apply to data processing by the public order administration and for the purpose of threat prevention.
2. Personal data must be clearly defined
The Conference opposes the Commission’s and Council’s proposed restriction that identification numbers, location data, online identifiers, IP addresses and other specific data need not necessarily be considered personal data.
3. Data minimization shall be maintained as a primary design objective
The Conference requires that the principles of data minimization and data avoidance, which are currently primary objectives of German data protection regulation, be enshrined explicitly in the GDPR. These principles are even more important against the background of Big Data technologies and omnipresent data processing operations.
4. and 5. The principles of purpose limitation must not be watered down. No free pass for archives, statistical, scientific or historical purposes
Data subjects shall be able to rely on the purpose limitation, i.e. that data shall only be processed for the purpose for which they have been collected. The Conference rejects the regulation proposed by the Council that data processing purposes may be amended or that the change of processing purposes for data processing for statistical, historical or scientific purposes shall be privileged.
6. Consent must ensure sole authority over data processing
Data subjects shall remain empowered to decide solely about the use of their personal data by consent. Such consent must be provided explicitly. It is not considered sufficient that declarations of consent are simply unambiguous. That would set the stage for blanket authorizations and ultimately opt-out solutions.
7. Data subjects’ rights must not be limited
Comprehensive data information rights shall enable the data subjects to assess the scope of the data processing operations. The exercise of such rights must be free. The Conference explicitly objects to the limitations proposed by the Council. The Conference stresses once again the need to strictly regulate profiling, limiting the matching and evaluation of personal data. The proposed regulations fall short in this regard.
8. Accountability as a general principle
Compliance requirements must not be relativized. Risk based approaches can only refer to how obligations are met.
9. Technical and organizational data protection
The Conference requests the goals of confidentiality, integrity, availability, non-linkability, transparency and the ability to intervene to be included as explicit goals.
10. Effective data protection requires company data protection officers
The Conference supports the company and public authority data protection officers as an important part of effective data protection supervision. The designation of data protection officers shall become obligatory across Europe.
11. Data transfers to public authorities and courts in third countries require a stricter control
The Conference advocates a specific legal basis and procedure for data transfers to governmental agencies and courts in third countries. Depending on whether the assistance is subject to an international treaty, requests for data transfers shall be handled by a designated body or by the data protection supervisory authorities.
To view the position paper (in German), please click here.
Reported and summarized by Dr. Stefanie Hellmich – Counsel in the IP/IT law department of Luther Rechtsanwaltsgesellschaft, Frankfurt am Main, Germany.
What action could be taken to manage risks that may arise from this development?
None - for interest only.