17 November 2016
The German Federal and State Commissioners (‘the Commissioners’) published, on 11 November 2016, their analysis of a draft General Federal Data Protection Act (‘ABDSG’) by the German Ministry of the Interior (‘BMI’) from August 2016 (‘the Report’). A finalised ABDSG is intended to replace the current Federal Data Protection Act 2003, in light of the entry into force of the General Data Protection Regulation (‘GDPR’) in May 2018.
Dr. Carlo Piltz, Lawyer at JBB Rechtsanwälte, told DataGuidance, “The Report refers to the BMI’s draft ABDSG, [which] was also heavily criticised by the Ministry of Justice, and is now being revised. I think this is a good start to some extent, however, it also contains deficiencies […] It highlights the fact that, with the GDPR applying as of 25 May 2018, we will not only deal with one data protection law in the EU. Especially in the public sector but also for certain processing operations and obligations of private entities, we will face a situation with different and possibly divergent national data protection laws. One major problem in this regard, is the fact that the GDPR does not provide any rule when such national data protection laws apply. The application of national data protection law is totally left to the Member States and this might in practice create uncertainty if divergent standards evolve.”
In particular, the Commissioners argue that the draft ABDSG does not adequately implement the GDPR and that some parts should be legislated for at the state rather than at the federal level.
“According to the Commissioners, the draft ABDSG sometimes repeats opening clauses from the GDPR, but does not implement them and thus, violates the GDPR and German constitutional law,” said Dr. Andreas Splittgerber, Partner at Olswang LLP. “In addition, the Commissioners argue that the level of data protection in Germany is lowered in the draft ABDSG, for example, rights of the individuals are curtailed in the draft and the legitimisation of processing of sensitive data is extended, or at least, a widened interpretation of the principle is adopted.”
One major problem in this regard is the fact that the GDPR does not provide any rule when such national data protection laws apply. The application of national data protection law is totally left to the Member States and this might in practice create uncertainty if divergent standards evolve
The Commissioners did, however, generally welcome the draft ABDSG’s use of Article 88 of the GDPR, which provides that Member States may, by law or by collective agreements, establish more specific rules to ensure the protection of the rights and freedoms in respect of the processing of employees’ personal data in the employment context.
Dr. Ulrich Baumgartner, Partner at Osborne Clarke LLP, highlighted, “The draft ABDSG almost literally reiterates the sole provision in the current Federal Data Protection Act 2003 dealing with the processing of employee and applicant data. On the one hand, the Commissioners welcome this, doubting that the GDPR would really fit with existing German employment law. On the other hand, the Commissioners call on the German legislator to adopt a more comprehensive German law on the protection of personal data in an employment context – something which the Government has tried a couple of times over the last decades without success.”
In addition, the Commissioners expressed their approval of Section 14 of the draft ABDSG, which regulates data protection officers (‘DPOs’).
Piltz commented, “According to Section 14, a DPO has to be appointed in cases where personal data is commercially processed for the purpose of transfer. Furthermore, a DPO has to be appointed where private bodies generally deploy a minimum of ten employees to carry out the automatic processing of personal data on an ongoing basis.”
Although a revised version of the draft ABDSG is expected to be released shortly, Piltz and Baumgartner noted that a definitive timeline for its adoption was unclear, due to national elections due to take place in autumn 2017.
Alexis Kateifides | Privacy Analyst