On July 10, 2009, the Federal Council (Bundesrat) finally passed an important amendment to the Federal Data Protection Act (FDPA), which imposes comprehensive obligations on data controllers in case of a loss or unlawful transmission of personal data to third parties (data breach). The new rules apply as of September 1, 2009.
The legal obligation of a data controller to notify data breaches to the affected individuals and to the relevant data protection authorities (usually, the state’s data protection commissioner – Landesdatenschutzbeauftragter) is restricted to the loss or unlawful transmission of sensitive data, i.e. personal data revealing (i) racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership and information on an individual’s health or sex life, (ii) information that constitutes a professional secret, (iii) information regarding criminal activities or administrative offenses, or (iv) information relating to bank accounts or credit card accounts.
In addition to the requirement that the personal data subject to the data breach must fall within one of the categories specified above, the loss or unlawful transmission of such personal data to a third party must constitute a severe threat to the rights or legitimate interests of the individuals involved. If these two requirements are met, the data controller must, first of all, immediately (“without undue delay”) inform the competent data protection commissioner of the data breach, providing (i) a precise description of the data breach itself, (ii) information regarding the potential consequences and risks of such breach, as well as (iii) the measures that have been or will be taken by the data controller in order to mitigate the negative impacts of such breach. As a second step, the data controller must notify the individuals involved without undue delay, provided, however, that the controller has located the leak which has led to the data breach and has taken all measures to prevent further unlawful access by third parties through that leak (“responsible disclosure”). In case personal data relating to potential criminal acts or administrative offenses has been breached, the individuals involved will only be informed by the controller provided that such information does not put an ongoing criminal investigation at risk.
Generally, each individual whose personal data has been breached must be informed by the data controller. However, if the duty to inform would lead to extraordinary and unreasonable costs (i.e. if the data breach affects a large number of people), the data controller can meet its obligation by publishing a detailed notification (of at least half a page) in two newspapers that are distributed throughout Germany.
The amendment to the FDPA, which is clearly inspired by U.S. data breach notification laws, is an important contribution to the protection of consumers. It remains to be seen, however, how corporations and data protection authorities will deal with the fact that notification obligations only apply if a data breach poses a severe threat to important rights and legitimate interests of individuals.