Update Data Protection No. 24
Data Protection Adaptation and Implementation Act-EU (DSAnpUG-EU) passed by lower and upper houses of the German parliament
As a result, a further important piece in the new "data protection patchwork rug" puzzle is now in place.
Following the adoption of the GDPR around one and a half years ago, the German lawmaker has been faced with the challenge of removing possible inconsistencies and loopholes resulting from the priority application of the GDPR over national data protection law. The German lawmaker also wished to make large-scale use of the escape clauses contained in the GDPR for national special regulations. To this end it has now adopted the Data Protection Adaptation and Implementation Act-EU ("DSAnpUG"). Germany is therefore one of the first Member States to lay down new data protection regulations prompted by the GDPR.
In this respect, the lawmaker deliberately chose the route of repealing the entire previous Federal Data Protection Act (BDSG), and replacing it with a completely new BDSG (frequently referred to as BDSG New). Whether this removes all possible legal uncertainty is questionable. All the same, the national lawmaker must be given credit overall for the fact that an agreement has been achieved between the lower and the upper house before the end of the current legislative period, meaning that the uncertainty in this respect will not continue beyond the date of the Federal election.
Overview of the special regulations compared to the GDPR
The DSAnpUG provides for certain special regulations compared to the GDPR. We have listed the most important of these below:
- Section 4 BDSG New includes a regulation on the admissibility of and further preconditions for video surveillance in public areas (this regulation thus ousts Art. 6 Subsection 1 lit. f GDPR). In part however, the regulation also again contains references back to the GDPR (e.g. to Art. 13 and 14 concerning the obligations of transparency).
- Section 22 BDSG New includes a regulation on the admissibility of processing special categories of personal data (e.g. health data, data on membership of a religious group and similar). Here, the German lawmaker restricts the admissibility significantly further than envisaged in Art. 9 GDPR. In addition to the question of admissibility, Section 22 Subsection 2 makes a detailed ruling on technical and organizational measures. Here, the law names ten measures that are to be taken into account when processing special categories of personal data.
- Section 24 BDSG New contains a regulation on the processing of personal data for purposes other than those for which the data was originally collected. This regulation is considerably more restrictive than envisaged by Art. 6 Subsection 4 GDPR. Whilst the European lawmaker has ultimately codified a balancing solution, the German lawmaker now reduces the area of application of the change of purpose to two final case groups. If one takes this seriously and if the regulation lasts (see below), this is likely to constitute a serious limitation of many big data applications.
- Section 26 BDSG New includes a regulation on data processing for the purposes of an employment relationship. In addition to the regulation on the admissibility of data processing that is very similar to the current BDSG (Section 32 BDSG Old), Subsection 2 also contains a regulation on the assessment of the voluntary nature of declarations of consent in an employment relationship. In addition and in contrast to the GDPR, the written form is required for a declaration of consent within the framework of an employment relationship. All the same, the lawmaker has taken account of the fact that a restricting regulation on special categories of personal data in employment relationships is not meaningfully workable, and has added a corresponding deviation from Section 22 BDSG New in Section 26 Subsection 3 BDSG New.
- Section 31 BDSG New includes a special regulation on scoring and credit references.
- Sections 32 and 33 BDSG New contain a restricting regulation on the obligation of transparency. Here, there were arguments until the very end, among other things in terms of whether and to what extent the obligation of transparency can be dispensed with if this would "require disproportionate expense". A broad exemption regulation of this nature has now been included, not generally but rather only with regard to data stored in analog form.
- Under Section 38 BDSG New, companies must - as in the past - appoint a Data Protection Supervisor if, as a rule, at least 10 persons are permanently involved in the automated processing of personal data.
Is the German lawmaker shifting in the context of the escape clauses?
Just looking at the above points, it is striking how considerably the German lawmaker is deviating from the regulations of the GDPR on important points. Whether these deviations are covered by the scope of the escape clauses of the GDPR is questionable. In a legal dispute, it will be possible to object to almost every one of the above-mentioned regulations by claiming that it is not admissible on the basis of the GDPR, with the result that the GDPR is to be given priority application. The national courts will ultimately have to submit the questions to the ECJ. In summary, it can therefore be stated that the German lawmaker has succeeded in again hugely increasing the legal uncertainty created by the GDPR, even if, in individual cases (e.g. with scoring and credit references), it at least had the intention of creating a clearer framework for companies.