New developments affecting the General Data Protection Regulation

There is an increasing number of signs suggesting that the General Data Protection Regulation will be enacted at the end of 2015 or beginning of 2016 – even if many compromises must be made before then between the Commission, Parliament and Council, as suggested by the information currently available. The need for considerable discussion is evident from a 630-page document published by the Council in March 2015 which contains an article-by-article comparison of the existing drafts. Some insight into the course of the debates within the Council can be gleaned from the two “leaked” discussion versions dating from December 2014 and June 2015. These heavily footnoted documents, each over 260 pages, demonstrate the diverging views of individual countries on the matter.

Even though the many detailed discussions suggest that it is highly probable that in many cases the wording in the drafts will yet be changed before enactment, taking a look at the regulation is nevertheless worthwhile. After all, implementation of several basic concepts seems assured, at least in principle. This allows companies to start planning early on and ascertain which areas can expect to see changes and, accordingly, the areas where action needs to be taken in response. Any company now making large-scale investments in overhauling their lead generation, restructuring their customer database or modifying other processes involving personal data should devise a plan now to accommodate the changes currently taking shape. Otherwise they may find themselves with little time to implement necessary changes. It has been a long-held belief that, because of the relatively high level of data protection already existing in Germany, this country would face few consequences and would only be required to take minimal action. However, the more closely one examines the details, the more it becomes clear that companies will face a series of changes that have received too little consideration and discussion in Germany to date.

The drafts and the process: the 2012 Commission draft

The General Data Protection Regulation (below: “GDPR”) already has a long legislative history. Following the involvement of many interest groups, in January 2012 the Commission published a draft intended to update the outdated European data protection law contained in the directive of 1995 (95/46/EC) to take into account modern developments of the 21st century, such as cloud computing, social media, big data, Industry 4.0 and the Internet of Things. Despite noble intentions, for two years hardly anything happened that caught the attention of the general public.

2014 Draft of the Parliament and 2015 Draft of the Council

Then, after 12 March 2014, the process of enacting the GDPR gained new momentum. This was the day when the Parliament, with a large majority, passed a draft with modifications at many points that diverged from the proposal of the Commission. Based on this draft, the Council devised its own draft. According to the current schedule, the “trilogue” negotiations, i.e. the final reconciliation between the Commission, Parliament and Council, are to begin in summer 2015, to be completed in December 2015.
That being said, the following avoids detailed analyses; this seems especially prudent in light of the circumstance that the GDPR still largely remains a shapeless regulation.

Entry into force of the Regulation: at the earliest, end of 2017

All of the drafts contain an identical passage according to which the GDPR is to enter into force two years after its enactment. Based on the current situation, the earliest entry into force is therefore near the end of 2017. It still remains worthwhile to consider the drafts, since in some key areas it is already quite clear that the GDPR will have serious consequences for German data protection law.

Principle of prohibition subject to authority approval maintained

The basic principle of a prohibition subject to authority approval remains intact. After the enactment of the GDPR, data processing will still fundamentally remain prohibited except in cases where there is a statutory basis for authorisation. All essential statutory permits also remain intact. Some of the statutory permits deriving from Art. 7, letters a to f of Directive 95/46/EC are even adopted word-for-word in the various drafts of Art. 6 Para. 1 letters a to f GDPR. In principle, aside from permission granted by the person affected (letter a), the necessity of data processing in order to fulfill a contract (letter b) and the “legitimate interest of the data processor” (letter f) will remain the most important justifying circumstances, even after the reform. This continuity of the basic principle, however, should not give the erroneous impression that otherwise nothing will change in terms of application of data protection law in Germany.

New fines structure pursuant to Art. 79 GDPR

Currently, the maximum fine in the patchwork of German data protection regulations is 300,000 EUR, e.g. see Section 43 Para. 3 BDSG (German Federal Data Protection Act), Section 149 Para. 2 TKG (German Telecommunications Act), Section 85 SGB X (German Social Code, Book X). Yet other laws provide for lesser fines. For example, for breaches of data protection in connection with telemedia pursuant to Section 16 Para. 3 TMG (German Telemedia Act), fines up to a maximum of only 50,000 EUR can be adjudicated. With regard to other special data protection regulations, such as Section 21g EnWG (German Energy Economy Act), the legislative authority has not provided for any fines at all. Even if the specific maximum fine amount is being hotly debated, all the drafts clearly reveal that, on one hand, the GDPR will harmonise the highly varied landscape of fines in Germany, and on the other, will dramatically increase the maximum fines. The draft of the Parliament contains the most dramatic proposals, which include fines up to 100 million EUR or 5 percent of global annual revenue, whichever is higher. However, the most recently leaked document of the Council reveals that the value of the fines and the sanction system itself remain hotly contested. In this connection, the Council is proposing a new, three-level fine system that provides for fines of up to 1 million EUR or 2 percent of global annual revenue for the most serious breaches. This can still be a serious matter for large corporations, while at the same time representing a clear reduction in the fines framework for smaller companies and, especially, for individuals. Even if it is difficult to predict the actual maximum amounts, it is nevertheless likely that they will be above the amounts currently common in Germany. The question of whether the percentage of global annual revenue relates to the parent company as well or merely to individual legal persons also remains open. The drafts to date have shown a clear preference for the latter solution, however.

“One-Stop Shop”

The key phrase “One-Stop Shop” is being discussed to refer to a proposal under which the European Commission or a European “Data Protection Board” is to be granted far-reaching powers in matters with a transnational dimension. According to the drafts, at the national level there will be one “lead regulatory authority” for affiliated companies with activities in various European countries; this “lead regulatory authority” will then have certain powers of decision for intervention on the part of the authority against other European subsidiaries. Under the proposed system, the authority with national or local jurisprudence is to consult the “lead regulatory authority” before taking action independently. It is hoped that this will give international corporations the advantage of no longer having to deal in-depth with many different authorities, which often have fundamentally different conceptions of the principles of data protection legislation. It must be emphasized, however, that the details of the “One-Stop Shop” are still being debated.

Reporting obligation for breaches of data protection

The GDPR will usher in a general obligation for reporting data protection breaches to the responsible authority. This goes far beyond the previous reporting obligations pursuant to Section 42a of the German Data Protection Act, which only apply to certain types of data. Many companies will face the necessity of having to institute formal reporting management since the drafts of the German IT Security Act and European Network and Information Directive contain far-reaching reporting obligations which, in practice, will overlap to a large extent with the reporting obligations of the GDPR.

Risk analysis, assessment of data protection consequences, and consultation with the data protection supervisory authority

In many cases, the GDPR will also introduce obligations in the future for performing comprehensive risk analysis and a “privacy impact assessment” which must take into account the overall lifecycle management of personal data. The draft of the Council, which no longer compellingly requires a data protection officer, additionally demands consultation with the responsible data protection supervisory authority in cases where the privacy impact assessment demonstrates a high risk for the affected data subjects.

Information obligation

An information obligation is intended to ensure that the affected persons are better able to assert their rights against the data processor. According to the current drafts, it appears that the information on data processing that is common on the internet as part of “privacy policies” will in future also be required in purely “offline” situations – provided no exceptions apply. Article 14 GDPR, which sets the standard, is no longer in dispute. In any case, the drafts still reveal major disagreement with regard to the details of the list of exceptions for Art. 14 GDPR. In addition, according to the draft of the Commission, standardised information measures, including pre-defined “icons” that refer to certain  legal data protection risks are to be additionally used. According to a study by the German Federal Office of Statistics that only focuses on several articles of the GDPR, German companies face implementation costs for these alone totaling 1.5 billion EUR; of which the costs due to the information obligation from Art. 14 GDPR account for the lion‘s share.

What will remain of the diverse, existing national data protection standards?

Significant aspects of the effects of the GDPR on German data protection legislation only become apparent, however, when one considers that many “achievements” of German data protection legislation will be lost in light of the direct applicability of the Regulation. In terms of applicability, the GDPR takes precedence over any national standards that differ from it.

Regulations under German Data Protection Act to lapse

This applies to several standards established in the German Data Protection Act, which have no direct correlate in the drafts. For example, large parts of Sections 28 et seq. German Data Protection Act could become obsolete. The so-called list privilege set forth in Section 28 Para. 3 et seq. German Data Protection Act, which, within certain parameters, allows data to be used for advertising without prior consent, has no correlate in the GDPR and will therefore lapse in future. According to the current drafts, the same applies to Sections 28a and 28b of this Act in their entirety. This reintroduces the atmosphere of legal uncertainty with regard to the transmission of data to credit agencies that prevailed before the most recent reform of the Act in 2009. Furthermore, in light of the impending GDPR, a scoring reform bill proposed by the Greens was refused: in May 2015 the Great Coalition decided to not deal with an issue that would “be obsolete again within several months” as a result of the GDPR.

National data protection regulations remain intact in the Telecommunications Act (TKG)

In addition to several other regulations in the BDSG, other laws will also be affected. One exception will likely be the data protection regulations in the Telecommunications Act, which are based on Directive 2002/58/EC. This is because the GDPR drafts explicitly order that large parts of this directive are to remain unaffected in terms of application. And yet, the devil is in the details, once again. Since implementation of the Telecommunications Act goes beyond Directive 2002/58/EC in some areas and the standards from Sections 90 et seq. Telecommunications Act are not all prescribed by the directive in every regulatory aspect, in this case as well a precise evaluation must take place as to which standards will have to yield to the precedence of the GDPR.

To be struck: Sections 11 et seq. Telemedia Act

The data protection standards from Sections 11 et seq. Telemedia Act, however, which are not based on European law, will fall victim to the harmonisation of data protection legislation. The consequences of this can hardly be imagined as yet. For instance, the question of what will happen in Germany in terms of implementation of the so-called “Cookies” Directive must be considered from an entirely different perspective. To date, the German legislative authority has adopted the position that implementation is not necessary, since Section 12 Telemedia Act contains sufficient provisions. It appears likely that this position will be harder to defend in future. Hard times are coming for issues concerning personalised advertising online and in apps as well as all types of digital re-targeting, since it appears that the option of pseudonymised user profiles pursuant to Section 15 Para. 3 TMG will no longer be available.

Conclusion

Overall it is clear that the most serious changes to be expected from the GDPR in Germany will be, primarily, the lapsing of established German regulations. Yet companies will also face challenges in the form of new requirements, such as reporting obligations and risk assessments. In turn, these will once again expose a range of established business models to legal uncertainty, which in many cases had been overcome years ago. The legal uncertainty takes on an even graver dimension in light of the high probability of a dramatic increase in potential fines. The long period before the entry into force of the GDPR should therefore be taken advantage of as early as possible to adapt the areas in need of change as robustly as possible before any fines are incurred.