The EU’s General Data Protection Regulation (GDPR), which applies from May 2018, is designed to align data protection requirements across the EU. However, its opening clauses give Member States some freedom in implementing the Regulation and, thus, room to differ. In August 2016, the German Ministry of the Interior (BMI) released its first GDPR implementation proposal, which drew widespread criticism from both experts and data protection authorities. The BMI has now published a revised proposal in the form of a new Federal Data Protection Act (Bundesdatenschutzgesetz, or BDSG). The draft BDSG specifies the scope and implementation of existing GDPR provisions in further detail and also contains data protection requirements beyond those provided for in the Regulation. We explore the notable specifications to, and deviations from, the GDPR below.
- Change of purpose of processing: Section 23 of the BDSG provides that a change in the purpose for which personal data are processed shall be permissible in several scenarios beyond those listed in art. 6 sec. 4 GDPR (the Regulation’s test for processing for a purpose other than that for which the data were collected).
- Information obligations: Sections 30 and 31 of the BDSG restrict the information obligations set out in art. 13 and 14 GDPR. In particular, if providing a data subject with certain of the information required by art. 13 GDPR would involve a disproportionate effort or would seriously impair the purposes of the processing, the controller need not provide that information.
- Data Protection Officer: Section 36 of the BDSG obligates companies to appoint a Data Protection Officer if at least 10 persons are regularly engaged in the processing of personal data, if they carry out processing that requires a data protection impact assessment (art. 35 GDPR), or if they process data for the purpose of transfer.
- Penalties: Section 40 of the BDSG caps the fines for violations of the provisions referred to in art. 83 sec. 4, 5 or 6 GDPR at EUR 300,000.
- Other obligations of controllers and processors: Sections 57 through 72 of the BDSG set forth additional obligations for data controllers and processors. The sections also contain several practically-relevant deviations from the GDPR requirements and are worth review.
- Processing in the context of employment: Section 24 of the BDSG governs the processing of employee data. As written, however, Section 24 generally carries forward the provisions on employee data processing that have been in effect in Germany since 2009.
The draft BDSG bill proposed by the BMI provides many exceptions to the obligations the GDPR imposes on companies. It is also, however, highly complex, and therefore poses challenges to companies seeking to determine the scope of their data protection obligations where they are subject to both the GDPR and German law.
Moreover, many of the draft provisions are problematic with regard to European law, and their enforceability is not certain. One of the primary aims of the GDPR is to harmonize data protection law within the EU. The draft BDSG’s change-of-purpose provision, its restriction of the information obligations, and its proposed cap on fines all run counter to this aim and are, therefore, questionable.
Finally, the draft BDSG fails to address important points of criticism raised against the initial August 2016 draft. As a result, it is unclear whether the current draft will be enacted and, if it is, whether it complies with mandatory requirements of European law (e.g., art. 288 sec. 2 TFEU, under which a regulation is binding in its entirety and directly applicable in all Member States). Thus, while the new draft is instructive, there remains uncertainty as to what measures companies operating under both the GDPR and German law should take to prepare for data protection compliance.