Background: Full harmonization with opening clauses
The GDPR provides for a uniform, comprehensive and directly applicable regulation of European data protection law (“full harmonization”). At various points (in so-called opening clauses), however, it provides – not always immediately clearly – for complementary legislation by the Member States. Some examples are:
- Art. 6 para. 2 – Data processing in the public domain
- Art. 8 para. 1 – Minimum age for consent
- Art. 9 para. 2 – Permissibility of processing special personal data
- Art. 14 para. 5 – Exceptions to the obligation to provide information
- Art. 23 – Limitations to the rights of the data subject
- Art. 84 – Sanctions
- Art. 85 – Freedom of expression and information
- Art. 88 – Employee data protection
It is therefore accepted that the goal of harmonization is restricted in favor of a certain flexibility. However, national legislative competences are interpreted restrictively. The principles of the judgment of the ECJ in the case of ASNEF will be applicable on the merits, as expressed therein, inter alia, in para. 35:
Directive 95/46 contains provisions characterized by a degree of flexibility, leaving it in many cases to the Member States to regulate the details or to choose between options (see Lindqvist, paragraph 83). It is thus important to distinguish between national measures providing for additional conditions modifying the scope of a principle contained in Art. 7 of Directive 95/46, on the one hand, and national measures that specify only one of these principles, on the other hand. The first mentioned type of national measures is prohibited. Only in the context of the second type of national measures do the Member States have discretionary powers under Art. 5 of Directive 95/46.
The DSAnpUG-EU
Against this background, the German Bundestag already passed the draft for a future Federal Data Protection Act (BDSG) on April 27, 2017, under the title “Draft law on the adaptation of data protection law to Regulation (EU) 2016/679 and the implementation of Directive (EU) 2016/680” and the abbreviation “DSAnpUG-EU” (for “Data Protection Amendment and Implementation Act EU”).
The DSAnpUG-EU is intended initially to set out common rules which only apply outside directly applicable EU law, in particular outside the GDPR. In addition, it contains special provisions for the design of the GDPR (“Part 2”) with the following regulatory focus (and clear echoes of the existing German BDSG, e.g., in the provisions on employee data protection and scoring):
- Legal basis for the processing of special data
- Admissibility requirements for processing for other purposes by public and non-public bodies and for data transfers by public bodies
- Regulation of other special processing situations
- Rules on the rights of data subjects
- Imposition of fines for violations of the GDPR.
Sections 29 and 32 et seq. on the restriction of data subjects’ rights are also worth mentioning, in addition to the special provisions for employees (Section 26), for consumer loans (Section 30) and for scoring and creditworthiness information (Section 31). Sections 41 et seq. then concern liability and sanctions, which according to the wording of the DSAnpUG-EU are not limited to companies, but can also affect natural persons.
As was to be expected, the draft of the DSAnpUG-EU has come in for criticism, namely from representatives of the EU Commission at an event organized by the Stiftung Datenschutz, as heise.de has reported:
According to the insider, the Commission is also chafing at the fact that the federal government wants to restrict the rights of the persons concerned under the ordinance to inspect data stored about them and, if necessary, have it corrected or deleted. She understands the approach of wanting to allow Industry 4.0 to do as much as possible, including with personal information. However, the “right to be forgotten” is clearly defined in the regulation. Nikolay therefore made it clear that the Commission would “continue to engage in dialog” with the German bodies, but that there was also a “risk of infringement proceedings”.
The German Bundesrat will decide on May 12, 2017 whether to approve the draft. If it does so, the law can enter into force together with the GDPR on May 25, 2018.