Well ahead of the implementation deadline for the European General Data Protection Regulation (GDPR), the German Parliament (Bundestag) passed a new Federal Data Protection Act (Bundesdatenschutzgesetz) on April 27, 2017. The Federal Council (Bundesrat) could confirm the Act before the summer, but may require further amendments. If the Parliament and the Council fail to agree, the legislative process will have to start from the beginning after the German elections in September.
The new Act retains the old title of the Bundesdatenschutzgesetz, but the content has changed completely. The GDPR is directly applicable and, therefore, the Act only complements the GDPR or regulates areas outside its scope. Most of the 85 Articles of the new Act deal with the public sector and the implementation of the Law Enforcement Directive. However, it also includes some provisions for the private sector based on opening clauses that either allow or require national implementation. The main German modifications for the private sector are the following:
Special types of data: The GDPR limits the permissible grounds for processing special types of data (including health data) and requires some of the legal grounds to be based on Member State law. For example, the Act authorizes health checks or certain research activities and provides further safeguards for such processing.
Purpose limitation: The principle of purpose limitation was one of the major sticking points during the GDPR negotiations and was only resolved by allowing member states some flexibility to legislate for changes in use. The Act takes advantage of this and allows data to be used for a new purpose (not contemplated or disclosed when collected), for example, for public safety reasons such as company internal criminal investigations, or in relation to the establishment, exercise or defense of civil claims. Notably, this flexibility also applies to special types of data.
Employment data: The GDPR enables member states to enact national rules on the processing of employment data. The Act takes advantage of this by setting out, for example, that the processing of employee data for the purpose of investigating a criminal offense requires documented factual evidence that the data subject has committed an offense. Any consent given by employees has to be in writing, and the Act specifies the requirements under which such consent can be regarded as freely given. The Act specifically states that consent by employees is deemed to be provided freely if the employee gains a legal or financial benefit or if the employer and the employee have similar interests in the matter.
Research and statistics: The GDPR provides for a number of exemptions in the area of research and statistics. This is important for “big data” services and uses. The Act goes further and restricts some of the data subject rights when data is processed for research and statistical purposes. It also removes obstacles to processing special types of data for research and statistics, but requires anonymization of such data as soon as possible. The provision will provide more flexibility for big data projects in Germany especially in the health sector.
Secrecy: The Act modifies the balance between secrecy interests and transparency requirements in the GDPR. Specifically, the Act allows the right of access or the obligation to inform data subjects about data breaches to be limited to protect legitimate secrecy interests, for example, trade secrets. Further exemptions from the obligation to notify data subjects apply in relation to professional secrecy obligations (such as secrecy obligations of lawyers, doctors or auditors), and supervisory authority inspection rights are limited as well with regard to data protected by professional secrecy.
Credit information: The Act provides specific provisions in relation to credit information bureaus, including requirements for processing personal data relating to credit scoring and the reporting of poor credit history.
Data subject rights: The GDPR allows member states to limit data subject rights. The Act takes advantage of this by introducing further exemptions from the obligation to notify, the data access right, the right to erasure and the right to object. The exemptions are quite limited in scope and often relate to public interest. However, the Act also provides for exemptions with respect to data stored for compliance with retention obligations or as backup data.
Data Protection Officer: The Article 29 Working Party has already adopted Guidelines on Data Protection Officers, but the Act modifies the concept of the GDPR. As in the present Federal Data Protection Act, every company with 10 or more employees permanently processing personal data will need to appoint a Data Protection Officer. This is a significantly lower threshold than under the GDPR.
Sanctions: In addition to the fines provided for in the GDPR, the Act provides for a criminal penalty of up to three years' imprisonment.
The Act is scheduled to become effective on May 25, 2018. However, one provision will take effect when the Act is published. It introduces a right for data protection authorities to challenge the validity of decisions of the European Commission in a German court. This is a reaction to the Schrems decision in which the CJEU required a procedure that would allow data protection authorities to bring cases forward. The provision will allow German data protection authorities, for example, to start proceedings against the EU/US Privacy Shield or Standard Contractual Clauses. The procedure is quite unusual, because it starts directly at the level of the Federal Administrative Court (Bundesverwaltungsgericht) with the Data Protection Authority as plaintiff, but no defendant. The Act allows the Federal Administrative Court to hear the views of the European Commission, but the Court is not obliged to do so. The idea is that the Court refers the legal question to the CJEU, because – according to the Schrems decision – only the CJEU can declare decisions of the European Commission invalid.