Out-Law Analysis | 04 May 2017 | 10:15 am | 6 min. read
The proposed new Federal Data Protection Act (FDPA) addresses issues such as when businesses will need to appoint a data protection officer, conditions for processing employee data, and restrictions on the rights enjoyed by data subjects. It is also set to introduce a new criminal offence related to the disclosure of personal data as part of an enhanced sanctions regime.
The draft FDPA has already been approved by the Bundestag, Germany's parliament, and is now before the Bundesrat – the assembly of the heads of the state governments within Germany and second law-making chamber in the country – for scrutiny.
Background to the new Federal Data Protection Act
There is already a Federal Data Protection Act in place in Germany. However, much of the substance of the existing Act is set to be replaced when the GDPR comes into effect on 25 May 2018.
While the GDPR, as an EU Regulation, will apply unilaterally across the EU and does not require to be implemented in the national laws of each EU country, it does contain a number of provisions that either specifically require EU member states to expand further in national law or provide the freedom to those countries to derogate from the Regulation in certain circumstances.
The proposed new FDPA is Germany's response to those requirements and freedoms.
Similarly, the UK government is currently consulting on how it might account for GDPR-related requirements and derogations within UK data protection law. However, with federal elections due to be held in the autumn and a summer parliamentary recess due before that, it is likely that Germany will have a new GDPR-ready data protection regime finalised first.
Appointment of data protection officers (DPOs)
One of the areas that the proposed new FDPA addresses is the circumstances in which businesses will be obliged to appoint a data protection officer (DPO).
Under the GDPR, Many organisations, including most public bodies, will be obliged to appoint DPOs.
Businesses whose "core activities" consist of data processing which "by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale" are required to appoint a DPO under the Regulation, as are those whose "core activities" involve processing special categories of personal data and personal data relating to criminal convictions and offences on a large scale.
The new FDPA, however, looks set to apply stricter criteria on when organisations in Germany must appoint a DPO.
According to the proposals, every business with 10 or more employees that permanently process personal data will need to appoint a DPO. In addition, in cases where data controllers are obliged to perform a data protection impact assessment or where they are commercially processing personal data for the purpose of transfer, anonymised transfer, or for the purpose of market and public opinion polling research, a DPO is needed regardless of the number of employees that organisation has.
The processing of employment data is one of the main areas that the GDPR leaves for each EU country to write its own rules on.
The proposed new FDPA sets out conditions for processing employee data for standard employment relationship purposes but also provides a framework for the specific purpose of internal investigations and more generally. It also states that any consent given by an employee must be in writing, unless a different form is reasonable due to the specific circumstances of the case.
According to the draft Act, the processing of employee data for internal investigation purposes is only justified if the employer has initial evidence that the employee has committed an offence, the investigation is reasonable in scope and necessary for further detection of the case, whilst any opposing legitimate interests of the employees must not overweigh.
The proposed new legislation also contains statutory guidance on what might constitute 'freely given' consent to data processing in the context of the employer-employee relationship. The GDPR specifically states that where there is a clear imbalance in the relationship between a data controller and data subject then consent would not be 'freely given' and therefore not a valid basis for data processing. The employer-employee relationship may be construed as an example.
The draft FDPA states that consent would be considered freely given if there is a financial benefit to the employee from the processing of their data or if the employer and employee have a similar interest in the matter which the data processing concerns.
Those are non-exhaustive examples, so there is scope for other employment data processing activities to be eligible for the 'freely given' consent requirements. The examples, however, will certainly be used as benchmarks by data protection authorities.
Restrictions on the rights of data subjects
Under the GDPR, people will have defined rights over their data. Those rights include qualified rights to access data organisations hold about them, as well as qualified rights to require correction or erasure of such data.
The draft FDPA contains exemptions in relation to when those rights apply. At an earlier stage of the development of the legislation, the European Commission raised concerns that the proposed exemptions at the time were beyond what the GDPR allows EU countries to provide for. It remains to be seen whether the Commission will challenge the exemptions as they are framed in the current draft.
Processing data for research and statistical purposes
The GDPR gives each EU country the right to limit rights that people enjoy under the Regulation where their personal data is processed for scientific or historical research purposes or statistical purposes.
Under the draft FDPA, processing of sensitive data is permitted without consent where such data processing is required for research and statistics purposes provided that the interest of the controller substantially overweighs the opposing interests of the data subject.
The proposed new FDPA also restricts some of the data subjects' rights to the extent that those rights have the potential of rendering the research and statistic purposes impossible or having a substantially negative impact on them. In a nutshell, German organisations that process personal data for such purposes will likely often be exempt from the data subject access rights, as well as from the right to erasure, but they will be obliged to anonymise the data they are using as soon as possible.
The aim of the Act's provisions in this area is to empower big data projects and facilitate the use of special categories of data – such as health data – if that data is anonymised.
A new criminal sanction
Under the GDPR, businesses face fines of up to 4% of their annual global turnover, or €20 million, whichever is highest, if they breach certain provisions of the Regulation. However, EU member states are obliged to set out further national rules on what other penalties, beyond fines, can be imposed for breaches. The Regulation requires that the penalties are "effective, proportionate and dissuasive".
The new FDPA, as currently drafted, contains provisions which would introduce a new criminal offence into German data protection law.
Under the proposed Act, a person could be jailed for up to three years if they knowingly transfer to a third party or make publically available personal data about a large number of people that is not already publically available for a business purpose. What constitutes a 'large' number of people is not defined in the proposals.
Data transfers – providing for challenges to EU 'adequacy decisions'
Organisations' ability to transfer personal data outside of Europe is restricted under EU data protection rules. Those restrictions will remain in place under the GDPR.
One of the ways in which businesses can transfer personal data to countries based outside the European Economic Area (EEA) is where the European Commission has pre-approved the destination country as providing data protection that is "essentially equivalent" to that on offer in the EU.
There are currently a number of so-called 'adequacy decisions' in place, including in relation to the EU-US Privacy Shield finalised last year. The Privacy Shield was created following a decision by the EU's highest court that effectively invalidated the Commission's adequacy decision in respect of the data transfer framework that was previously in place for EU-US data transfers.
The ruling of the Court of Justice of the EU (CJEU) clarified that Commission adequacy decisions can be challenged by national data protection authorities. This right is set to be formally provided for under the new FDPA in Germany.
Under the envisaged process, data protection authorities in Germany will be able to challenge Commission adequacy decisions before an administrative court in the country. The court can, but will not be obliged to, hear counter-arguments from the Commission over the legal challenge against its decisions. The court can confirm the validity of the Commission decision, but they will not be able to overturn those adequacy decisions. Instead, the German court will be able to refer the legal challenge to the CJEU to consider.
Stephan Appt is a Munich-based data protection law expert at Pinsent Masons, the law firm behind Out-Law.com.