DRAFT FOR DATA PROTECTION REFORM: MORE DATA, LESS PROTECTION

Since 25 May of this year, the European General Data Protection Regulation (DSGVO) and the Data Protection Directive (DSRL) have been in force. They are intended to replace the EU's previous data protection law, which dates back to the 1990s, and make it fit for the digital age. While a directive still requires transposition into national law, a regulation is in principle directly applicable in the Member States. However, the General Data Protection Regulation contains numerous opening clauses that allow individual Member States to deviate from EU rules and to pursue their own national paths.

Germany now apparently wants to make ample use of this possibility. At the end of November, the Federal Ministry of the Interior presented a draft bill for the adaptation of German data protection law to the new EU rules and consulted various stakeholders and associations. Central to the project is the new version of the Federal Data Protection Act. In addition to provisions implementing the Data Protection Directive, a number of provisions relating to the opening clauses of the General Data Protection Regulation are also to be incorporated into the Act.

We also looked at the 126-page draft bill and issued a written statement within a deadline of just two weeks. In fact, the draft contains a lot of explosive material.

Red lines crossed: data protection principles and data subject rights are softened

Central principles of data protection, in particular purpose limitation, are to be softened beyond recognition. The purpose limitation principle states that data may in principle only be used for the purpose for which it was collected. According to the plans of the Federal Ministry of the Interior, this should no longer apply in the future, for example, if a subsequent change of purpose is “in the legitimate interest” of the responsible party. However, the draft does not define when such a “legitimate interest” exists. In these circumstances, data subjects can barely anticipate what will happen to their personal data after they have consented to data processing. Consent, so far one of the most important instruments for securing data sovereignty, is largely devalued in this way.

Conclusion: In the current version, contrary to EU law

The Federal Cabinet will deal with the draft as early as January 2017. The law is then supposed to pass the Bundestag before the end of the legislative period. To what extent the Federal Ministry of the Interior will respond to the criticism of the draft bill will therefore become clear at the beginning of next year. A real U-turn is unlikely given the data protection-unfriendly course of the Federal Government. In the current version, however, the law will hardly stand up to a European review. Parliamentarians, who will vote on the law next year, should also bear this in mind. A repeal of the law by the European Court of Justice would be particularly bad for Germany as the motherland of data protection.