Data Protection in Germany – What's New?
The German Federal Data Protection Act ("FDPA") which came into force on 25 May 2018 together with the European Union's General Data Protection Regulation ("GDPR") makes specific provision for the federal public sector. It also sets out important national rules for the private sector, making use of the opening clauses provided by the GDPR. The German Parliament passed an amending act at the end of June 2019 which includes some changes to the FDPA. In addition, each of the 16 states in Germany has its own data protection laws. These apply only to the public sector in the relevant state.
For private companies the FDPA sets rules, e.g. on the designation of a data protection officer ("DPO") (Sec. 38 FDPA), on data processing in the context of employment (Sec. 26 FDPA) or regarding scoring and credit checks (Sec. 31 FDPA).
The FDPA provides for stricter rules than the GDPR for the designation of a DPO. At present, under Sec. 38 FDPA, data processors and controllers have to designate a DPO if at least 10 persons are regularly engaged in the automated processing of personal data. However, in the recent amending act, the German Parliament decided to increase the threshold to 20 persons.
According to Sec. 26 FDPA, personal data of employees may be processed for employment-related purposes, e.g. if the processing is necessary to enter into, carry out and terminate an employment relationship. Employees' personal data may also be processed to detect a criminal offence if there are sufficient documented indications to suspect that the employee has committed a crime while employed. The FDPA also sets out rules on when the consent of an employee is freely given and valid.
According to Sec. 31 FDPA, the use of scoring and credit checks is subject to certain conditions. It may only be used if privacy rules are met, relevant data are used and the score is based on acknowledged, reliable mathematical-statistical methods. Scores determined solely on the basis of address data are not permitted. If address data are used, the law requires the data subject to be notified in advance.
2018 has been the year of advice - 2019 will be the year of controls. (Stefan Brink, State Commissioner for Data Protection and Freedom of Information Baden-Württemberg)
The federal administrative structure in Germany results in a rather complex system with numerous data protection authorities. Since all the federal states as well as the Federal Republic itself each have their own authority, it is not easy to keep track of their competences and areas of focus. To ensure a unified application of the law, the authorities all meet every few months in the data protection conference (Datenschutzkonferenz – "DSK"). The DSK adopts resolutions, definitions and opinions on data protection. This helps identify the areas in which the authorities are most heavily engaged.
Lately, their common focus appeared to be data protection in the public sphere. In particular, discussions concentrated on matters such as the processing of health data in medical practices and hospitals, children's data in schools, the use of personal data in election campaigns as well as video surveillance and privacy in police work.
Artificial intelligence ("AI") systems are currently also in the spotlight. In April 2019, the DSK adopted a declaration on AI, acknowledging its advantages but also pointing to the risks of data misuse. According to the DSK, there must be effective measures to prevent hidden discrimination and to ensure compliance with the principles of purpose limitation and data minimisation. Despite the automated functioning of AI systems, a person must always be able to intervene in the data processing. Not only the result but also the whole process must be transparent and intelligible to the data subject. Currently, no standards exist for AI systems on the technical and organisational measures required by Article 25 GDPR. The DSK calls on science and industry to develop these standards now, with the active assistance of the data protection authorities.
Some of the authorities have announced that, now that the GDPR has been in force for more than a year, they see less need for comprehensive advice and will intensify supervision. This applies especially to large businesses, which are now expected to uphold the legal standards in full.
Those of us who are responsible for the implementation of data protection will have to be judged by whether we enforce the GDPR against large corporations. (Heinz Müller, State Commissioner for Data Protection and Freedom of Information Mecklenburg-Vorpommern)
For example, controls have been increased in digital matters. Thüringen's authority has just extensively checked privacy statements in apps, and Schleswig-Holstein and Bremen dealt with data processing by smartphones that goes unnoticed by the user, so-called offline and cross-device tracking. Moreover, many authorities are currently giving particular consideration to employees' privacy, emphasising the limits on employer monitoring of employees.
Recent data protection law decisions also influence the supervision by the German authorities. As a result of the 2018 judgment by the European Court of Justice on the joint responsibility of Facebook fan page administrators, those fan pages will come under closer scrutiny. Berlin's data protection authority doubts that Facebook is providing sufficient information in this context.
A recent decision by the German Federal Cartel Office showed a novel understanding of the relationship between competition law and data protection. It found that a violation of data protection law may constitute an abuse of a dominant position. This raises questions on the role of data in competition law matters and is likely to encourage large and possibly dominant companies to devote particular attention to data privacy.
In Berlin, the online bank N26 has just been fined for keeping a "blacklist" of former customers with whom the bank wishes to have no further business relationship. Many question whether this decision weighed the interests correctly. This illustrates how data privacy can conflict with contractual freedom.
In December 2018, the German Federal Constitutional Court ruled on data protection in criminal investigations. It held that the investigating authorities may order email providers to store IP addresses even if, normally, in accordance with data protection law, they do not log these. As a result, in some cases, criminal justice considerations may outweigh privacy interests.