German Bundestag enacts New Federal Data Protection Act

German data protection law is aligned to the EU General Data Protection Regulation (GDPR). On the 27th April the German Parliament, “Bundestag”,  passed the “Data Protection Adaption and Implementation Law EU (“Datenschutz-Anpassungs- und -Umsetzungsgesetz EU” (DSAnpUG-EU)).

The law repeals national rules that are now incorporated in the GDPR, specifies the application of the GDPR in some parts and in addition implements the new data protection Directive for the police and criminal justice sector. It will replace the current Federal Data Protection Law (BDSG) completely.  It is expected that the Bundesrat – the second legislative body representing the sixteen federal states in Germany – will confirm the law on the 12th May. 

“Germany is frontrunner in adapting its data protection legislation to the EU General Data Protection Regulation” says Bitkom‘s Director for Data Protection and Security Susanne Dehmel. “The future legal framework for data processing by companies in Germany is largely set. So companies have clarity with regards to the legal data protection framework that will apply starting with the 25th of May 2018. If they have not already started they should hurry now to get their procedures adapted to the requirements of the GDPR.

Bitkom has cautioned EU member states to keep the national privacy regulations as slim as possible, to not undermine the European harmonization process. This has only partly succeeded, as German legislators stick to some former privacy rules. Problematic is that the BDSG-new adds some new burdens e.g. to the rules on data processing in the employment context.

The national law provides some specific restrictions on the rights of data subjects which are however neglectable. The simultaneous specification of the GDPR and implementation of the Directive, as well as the creation of data protection rules for non-EU areas, such as intelligence services, have also made the German law very complex and difficult to read. It also concretizes processing rules for specific categories of personal data, such as health data.”

The changes in the area of data protection law are not completely finished with the expected coming adoption in the Bundesrat. Bitkom points out that in the coming legislature period several special laws and regulations on data protection still have to be adapted. In Brussels, the e-privacy Regulation is also currently negotiated, which should contain additional rules for electronic communications data.