On December 11, 2008, the German Federal Government adopted a number of amendments to the Federal Data Protection Act which have far-reaching consequences for businesses. The amendments were developed in response to a number of data breaches in Germany in recent months.
The proposed changes can be summarized as follows: (1) abolition of the so-called “list privilege” and introduction of an “opt-in” requirement for the sharing of personal data in the context of address selling, advertising and market research, with some exemptions (e.g., opt-in does not apply to a company’s own customers) and a 3-year grace period; (2) creation of a security breach notification requirement applying to certain categories of personal data; (3) a proposed comprehensive Data Protection Audit Act, according to which data controllers and providers of data processing systems and software could voluntarily undergo an audit in order to have their data protection concept and technical facilities assessed and evaluated; (4) an increase of fines from € 25,000 up to € 50,000 for violation of certain provisions and from € 250,000 to € 300,000 in case of serious legal violations, and the possibility of forfeiture of profits. The bill still needs to pass the federal council and federal parliament. The first reading in the council is scheduled for February 13, 2009. The amendments are expected to enter into force on July 1, 2009.