Germany’s Interior Minister Thomas De Maiziere has toned down the language in strict passages of a data protection bill that would transpose an E.U. directive into national law. The changes come shortly before the law is due to be passed by the German Cabinet on Wednesday.
Mr. De Maiziere ordered changes made to those rules which were stricter than the E.U. Data Protection Directive had called for. The directive is intended to aid both consumers and the economy. Handelsblatt has obtained a copy of the new version.
German companies are seeking clarity on what awaits them in the law, but a dispute between Federal Minister of Justice Heiko Maas of the center-left Social Democratic Party (SPD) and Mr. DeMaiziere of the center-right coalition partner, the Christian Democratic Union (CDU), had delayed an agreement being reached. Among other issues, Mr. Maas has criticized loopholes in Mr. DeMaiziere’s bill for a new federal data protection law.
But time is short. E.U. member states have until May 2018 to adapt national law wherever it contravenes the new E.U. data protection rules. And with elections coming up in October of 2017, the German federal government is under pressure to agree to appropriate adjustments. Ultimately, the election and subsequent cabinet formation will effectively paralyze legislation for months on end.
Companies will have to make adjustments, and that will be expensive. Tim Wybitul, Data Protection Attorney at Hogan Lovells
According to the latest draft, companies would be obligated in the future to inform clients if they plan to use their data for purposes other than originally intended. But there are a few exceptions – for example, if informing customers “would require disproportionate effort,” as the draft states. However, the company must ensure that customers are informed of the purpose and length of their data storage in a publicly accessible place.
The law would also permit companies to process “special categories of personal data” – for example to provide healthcare, a medical diagnosis or to evaluate an employee’s ability to work. In such cases, the company must take suitable precautions to protect the data by encrypting it or making it anonymous.
In “special data-processing situations,” businesses are accorded much more freedom. These includes data processing for scientific or historical research and for statistical purposes. There personal data can be used “without permission,” if the processing “is necessary and the interests of the person responsible for processing considerably outweigh the interests the person affected might have in preventing that processing.” However, the law also stipulates an obligation on behalf of data processor to take “appropriate and specific measures to protect” the interests of any affected persons.
Experts are extremely critical of the bill’s vague formulations. For Tim Wybitul, data protection attorney at Frankfurt-based law firm Hogan Lovells, the wording is “too imprecise” in many places. In Wybitul’s view, it is likely that the European Court of Justice will revoke individual provisions of Germany’s law within a few years. “Then, companies will have to make adjustments, and that will be expensive,” cautioned Mr. Wybitul. If member states would now begin adopting “overly complex new regulations” on the basis of the European directive, it would not only infringe on current law, but “it would also harm the economy,” he added.
Dietmar Neuerer is a Berlin-based politics correspondent for Handelsblatt. To contact the author: [email protected]