Germany is one step closer to new data protection rules as the German Parliament and the Federal Council have both approved the draft of a new Federal Data Protection Act (Bundestag printing matter 18/11325). The purpose of the draft is to align German data protection law to the European General Data Protection Regulation ("GDPR"), which will be applicable as of May 25, 2018. The new law is intended to replace the existing Federal Data Protection Act with an identically named new act.
Overall, the German legislator appears to have taken the approach of retaining as much as possible of Germany's existing Federal Data Protection Act (such as the requirement to appoint a DPO). Further, the German legislator is making ample use of the GDPR opening clauses.
The draft contains specific provisions on the following key topics (amongst others):
1. Processing of employee data. The draft mainly reflects the currently applicable provisions on the processing of employee data. In addition, it states that employee consent is - under certain circumstances - a valid option. However, such consent must in principle be obtained in written form.
2. Automated decision making. The draft permits automated decision making in insurance relationships and provides that automated decision making may also be based on sensitive personal data.
3. Rating agencies and scoring. The draft contains provisions on the processing of personal data by rating agencies and for scoring purposes, essentially reflecting the currently applicable law.
4. Data subject rights. Importantly (and controversially), the draft restricts the broad rights of a data subject granted by the GDPR (eg, the broad information obligations and rights for deletion).
5. Data protection officer: The draft contains provisions basically requiring every data controller to appoint a data protection officer (similar to the current position in Germany).
Draft two-edged from company perspective
Even though the draft contains several provisions that are intended to make life easier for companies - it is two-edged from company perspective for several reasons:
- The draft bears the risk of conflicting with EU law, in particular the GDPR itself. This applies particularly to provisions reproducing the content of GDPR provisions. Such reproduction may unlawfully affect the jurisdiction of the European Court of Justice and thus be in breach of EU law. Furthermore, some provisions taking advantage of GDPR opener clauses are pro-business to an extent that they run the risk of exceeding the leeway granted by the respective opener clauses (eg, provisions stipulating exemptions from information obligations vis-à-vis data subjects).
- The aforementioned risk of non-compliance of the draft with EU law makes it difficult for companies to reliably plan the necessary steps to establish data protection compliance.
- The provisions that deviate from the GDPR contradict one of the main objectives of the GDPR - the objective to provide for a coherent data protection framework throughout the EU, which actually should be the biggest advantage of the GDPR, especially for companies operating across several or even all EU member states.
- Finally, the draft is extremely complex and detailed and contains a large number of references that will make it even more difficult to comply with the complex framework provided by the GDPR.
Getting prepared for GDPR
Regardless of what will be the final provisions contained in the new Federal Data Protection Act, companies should start working on becoming GDPR compliant as soon as possible. Even if the new Federal Data Protection Act will end up lowering the requirements for companies in some respects, the GDPR itself remains the inevitable and true game changer in the field of data protection compliance.