With the EU’s General Data Protection Regulation (GDPR) scheduled to go into effect in May of 2018 – an ambitious effort to harmonize a patchwork of EU privacy laws and create a uniform privacy regime that restricts the collection, processing and use of individual information – Germany has become the first member state to amend its own privacy laws in anticipation of the coming changes.
In May 2017, the German Federal Council (‘Bundesrat’) approved an act intended to bring current German data protection law into line with the requirements of the GDPR. On July 5, 2017, the new German Federal Data Protection Act (‘Bundesdatenschutzgesetz’), referred to here as the German Data Protection Act, was countersigned by the German Federal President and published in the Federal Law Gazette. The Act adopts some of the GDPR’s framework and concepts to enhance Germany’s existing data protection rules, while at the same time modifying existing German privacy rules to allow certain data to be used more freely in the areas of national security and employment.
Under the new German law, employee data may be processed where “necessary” to establish or carry out the employment relationship (for example, to enforce a collective bargaining agreement). Although this is not a substantive change from existing law, the Act adds clarifications on when an employee will be deemed to have “freely consented” to the use or disclosure of data as part of the employer-employee relationship. The law also permits the collection of certain health data, including genetic information, where necessary for medical treatment or in the interest of public health, provided the data is anonymized or appropriately encrypted to prevent inadvertent disclosure. Certain sensitive medical data may also be used for scientific research where the company using the data takes “suitable and specific measures” to protect it.
In one provision that is certain to receive close scrutiny, the law limits a consumer’s right to access their own data and exempts companies from having to erase or destroy personal data where fulfilling the request would be impossible, or where the effort required would be disproportionate to the consumer’s interest in erasure. This provision appears to be directly at odds with the GDPR’s goal of giving citizens a so-called “right to be forgotten,” that is, the right to have their data deleted on request. How Germany reconciles the changes to its own privacy laws with the GDPR remains to be seen, but conflict between the two is likely to result in litigation. Indeed, the new German law also grants German data protection authorities the right to challenge decisions of the European Commission in court.
Commentators have also noted that further adjustments to the law are likely over the next year as the German Federal States (‘Bundesländer’) enact new data protection laws of their own and sector-specific data protection laws follow. Although the goal of uniform privacy law is laudable, in practice it is likely to remain illusory even within large countries, let alone across member states. Companies must therefore remain mindful of the patchwork of data privacy rules affecting their business in order to minimize the monetary and reputational risks that can flow from the mishandling of sensitive data.