German Parliament voted ‘Yes’ on new Data Protection Act to implement the GDPR

Yesterday, the German Parliament (Bundestag) passed a new Data Protection Act (Datenschutz-Anpassungs-und-Umsetzungsgesetz EU – DSAnpUG-EU; the Act), despite major criticism. The Act is available online in German here.

The Act shall adjust the current German data protection laws with the requirements of the General Data Protection Regulation (GDPR), and replace the current Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG).

Scope of the Act

The GDPR will come into force 25 May 2018. It will harmonize the current patchwork of European data protection approaches and have direct effect in all EU Member States.

However, some opening clauses contained in the GDPR allow the national legislators to further specify its application. The Act makes use of the GDPR opening clauses. It includes provisions on:

  • Rights of data subjects
  • Data protection officers
  • Data processing in the employment context
  • Exceptions for processing special categories of personal data
  • Administrative fines
  • Representation of the German data protection authorities in the European Data Protection Board
  • Right of action of data protection authorities against adequacy decisions of the European Commission

Major criticism

The Act has previously gained major criticism. Just a week ago, the European Commission noted that it is not yet satisfied with the Act, and that there is a risk of undermining the harmonisation achieved by the GDPR. The European Commission criticises, in particular, that the Act excessively limits the rights of the data subjects.

Developments in other countries

Germany is the first country to adopt a national legislative act implementing the GDPR. Thus, it seems likely that other EU Member States will follow the German approach. Recently, the drafts of the Dutch and Polish implementation acts have also become publicly available. The Polish implementation act lowers the parental consent age to 13 years (unlike the Act which did not make use of the related opening clause in the GDPR). Thus, there will no harmonization in this regard.

Next steps

The Act is subject to approval by the German Federal Council (Bundesrat), which is expected to vote on the Act 12 May 2017. The Act shall enter into force 25 May 2018. We will come back with an in-depth review of the new provisions of the Act on the Technology Law Dispatch soon.

Companies that want to get ready for the new data protection regime should focus not only on the GDPR, but also on the national laws that will be introduced within the next year, as well as the updated ePrivacy Regulation. There are only 392 days left!

More GDPR questions answered: new guidelines on DPIAs

Although considered burdensome by some, data protection impact assessments (DPIAs) help controllers assess any data protection implications of their processing operations, with the added benefit of demonstrating compliance with the EU General Data Protection Regulation (GDPR). The Article 29 Working Party (WP29) recently published Guidelines on DPIAs and on determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679 (Guidelines) to assist controllers in implementing DPIAs. The Guidelines explain not only what should be included in DPIAs but also, importantly, how they can be used effectively. Rather than defining DPIAs, the GDPR states they are required in “high risk” situations and thus the Guidelines explain ‘high risk’ and specify, to the extent possible, the circumstances in which DPIAs are mandatory. Although the Guidelines do not provide a complete picture of how DPIAs will work in practice, several key questions have been addressed.

What does a DPIA entail?

While the form and structure of DPIAs are flexible so as to suit a variety of controller practices, they must, at a minimum, include:

  • a description of the envisaged processing and the purposes of the processing;
  • an assessment of the necessity and proportionality of the processing in relation to the purpose;
  • an assessment of risks posed to data subjects’ rights and freedoms; and
  • measures envisaged to address these risks and to demonstrate GDPR compliance.

The WP29 envisages sector-specific DPIA frameworks being developed and implemented at a later date.

When is a DPIA needed?

A DPIA is mandatory if the processing operation is “likely to result in a high risk to the rights and freedoms of natural persons”. A DPIA must be carried out prior to the processing in order to assess risk.

As well as providing a list of situations where DPIAs will be relevant, the Guidelines provide a non-exhaustive list of processing criteria to consider, and confirm that the occurrence of usually two criteria (but sometimes only one) could give rise to the requirement for a DPIA. The list includes:

  • evaluation or scoring (including profiling and predicting);
  • systematic monitoring of data subjects;
  • large-scale processing; and/or
  • matching or combining types of data.

The Guidelines recommend that where it is unclear whether a DPIA is required, controllers should act with caution and carry out a DPIA regardless. They also include a list of circumstances where a DPIA is not required, as well as a detailed checklist of “criteria for an acceptable DPIA”.

What happens next?

Next steps are dependent on the outcome of a DPIA. Where a DPIA identifies risks that cannot be sufficiently mitigated by the controller, the controller must consult the supervisory authority. It is recommended that DPIAs are published once completed (although this is not compulsory). Looking further ahead, while the WP29 envisages that DPIAs are carried out continuously, revisiting them every three years is recommended even if a processing operation has not changed substantially.

Why should controllers act now?

As this requirement will apply to many processing operations after 25 May 2018, the WP29 advises that DPIAs are carried out prior to this date. An organisation’s failure to comply with any aspect of the DPIA requirement could result in administrative fines of up to €10 million or up to 2 per cent of its total worldwide annual turnover for the preceding financial year, whichever is the higher.

Importance of State AGs in Privacy in the United States – Interview of CT AG George Jepsen by Professor Danielle Citron at IAPP Privacy Bar Section Forum

Notwithstanding potential changes to privacy regulation at the federal level, state attorneys general (AGs) will continue to be robust and influential privacy policymakers and enforcers in the United States – that was the key takeaway of an interview by University of Maryland Law Professor Danielle Citron of Connecticut Attorney General George Jepsen at the IAPP Privacy Bar Section Forum today in Washington, D.C.


Citron’s scholarship has focused on privacy and the key role of the states, culminating in a law review article, THE PRIVACY POLICYMAKING OF STATE ATTORNEYS GENERAL, published this past December in the Notre Dame Law Review. She interviewed Jepsen, and many other AGs, for her article, and the two discussed her findings and recommendations to a sold-out crowd of the IAPP Privacy Bar Section.  Continue Reading

Data Privacy and Security Legal Reform, and Plaintiffs’ Bar White Paper the Focus of IAPP Panel

A panel on legal reform in the area of privacy and data security at this week’s IAPP Summit provided an opportunity for a discussion between businesses and regulators, as well as for the launch of a white paper on the activities of the plaintiffs’ bar in this area that Reed Smith prepared for the U.S. Chamber Institute for Legal Reform (ILR).

The panel, “Lessons in Liability: The US Privacy Landscape and Proposals for Reform,” featured Tanya Madison, Chief Privacy Counsel at TD Bank; Howard Beales, Professor of Strategic Management and Public Policy at the George Washington School of Business, and former Director of the Bureau of Consumer Protection at the Federal Trade Commission; and Oriana Senatore, Vice President of Policy & Research at the U.S. Chamber of Commerce Institute for Legal Reform.

Continue Reading

Germany’s approach against criminal content on social networks faces resistance by stakeholders

On 5 April 2017, the German Federal Minister of Justice’s new bill aimed at improving enforcement of rights in social networks (Entwurf eines Gesetzes zur Verbesserung der Rechtsdurchsetzung in sozialen Netzwerken; Netzwerkdurchsetzungsgesetz – NetzDG, the Bill; see our previous blog) has, in a slightly revised version, been adopted by the Federal Cabinet (Bundeskabinett) and is now ready for discussion by the German Parliament.

As we reported earlier, a number of concerns surrounding the Bill were raised after its announcement. Now, as an immediate response to the Federal Cabinet’s adoption of the Bill, a number of stakeholders – including industry associations, net activists, lawyers and journalists – have formed an alliance to oppose the Bill. The alliance has issued a joint ‘Declaration on Freedom of Expression’ (Declaration), which is available in the English language here.

  • The Declaration emphasizes the essential role of the freedom of expression, which is a fundamental right under Article 5(1) of the German Constitution (Grundgesetz).
  • Notwithstanding this, the Declaration acknowledges that it is important to effectively sanction criminal and illegal content.
  • The Declaration stresses that each individual’s fundamental right of freedom of expression shall not be affected by the existence of unlawful or criminal content being dealt with, which shall in particular be the case in relation to content which is in a gray area. The Bill would create a risk that social networks would, in order to avoid any exposure to fines under the Bill, decide to utilize a “fall-back” position, i.e. to delete content in cases of doubt.
  • In the view of the signatories to the Declaration, the Bill does not meet the requirements necessary to adequately protect the freedom of expression, and the government should instead pursue a comprehensive political strategy to curb the proliferation of hate speech and fake news on the internet.

We expect a highly heated debate in the German Parliament, and, at the same time, an equally animated discussion in political, financial and legal circles.

‘Once in a generation’ legislative changes: the ICO’s strategy for GDPR challenges

Information Commissioner Elizabeth Denham has recently given some valuable insights into the Information Commissioner’s Office’s (ICO) General Data Protection Regulation (“GDPR”) strategy. Addressing the House of Lords EU Home Affairs Sub-Committee, she made clear that numerous pressures face the ICO as a result of the substantial workload created by the GDPR.

Commissioner Denham emphasised that the approach of the UK to data protection must be global. This goes beyond adjusting to the European landscape after Brexit. The ICO has been meeting with international data protection authorities in Asia, and has plans to meet the U.S. Federal Trade Commission during 2017. Denham stated that “data knows no borders”, making it important for countries to work together to achieve cohesive international data protection rights. The growing prevalence of data transfers within multinational companies makes international data regulation a key point of interest for data protection authorities.

Despite the ICO being one of the world’s largest regulators, the GDPR presents it with a number of challenges. The ICO’s plans for readiness include recruiting 200 additional staff within the next three years, and formulating a new funding model. The ICO has historically relied on the data controller registration fee to fund its work; however, the GDPR will remove this requirement, cutting off a vital revenue stream.

One of the ICO’s key roles is to educate controllers and the general public. The regulator will continue to develop and release new guidance in the run up to the GDPR coming into force, and will also provide valuable insights into the UK’s regime post-Brexit. Look out for our future posts for helpful summaries of ICO guidance.

Man vs. machine: the ICO provides guidance on use of Big Data

As the European data protection framework evolves, big data remains a hot topic. Often, what makes up these large data sets is personal data, so it has clear data protection implications.

The Information Commissioner’s Office (“ICO”) has therefore issued guidance on “Big data, artificial intelligence, machine learning and data protection.” This recent guidance provides helpful emphasis on accountability, transparency and how to evidence compliance with the General Data Protection Regulation (“GDPR”), which is due to come into effect from 25 May 2018. The ICO’s guidance explains the ways that accountability can be evidenced by organisations (such as, through documentation, algorithms, ethics, etc.).

Continue Reading

State Attorneys General Gather to Discuss Privacy Enforcement

A panel at a meeting of the National Association of Attorneys General highlighted data breaches and privacy in the context of new technology, signalling that state regulators are focused on consumer protection in this area.

The panel at the Southern Regional Meeting in Charlottesville on April 4 was devoted to emerging technologies, privacy concerns, and how attorneys general should respond. The panel featured senior enforcement officials from the Texas, Virginia, and South Carolina attorneys general offices. Representatives of attorneys general offices in nine attended the discussion, including the attorneys general of the District of Columbia, Mississippi, New Jersey, Tennessee, and Virginia. Virginia Attorney General Mark Herring moderated the panel.

Common themes on the panel included data breach and data use, as well as how attorneys general may use state unfair and deceptive acts and practices (“UDAP”) laws to regulate not only practices expressly mentioned in state laws, but also privacy practices that are broadly unfair or deceptive. New trends that the panelists identified as emerging consumer privacy exposures included connective devices, self-driving cars, and “always-on technology.”

The panel continues the trend of state attorneys general focusing on privacy and consumer protection. While federal privacy enforcement may currently be in flux, especially with the status of Federal Trade Commission leadership undetermined, states will step in as strong regulators – and businesses must be ready for it.

Panel Photo Herring

Germany updates competition rules to deal with digital markets

The upcoming ninth amendment of the German Act against Restraints of Competition (Gesetz gegen Wettbewerbsbeschränkungen, ARC), which has already been approved by the German Federal Parliament (Bundestag) and the German Federal Council (Bundesrat), is expected to enter into force shortly. The new law is tailored to adapt German competition law to the specific features of digital markets, for instance, when assessing the market power of digital platforms. The traditional turnover-based concepts proved inadequate in capturing the relevance of these businesses in the market, in particular in the light of commercially exploiting big data. The growing relevance of big data, with consumers nowadays “paying” for the services digital platforms provide “free” of charge, has created the need to refine the ARC. Read more on our sister blog Global Regulatory Enforcement Law Blog.

Defamation and Data Protection: a twin-barrelled approach to claims against publishers

In the recent case of Prince Moulay Hicham v Elaph Publishing Limited, the Court of Appeal held in a unanimous decision that a claimant could include an action under the UK Data Protection Act 1998 (‘DPA’) as an alternative means of redress.

To read our full client alert in relation to this judgment, please click here