After a first read through of the leaked Commission proposal for a new data protection regulation (Draft Regulation) that was published by statewatch.org (it is not meant to be officially published until the end of January), I remembered a speech by Viviane Reding’s Chief of Cabinet who said that the Commissioner for Justice was very impressed by German data protection rules. This might help in explaining several provisions of the Draft Regulation.
Take for example the rules on data processing. After some scandals on data leakages at data processors, Germany tightened the requirements for the contract on data processing to cover several specific details of data security. Article 27 of the Draft Regulation takes up this idea and requires controller and processor to stipulate several rules and precautionary measures in their agreement, such as that the processor may only act on instructions from the controller and that its staff must have committed themselves to confidentiality. However, contrary to German law, the contract must not cover specific details on data security measures.
Another principle deriving from German data protection is Article 4 of the Draft Regulation, which says that personal data must be limited to the minimum necessary in relation to the purposes for which they are processed. This is almost the same as the principle of data reduction in sec. 3 a of the German Federal Data Protection Act. In comparison, Article 6 of the current Directive only required data processing not to be “excessive in relation to the purposes for which they are collected and/or further processed”.
The stricter requirements for consent to data processing also seem to derive from German data protection law. Article 7 of the Draft Regulation provides, among other things, that consent to data processing in a written declaration on another matter must be made distinguishable in its appearance, which is almost the same provision as in sec. 4 a of the German Federal Data Protection Act (BDSG). Also the data subject’s right to withdraw such consent at any time is an unwritten principle of German law, as well as the assumption that consent is not freely given where there is a significant imbalance between the data subject and the controller.
The Draft Regulation also covers the use of personal data for direct marketing for commercial purposes and makes it subject to the data subject’s consent to such marketing (Article 5 para 2 Draft Regulation). This is even stricter than German data protection law, which provided an important exception to the consent requirement by allowing the use of personal data for advertising if the data was listed and contained only categories such as name, occupation, title, address and year of birth and was obtained through a contract or a similar relation with the data subject or from public sources.
Therefore, reading the Draft Regulation as a German is an interesting déjà vu. The fact that the European Commission proposes a regulation to create a harmonised level of data protection will – if it is eventually adopted – certainly make the life of many companies easier, as the legal requirements were sometimes very different in several member states. However, the regulation contains quite strict and detailed rules. It remains to be seen if other member states will agree that the principles of countries with a stricter approach to data protection should be applied to the whole European Union.