Over the past year, the German government has been working on legislation to implement the EU’s General Data Protection Regulation (GDPR). On July 6, 2017, Germany did so by passing a statute titled the Data Protection Amendments and Implementation Act. The Act repeals Germany’s venerated Federal Data Protection Act (Bundesdatenschutzgesetz, or BDSG) and replaces it with an entirely new BDSG, aptly referred to as the “BDSG-New.” Germany becomes the first EU Member State to pass a GDPR implementation statute. Given Germany’s reputation as one of the most serious privacy jurisdictions in the EU, if not the most serious, the BDSG-New is a critical piece of legislation for companies with EU operations.
Alston & Bird is pleased to provide a five-part, English-language overview of BDSG-New provisions likely to be of significance to companies.
These articles are related to a two-part summary of the BDSG-New that Daniel Felz published in Bloomberg BNA Privacy and Data Security Law, 16 PVLR 1190, 11311.
Introduction: Individual Rights in the BDSG-New
This installment focuses on one of the most important issues for companies from a liability perspective: individual rights. Primarily, the GDPR contains rights to information (Articles 13 and 14), access (Article 15), correction (Article 16), erasure (Article 17), restriction (Article 18), portability (Article 20), and objection (Article 21). The GDPR also arguably contains rights for individuals to receive breach notifications (Article 34), and for individuals not to be subject to automated decisions in significant matters (Article 22).
Large organizations that have begun GDPR compliance projects have noticed the complexity involved in accommodating GDPR rights. Often, hundreds to thousands of systems across multiple entities, internal divisions, and countries must be coordinated to ensure that personal data relating to EU citizens can be identified, extracted, restricted, or deleted.
The BDSG-New’s provisions on individual rights primarily contain Germany-specific limitations and restrictions to the rights set forth in the GDPR. During BDSG-New drafting, a significant portion of the criticism directed at the BDSG-New was that it improperly restricted individuals’ GDPR rights.
Despite this criticism, companies should not think that the BDSG-New has limited individuals’ privacy rights in comparison to existing law, or that the German government set out to curtail individuals’ GDPR rights. On balance, individuals will have broader data protection rights under the BDSG-New than they do under current German privacy law. The reason for this is that most of the restrictions in early BDSG-New drafts mirrored existing German data protection law – and current German law contains a number of exemptions to individual privacy rights. However, when placed against the GDPR’s directly-binding rules as a backdrop, these exemptions – despite years of existence in practice – appeared less tenable from a black-letter law perspective. The rights restrictions in early BDSG-New drafts drew sharp criticism from German privacy experts and caution from German legislators. As the former head of Germany’s Federal DPA, Peter Schaar, stated in a formal public comment on the BDSG-New, “the [BDSG-New] draft restricts data subject rights beyond the exceptions contained in the GDPR without providing convincing reasons for doing so” – which he described as “at least in part contrary to EU law” (Mr. Schaar’s comment is available in German).
The final BDSG-New contains modest limitations to GDPR individual rights that are less in number than the existing limitations of current German privacy law. Nonetheless, some of these will be of interest to companies:
Right to Information / Privacy Notices
Articles 13 and 14 of the GDPR require companies to provide expanded privacy notices to EU individuals. Additionally, and importantly for many companies, the GDPR contains only limited exceptions to companies’ obligations to provide individualized privacy notices – meaning that as soon as companies hold EU individuals’ personal data, they are in principle obliged to provide a privacy notice directly to the individuals whose data they hold.
This rule potentially upends years of privacy notice practice in EU Member States, and Germany is no exception. Current German data protection law contains a number of significant exceptions to the duty to provide privacy notices to individuals. For example, current German law permits businesses to withhold privacy notices whenever (a) data they hold is from “publicly available sources” and sending individualized notices would be “disproportionate,” or when (b) sending a privacy notice would “endanger” the company’s “business purposes” – such as, e.g., requiring network security monitoring firms to notify suspects, or requiring investment banks conducting M&A due diligence to send privacy notices to employees of target companies. More broadly, privacy notices are not required for any data processing expressly “provided for” by statute, meaning that regulated consumer-facing industries often may not need to provide individualized notice. Current German law even has a privacy-notice exemption for the market and opinion research industry, stating that companies do not need to provide privacy notices if they hold data for conducting marketing or opinion research and providing individualized notice would be “disproportionate.” A similar privilege exists for the data brokerage industry when it holds or receives data in the form of “lists or similarly collated data.”
Early BDSG-New drafts attempted to preserve a number of current German law’s existing privacy notice exemptions. However, thanks to last-minute amendments from the Bundestag’s Committee on Interior Affairs, the final BDSG-New takes a more moderate approach. The as-passed BDSG-New provides one potentially significant and one modest exemption to companies’ obligation to provide privacy notices:
• Confidential Data. Current German law exempts companies from the obligation to provide a privacy notice when doing so would reveal confidential data – which German law defines as any data that, “pursuant to a provision of law or due to their nature, must be kept confidential.” Section 29 BDSG-New was able to maintain this exemption for situations where personal data are collected from sources other than the data subject: In these situations, a privacy notice does not need to be provided to data subjects to the extent that doing so would reveal confidential information. Companies providing network security services may find this exemption useful.
• Exemptions to Follow-On Notices. A lesser-discussed aspect of individuals’ information rights is found in Articles 13(4) and 14(5) GDPR. There, the GDPR points out that if a company makes a secondary use of individuals’ information that was not disclosed in the initial privacy notice, the company must inform individuals about this new use before it begins. Comments to an early BDSG-New draft described this as a “follow-on duty to inform” that accompanies a new, previously undisclosed secondary use.
In its early drafts, the BDSG-New attempted to provide broad protections for companies who may find themselves having to notify thousands of customers about, e.g., a new application or an unforeseen re-use of customer data. The early drafts stated that no “follow-on” notice was required if it would “require disproportionate effort,” or would “endanger the controller’s generally-recognized business purposes.” These exemptions largely tracked privacy-notice exemptions under current German law.
During the debates on the BDSG-New, however, these exemptions were significantly trimmed down. Now, the BDSG-New only exempts companies from providing a follow-on notice if:
– providing a notice would adversely affect the company’s establishment, exercise, or defense of legal claims (e.g. through civil litigation), or
– providing a follow-on notice would endanger public security or order (and in cases where companies obtained the data elsewhere than from the affected individuals, a public agency must confirm that providing a privacy notice would in fact endanger public security).
Additionally, to claim these exemptions, companies must (1) balance the data subjects’ interests in receiving notice against their own; (2) document their decision and reasoning for not providing notice; and (3) implement appropriate safeguards, such as posting an updated privacy notice on the Internet. Companies’ litigation-hold and e-discovery processes will need to integrate these requirements to layer proper compliance over preservation, collection, review, and production.
Further Germany-specific exemptions to GDPR privacy notice obligations are expected, if at all, in forthcoming sector-specific legislation.
Right of Access
Article 15 of the GDPR permits individuals to access any personal data that a company holds about them. In recent guidance, the Bavarian DPA described the right of access as the “central” privacy right that, by giving individuals insight into what data is held about them, enables them to exercise further privacy rights such as correction, restriction, or erasure. (The Bavarian DPA’s Right of Access guidance is available in German.) Within Germany, access rights also interplay with the fundamental right to informational self-determination, first recognized by Germany’s Constitutional Court in 1983.
Even with this background, current German privacy law contains a number of exemptions from individuals’ access rights. Much like in the privacy notice context, companies do not have to provide individuals with access to data that (a) they obtained from “publicly available sources” and providing individualized access would be “disproportionate,” or when (b) providing access would “endanger” the company’s “business purposes.”
BDSG-New drafts attempted to retain some of current German law’s existing exemptions from access rights. All BDSG-New drafts prior to legislative committee work permitted companies to withhold data from access requests if production would “substantially endanger” a company’s “generally recognized business purposes” — such as auditors searching for financial irregularities. However, during public comment, experts generally criticized limitations on GDPR rights that went beyond GDPR exemptions as potentially problematic under EU and German constitutional law. Following public comment and just before the final BDSG-New was introduced for passage, the Bundestag’s Committee on Interior Affairs struck the above exemptions.
Nonetheless, the as-passed BDSG-New retained two exemptions from access rights of potential significance to companies, as follows:
• Confidential Data. As in the privacy notice context, current German law exempts companies from the obligation to comply with access requests when doing so would reveal confidential data – here also defined as data that, “pursuant to a provision of law or due to their nature, must be kept confidential.” The BDSG-New was also able to maintain this exemption. Under § 29(1) BDSG-New, the right of access “does not exist to the extent that granting access would reveal” confidential information. One example of confidential information provided in the statute is “data about third parties.” German law contains a number of statutory duties of confidentiality – bank secrecy and trade secrets are likely the most famous examples – which presumably justify a refusal to provide access.
One question that remains unclear is whether contractual confidentiality or NDA language is sufficient to create “confidential data” which can be withheld from an access request. During public comment, the German Institute of Public Auditors (Institut der Wirtschaftsprüfer) stated that it presumed that contractual NDA language created “confidential data” exempted from access rights, but the commentary to the final BDSG-New did not contain any guidance on the matter. (The Institute of Public Auditors’ public comment on the BDSG-New is available in German.)
• High-Cost Fulfillment Situations. Current German law exempts companies from providing access in certain enumerated situations where locating and rendering individuals’ data for production would be particularly burdensome. Section 34(1) BDSG-New largely maintained this exemption, such that for German data, companies do not have to provide access to:
– Archived data (defined as data that are “stored only because, due to legal or statutory retention provisions, they cannot be deleted”), or
– Backup data (defined as data that “are stored exclusively for purposes of securing or safeguarding data”), or data stored exclusively for data protection audits.
To claim these exemptions, companies must implement appropriate measures that ensure the data cannot be processed for any other purposes. Additionally, when withholding archived or backup data from production in response to individuals’ rights requests, companies must (a) internally document their decision to deny access to the data, and (b) provide individual requestors with a reasoned explanation as to why the exempt data was not produced. As with all post-GDPR practice, the internal documentation and explanations provided to requestors should be prepared for DPA scrutiny.
Note that exceptions for archived and backup data may be specific to Germany and may not carry over into Right of Access practice in other EU Member States. For example, with regard to archived or backup data, the UK Information Commissioner’s Office has stated that “you have decided to retain [archive and backup] copies of the data for future reference, you will presumably be able to find the data, possibly with the aid of location information from the requester[, s]o you will be required to provide such information in response to [an access request]” (see the ICO’s Subject Access Code of Practice). Thus, as with all GDPR rights, companies may need to build country-specific exemption protocols for reviewing records prior to producing them to individuals.
Breach Notifications to Individuals
Technically speaking, the GDPR does not grant individuals a ‘right’ to receive notices if their data has been affected by a personal data breach. However, Article 34 GDPR does place companies under an obligation to notify affected individuals whenever a personal data breach creates a “high risk” for their privacy that cannot be sufficiently mitigated.
The BDSG-New introduces what appears to be the first Member State exception to the duty to provide breach notifications to individuals. It does so for situations where confidential information would be endangered. As above, confidential data is defined as data that, “pursuant to a provision of law or due to their nature, must be kept confidential.” Under § 29(1) BDSG-New, companies do not have to notify individuals of personal data breaches to the extent that doing so would reveal confidential data.
At the same time, however, the BDSG-New requires companies in breach situations to weigh the interests of affected individuals against confidentiality concerns, and to notify in cases where affected individuals’ interests predominate. As an example, the statute states that notification should “particularly” be made “in light of impending harm.” The statute does not enumerate any harms that would outweigh confidentiality concerns; thus, the scope of this exemption may be uncertain until German DPAs or courts provide further guidance.
Automated Decisionmaking
Whenever companies employ automated decisionmaking algorithms that have legal effects or “significantly affect” individuals, Article 22 GDPR can require them to obtain prior opt-in consent and offer human appeal mechanisms. While this rule is similar to existing law, the recent proliferation of sophisticated algorithmic decisionmaking applications – along with the increased fines under the GDPR – has brought a new focus on GDPR automated decisionmaking rules.
a. New Rules for the Insurance Context
The GDPR permits Member States to pass laws exempting automated decisions from prior-consent or human-appeal requirements. During the comment period for the BDSG-New, one of Germany’s largest insurance trade associations (Gesamtverband der Deutschen Versicherungswirtschaft) asked that the BDSG-New support efforts to digitalize claims processing (position paper available in German). It also pointed out that due to automated-decisionmaking and sensitive-data rules, health insurers – unlike general liability insurers – could not calculate benefits in an automated manner.
Section 37 of the final BDSG-New thus created exemptions for automated decisions “in the context of providing services pursuant to an insurance contract.” Here, automated decisions can be employed as follows:
• Decisionmaking algorithms can be employed without consent and appeal mechanisms if the individual receives everything he or she is asking for – for example, if an insurance company decides to pay the full value of a claim.
• Additionally, in the health insurance context, no prior consent is necessary for automated decisions based on binding fee-for-service tables for medical procedures. Here, if the individual does not receive everything she asks for, the insurer must inform the individual (at the time of full or partial denial) that a human appeal mechanism is in place.
Importantly, § 37(2) BDSG-New permits automated decisions in these scenarios to be based on health and/or medical data. This enables insurers (and potentially their vendors) to digitize health insurance claims and fits with Germany’s current push to digitize its health care industry. At the same time, in order to use health data as the basis for automated decisions, companies must implement the 10 “specific and suitable” safeguards discussed in Part 2 of this Series for companies holding medical data without individuals’ consent, including: (a) internal policies regulating secondary uses; (b) employee training; (c) appointing a Data Protection Officer (DPO); (d) access controls; (e) logging and monitoring; (f) encryption and/or pseudonymization; (g) backups and rapid restore procedures; and (h) periodic security self-audits.
b. Credit Scoring
Credit scoring is a part of many automated decisionmaking processes increasingly used in German consumer contracts. Given the potentially invasive nature of the data used for credit scoring, and the significant potential consequences for individuals in being denied credit, jobs, loans, or important purchases, the use of credit scores in algorithmic decisionmaking is an almost perfect fit for Article 22 GDPR’s provisions regulating automated decisions that “significantly affect” individuals.
At the same time, Article 22 GDPR permits companies to employ decisionmaking algorithms without obtaining individuals’ consent when they are “necessary for entering into, or performance of, a contract” with the individual. Current German privacy law contains detailed provisions regulating how credit scores can be used, and the BDSG-New largely maintains these rules. Generally speaking, credit scores can only be used “for the purpose of entering into, performing, or terminating a contractual relationship” with an individual. Section 31(1) BDSG-New contains additional restrictions on how companies can use credit scores in automated decisions, including: (a) only credit scores generated via scientifically recognized statistical methods may be used; (b) scores cannot be based exclusively on address data, and if address data is used to calculate scores, individuals must be notified (and records of this notice must be maintained); and (c) only debts that have been the subject of a judgment, are uncontested, or are seriously delinquent can be used to calculate credit scores.
Often, credit scores for German individuals are obtained from SCHUFA, a private credit bureau supported by creditors. (SCHUFA is short for Schutzgemeinschaft für allgemeine Kreditsicherung, “Protective Association for the Securing of Credit.”) Credit scoring is becoming an ever-more common facet of consumer-facing business in Germany, and international companies that intend to score customers in anticipation of granting credit or permitting purchases should ensure that their scoring procedures satisfy German requirements. Given that disappointed individuals are able to complain directly to German DPAs – and that automated decisionmaking violations carry the highest level of GDPR fines – credit scoring carries significantly more risk than under current practice.