Yesterday, the German Parliament (Bundestag) passed a new Data Protection Act (Datenschutz-Anpassungs-und-Umsetzungsgesetz EU – DSAnpUG-EU; the Act), despite major criticism. The Act is available online in German here.

The Act shall adjust the current German data protection laws with the requirements of the General Data Protection Regulation (GDPR), and replace the current Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG).

Scope of the Act

The GDPR will come into force 25 May 2018. It will harmonize the current patchwork of European data protection approaches and have direct effect in all EU Member States.

However, some opening clauses contained in the GDPR allow the national legislators to further specify its application. The Act makes use of the GDPR opening clauses. It includes provisions on:

  • Rights of data subjects
  • Data protection officers
  • Data processing in the employment context
  • Exceptions for processing special categories of personal data
  • Administrative fines
  • Representation of the German data protection authorities in the European Data Protection Board
  • Right of action of data protection authorities against adequacy decisions of the European Commission

Major criticism

The Act has previously gained major criticism. Just a week ago, the European Commission noted that it is not yet satisfied with the Act, and that there is a risk of undermining the harmonisation achieved by the GDPR. The European Commission criticises, in particular, that the Act excessively limits the rights of the data subjects.

Developments in other countries

Germany is the first country to adopt a national legislative act implementing the GDPR. Thus, it seems likely that other EU Member States will follow the German approach. Recently, the drafts of the Dutch and Polish implementation acts have also become publicly available. The Polish implementation act lowers the parental consent age to 13 years (unlike the Act which did not make use of the related opening clause in the GDPR). Thus, there will no harmonization in this regard.

Next steps

The Act is subject to approval by the German Federal Council (Bundesrat), which is expected to vote on the Act 12 May 2017. The Act shall enter into force 25 May 2018. We will come back with an in-depth review of the new provisions of the Act on the Technology Law Dispatch soon.

Companies that want to get ready for the new data protection regime should focus not only on the GDPR, but also on the national laws that will be introduced within the next year, as well as the updated ePrivacy Regulation. There are only 392 days left!