Over the past year, the German government has been working on legislation to implement the EU’s General Data Protection Regulation (GDPR). On July 6, 2017, Germany did so by passing a statute titled the Data Protection Amendments and Implementation Act. The Act repeals Germany’s venerated Federal Data Protection Act (Bundesdatenschutzgesetz, or BDSG) and replaces it with an entirely new BDSG, aptly referred to as the “BDSG-New.” Germany becomes the first EU Member State to pass a GDPR implementation statute. Given Germany’s reputation as one of, if not the, most serious privacy jurisdiction in the EU, the BDSG-New is a critical piece of legislation for companies with EU operations.
Alston & Bird is pleased to provide a five-part, English-language overview of BDSG-New provisions likely to be of significance to companies.
Part 1: Overview, Drafting History, and Scope of Application
Part 2: Re-Use of Data – Secondary Uses, Sensitive Data, and Statistical Processing
Part 3: Within the Company – DPOs and Employee Data Rules
Part 4: Individual Rights
Part 5: Oversight, Sanctions, and Lawsuits
This first installment introduces non-German readers to the BDSG-New. It begins with an overview of the statute, then explain its drafting history, and closes with an analysis of its scope of application. Subsequent installments will focus on BDSG-New provisions likely to affect the way companies may do business or process data in Germany.
These articles are related to a summary of the BDSG-New that Daniel Felz published in Bloomberg BNA Privacy and Data Security Law, 16 PVLR 1190.
Overview of the BDSG-New
Germany’s current BDSG is an institution, whose sections practitioners and companies active in Germany can often recite by heart. For example, companies who retain external German vendors have likely encountered § 11 BDSG, which requires initial vendor due diligence, a detailed processing agreement, and ongoing compliance checks. The BDSG-New is arguably the most significant amendment to the BDSG since it was originally passed in 1990. Although some of the current BDSG’s existing rules remain in place, a great number of its “core” provisions disappear, displaced by directly-applicable rules of the GDPR.
The BDSG-New does not merely implement the GDPR, but also the EU Law Enforcement Data Sharing Directive (2016/680, or the “Law Enforcement Directive”), which permits Member States to pass laws permitting their law enforcement agencies to share data with other countries. Thus, in contrast to existing law, the BDSG-New largely focuses on processing by public authorities. The BDSG-New contains four Parts:
Part 1: General Provisions. Part 1 (§§ 1-21 BDSG-New) contains general provisions that apply to both BDSG-New provisions that implement the GDPR, as well as those that implement the Law Enforcement Directive First and foremost are the BDSG-New’s scope-of-application and definitions provisions. Part 1’s most lengthy and detailed sections regulate the structure and powers of Germany’s Federal Data Protection Authority (DPA). Part 1 also regulates how the unique German system of one federal DPA and 16 state-run DPAs will work together on questions involving multiple EU Member States, and will select who represents Germany in the GDPR-created European Data Protection Board. Companies will be affected by Part 1’s scope provisions, but are otherwise unlikely to find rules that apply to their operations.
Part 2: Implementation Provisions for Processing Pursuant to the GDPR. Part 2 (§§ 22-44 BDSG-New) contains the BDSG-New’s GDPR implementation provisions. For companies, Part 2 is where the action is. Companies will recognize rules elaborating the GDPR’s provisions on processing principles, secondary uses / data re-uses, Data Protection Officers, HR processing, credit reporting, individual rights, processing for scientific and research purposes, lawsuits, and sanctions. It is the only part of the statute that contains provisions directly applicable to day-to-day corporate operations, and this series of articles will cover it in detail.
Part 3: Implementing Provisions for Processing Pursuant to the Law Enforcement Directive. Part 3 (§§ 45-84 BDSG-New) implements the Law Enforcement Directive. As such, its rules apply to public authorities that process data for the purpose of “preventing, investigating, detecting, or prosecuting criminal offences or executing criminal penalties.” Part 3 is a statute-within-a-statute, containing a parallel set of data protection rules that apply exclusively to law enforcement agencies. It contains entirely separate rules on fundamental processing principles (§ 47), privacy by design and default (§ 71), secondary uses (§§ 48-50), individual rights (§§ 56-59), processors/vendors (§ 62), information security (§ 64), breach reporting (§ 65-66), data protection impact assessments (§ 67), and international transfers (§§ 78-81). Some government contractors, especially those in the security sphere, may be indirectly affected by Part 3’s rules, but Part 3 is unlikely to apply directly to most companies.
Part 4: Processing in the Context of Activities that Do Not Fall within the Scope of the GDPR or the Law Enforcement Directive. The BDSG-New’s final Part consists of a single section (§ 85) that contains rules for processing that does fall within the scope of the GDPR or the Law Enforcement Directive – such as transfers for important national defense purposes or for government-led “crisis management.” As with Part 3, most companies should not be affected by this section.
The BDSG-New has a fascinating history involving more debate and controversy than many observers may expect from Germany. Initially, the German government crafted the BDSG-New as a sweeping new privacy regime that would have allowed unrestricted Big Data uses, as well as substantial restrictions on individuals’ privacy rights. This resulted in pushback from privacy advocates and from Germany’s federal and state data protection authorities (DPAs) tasked with supervising privacy laws. At the same time, industry groups weighed in to challenge provisions they saw as onerous for businesses. After rounds of drafting and debate, Germany settled on a modest approach that makes some changes, but preserves a number of existing rules. Lawmakers may have been moved by considerations that – as the former head of Germany’s Federal DPA put it – “we have a reputation to lose,” and that the BDSG-New would set precedents for other Member States.
The public nature of the BDSG-New’s drafting may provide avenues for statutory interpretation and arguments before German DPAs and courts. Many provisions in the final BDSG-New were present in initial drafts; were commented on by both interested third parties and German DPAs; and were often amended – at times significantly – before settling into final form. This can support interpretative arguments, and companies facing novel or borderline cases may be able to turn to the BDSG-New’s drafting materials for assistance.
The BDSG-New was drafted by Germany’s Interior Ministry (Bundesministerium des Innern, or “BMI”). The BMI is one of the German government’s most important Cabinet ministries, responsible for federal police matters, internal security, protection of the constitutional order, and aspects of national security. For US readers, it is as if Homeland Security had worked with the FBI to draft a data protection statute.
By August 5, 2016, the BMI had completed its first draft of a GDPR implementation statute it titled the “Data Protection Amendments and Implementation Act” (abbreviated as “DSAnpUG” for Datenschutz-Anpassungs- und Umsetzungsgesetz), which contained the draft BDSG-New (draft available in German here). Ministry drafts of statutes are secret until they have been approved by the full Federal Cabinet – but in the BDSG-New’s case, the BMI’s August 2016 draft was leaked to the press. The draft contained fundamental changes to German privacy law, such as permitting the government to re-use any data for defense or national-security purposes. Leaked alongside it were formal comments from Germany’s Justice Department, Germany’s Federal DPA, and Germany’s 16 state-run DPAs. The comments revealed significant disagreements between BMI and the DPAs, especially regarding secondary uses and restrictions to individual rights. They also showed that the Justice Department had prevented the draft from proceeding to further steps in the legislative process until certain changes were made.
In mid-November 2016, the BMI published an updated draft containing significant revisions, but still containing fundamental changes to German privacy law – such as permitting companies to make any secondary use of data supported by what they documented as their “legitimate interests” (draft available in German here). The BMI then announced a first round of public comment, permitting approximately two weeks for interested parties to submit written statements. A number of industry groups and privacy experts submitted comments and suggestions for amendments. Following this initial round of comment, the BMI significantly amended a number of the more intensely-debated portions of the draft BDSG-New, and presented the amended draft to the Federal Cabinet of Ministers.
On February 1, 2017, the Cabinet adopted an amended draft (in German), which was introduced as a bill into the German legislature. Within the Lower House (Bundestag), the bill was assigned to the Committee on Interior Affairs. The Committee announced a second two-week round of public comment, following which it held a hearing for subject-matter experts to presented positions. The Committee then made several significant final amendments to the bill before re-introducing it to the full Bundestag, which passed it in April 2017. After the Federal President signed the bill, it was published in Germany’s version of the Federal Register on July 5, 2017 (official published version available in German here). The BDSG-New is thus an enacted statute, but – like the GDPR – almost all of the BDSG-New will not enter into force until May 25, 2018.
The BDSG-New’s Geographic Scope of Application
The GDPR expands the extraterritorial scope of EU privacy law. Article 3 of the GDPR not only subjects companies with an EU presence to EU privacy law, but also any company outside the EU that “offer[s] goods or services” to EU residents, or monitors EU residents’ behavior.
For the BDSG-New, the question was whether German law should adopt the same extraterritorial scope as the GDPR, or take a more limited approach. Early drafts of the BDSG-New followed a German privacy law’s traditional territorial approach, limiting the BDSG-New’s scope to companies with a German establishment. This would have had the consequence that a company without a German presence could potentially be subject to the GDPR through its use of German data – e.g. by profiling German residents – but would not have been subject to the BDSG-New.
By the time of its passage, however, the BDSG-New had adopted the GDPR’s expanded extraterritorial scope for its own. Under § 1(4) BDSG-New, a company – controller or processor – is subject to the BDSG-New to the extent that:
It processes personal data within Germany;
It processes personal data in the context of the activities of an establishment within Germany; or
It does not have an establishment within the EU, but falls within the GDPR’s extraterritorial scope of application – such as by offering goods or services to EU residents, or by profiling EU residents online.
The final prong establishes as a new rule that, if a non-EU company is subject to the GDPR, it is automatically subject to German data protection law. This rule may represent an attempt to ensure that German law, and German DPA supervision, can apply to non-EU companies as soon as they begin processing German data. Still, the rule may have unforeseen consequences in that it potentially subjects companies to German law in the absence of any factors connecting them to Germany. For example, a Florida company marketing to Spanish residents would be in-scope for the GDPR, and thus technically within the scope of German privacy law. Also, the rule may present challenges when a U.S. company is processing data of, for example, both German and French residents – especially if France and other EU Member States adopt the same rule. In such a situation, German courts may resort to classic choice-of-law principles to determine which Member State’s law applies in the individual case.
Companies should be aware that a German DPA’s determination that German law governs particular operations is not binding on German courts. German courts review determinations regarding applicable law de novo, and are not required to afford deference to the DPA’s ruling. In fact, several recent challenges to DPA rulings turned on the question of whether German law applied to the processing at issue, and courts evaluated and at least partially reversed some DPAs’ decision to apply German law. A high-profile example occurred when Facebook Ireland challenged the Hamburg DPA’s order blocking the transfer of WhatsApp user data to Facebook on the basis of German law. Upon review, the Hamburg Administrative Court preliminarily found the application of German law to transfers between WhatsApp (a US company) and Facebook Ireland (an Irish company) to be “questionable”, and it will issue a more detailed decision in the coming months.
The GDPR or the BDSG-New – which Applies?
Some early commentary on the BDSG-New has focused on the question of whether its norms supplant those of the GDPR in areas where they apply. In fact, in some of their more emphatic statements on the BDSG-New’s more debated provisions, German DPAs stated they would refuse to enforce any BDSG-New provision they believed conflicted with the GDPR.
Section 1(5) BDSG-New attempts to resolve this issue, or at least to provide an avenue for avoiding conflicts. It states that BDSG-New provisions “do not have application to the extent that EU law, in particular [the GDPR], directly apply.” The approach appears to be that whenever the GDPR contains a rule that is on point for the circumstances presenting, the GDPR applies; only if no such on-point GDPR rule is present does the BDSG-New come into consideration. Still, companies, courts, and DPAs may have differing conceptions of whether a GDPR provision applies “directly” or “indirectly,” and it remains to be seen whether this provision will provide a workable dividing line between the GDPR and the BDSG-New.
Notable Absences and Future Developments
The BDSG-New does not expressly address some of the more pressing questions of privacy law, such as automotive data, autonomous vehicle data, or data as an asset in distressed companies. It is anticipated that special statutes will be passed to provide issue- and industry-specific privacy rules that supplement the BDSG-New’s general framework. Moreover, given the omnipresence of data processing in governmental and corporate operations, a large number of German statutes already contain privacy provisions, which will need to be updated to accommodate the GDPR. Estimates range from 100 to 300 statutes requiring GDPR updates. This work is likely to begin following German elections at the end of September 2017, and Alston & Bird will report on developments as they arise.
* * * * *
 US audiences may be unfamiliar with the manner in which legislation is drafted and introduced in Germany. In contrast to the U.S., German legislation is drafted within the executive branch. The particular Cabinet ministry into whose remit a piece of proposed legislation most clearly falls generally drafts the new legislation, and owns the draft until it is adopted by the full Cabinet. Once the drafting ministry has completed a first draft, it circulates its draft legislation to other Cabinet ministries and federal agencies whose jurisdiction may be touched by provisions in the draft for comment. After the ministries have reached sufficient agreement, the draft legislation is presented to the entire Federal Cabinet of Ministers for approval. If the Cabinet approves, the draft is now no longer a ministry draft, but a full-Cabinet draft (“Kabinettsfassung”). The Cabinet draft then leaves the German executive branch and is introduced to the German Parliament as a bill for debate and passage.