The General Data Protection Regulation (“GDPR”) comes into force on 25 May 2018. It is binding for all member states and provides for a harmonisation of the data protection regime throughout the EU. However, various opening clauses provide member states with discretion to introduce additional national provisions to further specify the application of the GDPR. The German legislator has been among the first to draft such provisions supplementing the GDPR.
What areas does the General Federal Data Protection Act cover?
Recently a draft of the German Federal Ministry of the Interior for a General Federal Data Protection Act (Allgemeines Bundesdatenschutzgesetz, “GFDPA”) has been leaked. This is meant to replace the current Federal Data Protection Act (Bundesdatenschutzgesetz, “FDPA”). The draft includes new provisions in areas that are subject to the opening clauses of the GDPR. For example:
- Data protection officer: Sec. 14 (1) GFDPA extends the scope of the GDPR and requires the appointment of a data protection officer for companies that employ more than 10 people who are constantly tasked with the processing of personal data.
- Rights of data subjects: The draft GFDPA includes various limitations of the rights of data subjects, e.g. there is no requirement to inform a data subject about data collection if this would require a disproportionate effort (sec. 7 (2) GFDPA).
- Data processing in the context of employment: Unfortunately, sec. 33 GFDPA merely reflects the current provision in the FDPA on data processing in the context of employment and does not comprehensively regulate this issue. Thus, it is likely that the on-going debate in Germany about a potential “Employee Data Protection Act” will continue.
- Administrative fines: Sec. 42 (1) GFDPA introduces a personal liability in the amount of up to EUR 300,000.
- Right of action of data protection authorities: According to sec. 28 GFDPA data protection authorities have the right to bring an action before the German Federal Administrative Court against adequacy decisions by the European Commission (e.g. on the EU-US Privacy Shield).
How did the Federal Ministry of Justice react to the draft GFDPA?
The Federal Ministry of Justice (“FMJ”) raised some major concerns in relation to the proposed GFDPA. The FMJ noted that the regulative approach is incomprehensible for authorities, companies and data subjects. It also pointed out that the scope of most provisions was unclear and contained several gaps.
What are the next steps ahead?
The GFDPA is currently only in draft form. It is expected that it will be amended soon based on the concerns that have been raised. The draft document nevertheless gives a useful insight into the thought process of the German legislator. Further, the matter is highly time-sensitive as the German general elections are coming up in the fall of 2017. It is thus likely that the government will want to push the GFDPA across the finish line in the current legislative period. While drafting such national legislation it will be important to ensure that the national law will not hinder the harmonisation that has been achieved by the GDPR.
The key take-away is that companies that want to get ready for the new data protection regime in May 2018 should not only focus on the GDPR, but also on the national laws that will be introduced in the next 19 months.