Bundestag resolves new Federal Data Protection Act

On April 27, 2017, the Bundestag passed the Data Protection Adjustment and Implementation Act EU. It was only on the previous day that the Committee of Internal Affairs had forwarded its recommendation for the resolution to the Bundestag, which included several amendments to the original February draft. The law still requires the consent of the Federal Council, which is expected to discuss it on May 12, 2017. [Update: The Federal Council has adopted the draft on May 12, 2017.] A key part of the law is a complete revision of the Federal Data Protection Act (Federal Data Protection Act-new).

The EU General Data Protection Regulation ("GDPR") will be directly applicable in Germany from May 25, 2018. As European law, the GDPR will take precedence over national German regulations. With the Data Protection Adjustment and Implementation Act EU, the Bundestag is taking the first step towards adapting existing German law to the GDPR and making provisions for opening clauses in the GDPR for its own national regulations. The following provisions are particularly important for companies:

• Companies must be able to prove compliance with data protection requirements (“accountability”).
• High fines of up to EUR 20 million or 4% of annual global revenue may be imposed, depending on which amount is higher. Violations only affecting German law will be punishable with fines up to EUR 50,000. The provisions are further complicated by the fact that data subjects may also claim immaterial damages (damages for pain and suffering), which is new.
• The duty to appoint a data protection officer remains obligatory for companies with more than nine employees.
• Information and disclosure duties will be less strict for companies processing primarily analog data.
• Employee data protection was regulated much more comprehensively than in today's Section 32 Federal Data Protection Act. The legislature remained, however, largely within the framework that had already developed through literature and jurisdiction up to the current law.

The specific rules and their interactions with the GDPR and other national laws are still to be examined in detail. We will soon present the key items in a special edition of the IT Ticker.

The new Federal Data Protection Act also governs the organization and competence of the national supervisory authority and the representation of the German supervisory authorities in European bodies. The Federal Commissioner for Data Protection and the Freedom of Information criticized in a first statement that the restriction of its powers of control, for example with regard to the Federal Intelligence Service, is unconstitutional and violating European law.

In addition to the Data Protection Adjustment and Implementation Act (EU), Germany must also adapt to the GDPR all applicable national data protection regulations (for example in telemedia law, social law, etc.) until the GDPR is applicable.