Changes to the BDSG and TTDSG - What is changing and what companies need to pay particular attention to

"To improve the enforcement and consistency of data protection, we are strengthening European cooperation, institutionalizing the Data Protection Conference in the Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG) and want to enable it to make legally binding decisions where possible.“, the current government said. The Federal Cabinet has now approved a draft amendment to the BDSG. The intention is to partially implement the coalition agreement with regard to data protection and the results of an evaluation of the BDSG.

The Federal Ministry for Digital and Transport has also presented a draft. The Telecommunications Telemedia Data Protection Act (Telekommunikation-Telemedien-Datenschutz-Gesetz – TTDSG) is to be amended in particular to the extent that "number-independent interpersonal telecommunications services" are obliged to offer their telecommunications services with end-to-end encryption as standard.

This article shows what other important changes are planned and what companies and affected persons need to look out for once they have been implemented.

A. What will change

I. BDSG-Draft

Since the introduction of the BDSG in the 1970s, there have been numerous amendments to the law. In addition to many changes intended to clarify the law, there are now also many specific changes that could have an impact on data controllers and data subjects.

In accordance with the newly introduced Section 16a BDSG-Draft, the Data Protection Conference (Datenschutzkonferenz – DSK) is to be institutionalized in order to dispel any doubts regarding its position as the official representative body of the independent data protection supervisory authorities. Contrary to what was intended in the coalition agreement, however, the resolutions of the DSK are to remain legally non-binding, as otherwise constitutional limits could be affected (mixed administration).

According to Section 40a BDSG-Draft, companies and/or research institutions with transnational projects shall only be subject to a single state data protection authority. These companies should be able to jointly indicate that they are joint controllers. The competent supervisory authority should then be the one in whose jurisdiction the company with the highest annual turnover in the financial year preceding the notification falls. The notification should be made to all supervisory authorities that are responsible for the joint controllers.

For joint controllers who process data for scientific or historical research purposes and for statistical purposes and who are not or not exclusively companies, Section 40a BDSG should apply with the proviso that the authority in which the most people are employed is solely responsible.

The right of access under Art. 15 GDPR will be clarified by Section 34 BDSG-Draft for cases where the information would disclose a trade or business secret of the controller or a third party to the data subject and the interest in confidentiality outweighs the interest of the data subject in the information.

The European Court of Justice (ECJ) ruled on 07.12.2023 - C-634/21 (we reported on this in Data Protection Update No. 161) that Schufa scoring constitutes an impermissible automated decision if it significantly determines whether a third party to whom the score value is transmitted establishes, implements or terminates a contractual relationship with this person. The ECJ ruling also dealt with the question of whether the requirements of the GDPR precluded the application of Section 31 BDSG. The Wiesbaden Administrative Court and the Advocate General of the European Court of Justice expressed "serious concerns", including the infringement of EU law, with the result that the Federal Government would like to remedy this by repealing Section 31 BDSG and replacing it with Section 37a BDSG-Draft.

Section 37a BDSG-Draft is intended to extend the data subject's right under Art. 22 GDPR not to be subject to decisions based solely on automated processing. Section 37a (2) BDSG-Draft is intended to restrict the area in which probability values may be created for the purposes of scoring. In particular, special categories of personal data within the meaning of Art. 9 GDPR may not be processed. In addition to a special right to information under Section 37a (3) BDSG-Draft, data subjects should also have the opportunity to challenge the controller's decision, which is based on a probability value, and to present their own point of view.

II. TTDSG-Draft

In addition to mandatory end-to-end encryption, clarifying and supplementary regulations are also to be incorporated into the law.

For example, "secure end-to-end encryption" is defined as an encryption technology through which telecommunications content is encrypted at the sending end user and only decrypted again at the receiving end user, so that it is unreadable over the entire transmission path, cannot be viewed and the provider of the telecommunications service or third parties cannot obtain the key either.

End users shall be informed about end-to-end encryption by the provider of the telecommunications service. In the event that such encryption is not technically possible, the provider shall provide information about the technical reasons that prevent such encryption.

The newly introduced Section 13a TTDSG-Draft is intended to allow providers of commercially offered telecommunications services to process subscriber data, traffic data and location data insofar as this is necessary to secure and transmit electronic evidence in the event of a European Security Order for electronic evidence in criminal proceedings and for the enforcement of custodial sentences following criminal proceedings.

For the same purpose, according to Section 24a TTDSG-E, providers of commercially offered telemedia that enable their users to communicate with each other or process data in any other way shall be allowed to process subscriber data and usage data, provided that the storage of data is a defining component of the service provided to the user. This shall also apply to providers of Internet domain name and IP numbering services such as IP address allocation and domain name registration services, providers of domain name registry services and providers of domain name related privacy and proxy services.

Furthermore, two new offenses are to be added to the provision on fines in Section 28 TTDSG On the one hand, end users within the meaning of Section 3 No. 13 Telecommunications Act (Telekommunikationsgesetz – TKG) must be informed about the implementation or possibility of end-to-end encryption. On the other hand, users within the meaning of Section 3 No. 41 TKG should be informed about the possibility of continuous and secure encryption, which ensures that information can only be read by the user provided. The amount of the fines is not to change.

In Section 29 TTDSG-Draft, the powers of the Federal Commissioner for Data Protection and Freedom of Information are to be extended. In particular, he or she should now be able to issue orders and take other measures to ensure compliance with data protection. To date, such a general clause has not been provided for in Art. 58 GDPR. It remains to be seen to what extent this power is limited to the powers specified in Art. 58 GDPR.

It should be mentioned that it should be possible to impose a penalty payment of up to EUR 1 million in order to enforce the measures of Section 29 TTDSG-Draft.

B. What follows

The resolutions of the DSK will remain non-binding. However, the short papers and resolutions continue to provide a reliable point of reference for companies, as it can be assumed that the views of the supervisory authorities will not deviate from them. Nevertheless, a critical look should always be taken, as the views of the authorities are often stricter than those of the courts.

The fact that only one supervisory authority is to be responsible for joint controllers with cross-border projects could create legal certainty for these companies by creating clarity among the supervisory authorities. The same applies to joint controllers who process data for scientific or historical research purposes and for statistical purposes and who are not exclusively companies. However, the way to get there does not exactly speak in favor of reducing bureaucracy.

Companies should pay close attention to the restriction of the right to information. Companies should be aware that information could be refused if a trade or business secret of the controller or a third party would be disclosed and the interest in confidentiality prevails, in order to avoid disclosing information unnecessarily. However, the regulation is ultimately only a clarification of Art. 15 (4) GDPR.

Data subjects, on the other hand, should familiarize themselves with Section 37a BDSG-Draft when it comes to scoring procedures. In future, credit agencies will need to comply with the new requirements of Section 37a BDSG. In particular, they must ensure that sensitive data within the meaning of Art. 9 GDPR is not processed.

With regard to the possible amendments to the TTDSG, there is no increased need for action for most of the service providers concerned with regard to mandatory end-to-end encryption, as this is already offered by many as standard.
However, they must pay attention to the information obligations that could go hand in hand with the obligation, as these are to be included in the fines.

C. Summary

With these two drafts, the legislator intends to keep the promises made in the coalition agreement as far as possible. A key focus here is on better enforcement of data protection and cyber security.

It may take a while before the two drafts become reality.

While the draft of the new BDSG still requires the opinion of the federal states and readings in the parliament before the law is promulgated and enters into force, the new TTDSG is already scheduled to enter into force on April 1, 2025. The amendments to the BDSG are due to come into force on the first day of the quarter following its publication, meaning that changes to the law can be expected before the end of the year.

Until then, companies should familiarize themselves with the upcoming changes and take remedial action if necessary.