The independent German federal and state data protection supervisory authorities came together to set out the recommendation in a new report, which reflects on the experiences they have gained in implementing the EU's General Data Protection Regulation (GDPR).
The report addresses a wide range of issues, including provisions on data protection by design and by default that are contained in the GDPR. According to the German authorities, those provisions are "not broad enough" because they only apply to data controllers and not to the producers, suppliers, importers, traders that often provide controllers with the devices, software and systems they use.
"The GDPR’s data protection by design/by default principles are geared to producers but do not impose any obligations on them in that capacity," the German authorities said in their report. "The call for data protection by design/by default thus often comes to nothing if it is directed only at controllers. In the interests of promoting privacy and data protection, the GDPR should, therefore, also oblige software producers to comply with this design principle. In practice, it will in particular apply to the producers of complex software, such as operating systems, database management systems, standard office bundles and very specific specialist applications."
The proposals, if implemented, would also give data subjects new rights to raise a legal challenge before the courts against software developers over non-compliant data processing, and they would also have qualified rights to claim compensation should they suffer damage as a result of a developer's "omissions".
Data protection law expert Ruth Maria Bousonville of Pinsent Masons, the law firm behind Out-Law, said: "The report must not be read as saying that GDPR doesn’t impose obligations on software developers and producers of hardware with embedded software. If software or devices are designed to give the producer access to personal user data, the producer determines the purposes and means of such processing. This makes the producer a controller. Now that supervisory authorities are obviously focusing in on such products, software developers and hardware producers are well advised to closely observe the GDPR, if they are established, or have customers, in the EEA."
In their report, the German data protection authorities also called for EU law makers to offer greater clarity on the circumstances in which organisations can process personal data for direct marketing purposes without needing the consent of data subjects to do so.
The authorities said that while the GDPR specifies that personal data processing for direct marketing purposes may be regarded as carried out for a legitimate interest, there are questions that arise over when that is the case.
"Direct marketing affects many sectors and many data subjects," they said. "Member states have very different traditions in this regard, which means that the expectations of data subjects of which account needs to be taken when weighing up various interests may also differ. The legislator should, therefore, create more detailed provisions to ensure EU-wide harmonisation in terms of application."
"The European legislator should make statutory provisions in the GDPR in relation to direct marketing which, as a matter of principle, at the very least require that various interests are weighted," they said.
Tighter controls on profiling and reforms to the threshold for notifying personal data breaches were among the other changes called for by the German data watchdogs.
Currently, organisations must notify local data protection authorities of personal data breaches they have experienced "without undue delay and, where feasible, not later than 72 hours after having become aware of it ... unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons". In addition, where there is a high risk of damage arising to the data subjects, the data subjects must be informed directly without undue delay.
Under the German authorities' proposals, organisations would only need to notify data watchdogs in "cases which are likely to result in more than merely a minimal risk to the rights and freedoms of natural persons". However, they said the new notification should also be "expanded to include those cases in which it is not known whether a personal data breach has occurred but it be assumed to be the case".
"Often, a breach of data security has occurred but it is not known whether it has led to any personal data breach within the meaning of [the definition of 'personal data breach' under the GDPR]," they said.
The GDPR requires the European Commission to publish a report on the evaluation and review of the Regulation by 25 May 2020, two years after the Regulation first took effect. The views of EU member states are to be considered by the Commission as part of its review through the umbrella of the Council of Ministers, and the Commission is also free to request information from individual EU countries to help inform its report.