On July 5, 2017, the German parliament passed the new German federal data protection act (“FDPA”), setting the stage for the General Data Protection Regulation (“GDPR”) coming into force in Europe in May next year. The new law reveals that Germany is no longer interested in keeping the title for having the strictest data protection practices in Europe:  Whilst Germany used to go beyond harmonized standards, it has now relied on the opening sections in the GDPR, which allow member states to introduce additional national provisions to further specify the application of the GDPR, to soften the GDPR’s regulatory impact in Germany.

For insiders, this development does not come as a surprise. German industry wants to play a leading role in “industry 4.0,” i.e., the digitization of manufacturing technologies, which requires the management of big data volumes. As reported before, over the last few years, members of the German government indicated on several occasions that they do not want to cut off European companies from big data management by introducing overly restrictive data protection rules and advertised not to apply the GDPR too restrictively. With the amended FDPA, Germany took a first step in this direction.

Among other things, the new act clarifies that informed consent can also be “freely” given in an employment relationship under certain criteria (taking into account an existent dependency and the specific circumstances)—a principle that was controversial under the application of the old rules. The new FDPA also eases the conditions for the collection of health, biometric and generic data, an amendment that will certainly be well received in the pharma and life science sectors. The processing of sensitive data for scientific or historic research and statistical data can even be done without consent as long as the researcher’s interest outweighs the individual’s interest and appropriate and specific measures are in place to safeguard the data subject’s interests.

Part of the data protection community has criticized the new FDPA for diluting rights of data subjects. From an industry perspective, however, the new FDPA must be considered a step in the right direction as it clarified some critical aspects of the old law, such as the preconditions for employees’ consent. It remains to be seen whether the other member states will follow Germany’s approach when amending their own national legislation or set their own standards. Chancellor Merkel already indicated last week in Berlin that Germany will closely collaborate with France to clarify undefined terms in the GPDR and to provide recommendations for specific industries.

The new FDPA will come into force on May 25, 2018. Potential conflicts with provisions of the GDPR are resolved in the favor of the latter:  Section 1(5) of the new act stipulates that its provisions do not apply to the extent that the laws of the EU, in particular the GDPR, are directly applicable. But, in the light of the previous criticism, it must be anticipated that some sections of the amended FDPA will be subject to challenge before the German and/or European Courts.

Germany’s approach also shows that despite the EU’s harmonization efforts, there will remain differences in the individual jurisdictions of the member states in the field of data protection law.