Hanno Timner and Jens Wollesen
Privacy + Data Security
Germany is the first Member State in the EU to approve a law implementing the General Data Protection Regulation (GDPR) into national law. Germany’s Federal Assembly (Bundesrat) cleared the new Federal Data Protection Act (New Act) on May 12, 2017, which now must be signed by the Federal President to become law.
The New Act will repeal the current Federal Data Protection Act (FDPA) on May 25, 2018, when the GDPR enters into force. Companies that fall within the New Act’s scope (see below) will therefore not only have to comply with the GDPR but also with the New Act.
The GDPR’s harmonization is not all-encompassing: The GDPR will enter into force across the European Union on May 25, 2018, and it will replace and harmonize the national data protection laws of the 28 EU Member States. There are, however, a number of areas in the GDPR where Member States may add their own rules (e.g., processing in the employment context and processing of sensitive personal information), so local requirements may vary.
There will be a tiered approach where the New Act complements the GDPR: The German New Act is meant to repeal and replace the FDPA in its entirety. A large portion of the GDPR’s material provisions takes effect directly and does not require any implementation. Such provisions are therefore not included in the New Act. Rather, the focus is on the areas that require, or offer the possibility of, further regulation by national legislation.
The scope of the New Act mirrors that of the GDPR but also does more: The New Act will apply to the processing of personal information:
The above expansions of the scope of application are noteworthy, as the GDPR was intended to harmonize the European privacy regime and to prevent an accumulation of different applicable national regimes. The expansion of application principles under the German New Act could very well end up having a contrary effect.
The New Act does not, however, deviate from the GDPR’s rules on the (national) DPAs’ authority to enforce privacy law. Thus, an Irish or Polish DPA could have authority to enforce the German New Act.
Highlights of the New Act:
The New Act provides for lower thresholds than the GDPR for the appointment of a DPO. The New Act does not require the appointment of a separate German DPO. Therefore, under Art. 37 para. 2 GDPR, a group of companies may appoint a single DPO, satisfying the requirements under the New Act.
Comprehensive implementation act may obstruct effective harmonization: It is clear that the New Act is much more comprehensive than the FDPA (by comparison, the FDPA has a total of 48 provisions versus 85 provisions in the draft New Act). German Data Protection Authorities have already pointed out that the detailed provisions of the New Act may effectively get in the way of the harmonization effect of the GDPR. Lawmakers have addressed specific points of criticism, such as the previously extensive limitation of information rights, while leaving the overall structure intact. The New Act’s exemptions from the GDPR will, however, likely remain a potential source of conflict.
The original draft of the New Act is available on the webpage of the Federal Ministry of the Interior. Amendments from the legislative procedure are also available (both documents in German only). A consolidated version of the amended New Act has not yet been published.
©1996-2019 Morrison & Foerster LLP. All rights reserved.