On February 7, 2024, the German Federal Cabinet approved a draft law (“the Draft Law”) amending the Federal Data Protection Act (“BDSG”). The Draft Law will now go to the Bundesrat (the legislative body that represents the sixteen Länder (federated states) of Germany at the federal level) for its opinion, and then to the Bundestag (the federal parliament) for discussion and, potentially, adoption.
The Draft Law aims to address the issues highlighted in the 2021 evaluation of the BDSG by the Federal Ministry of the Interior and Home Affairs by amending Parts 1 and 2 of the BDSG. Other legislative projects will address further amendments. In addition, separately from but in parallel with the changes to the BDSG, the German Federal Cabinet is also proposing changes to the Telecommunications and Telemedia Data Protection Act (“TTDSG”), which we will not cover in this blog post.
The following is a summary of the main changes the Draft Law proposes to bring to the BDSG.
- The Draft Law institutionalizes the Data Protection Conference (“DSK”), the body of independent German federal and state data protection supervisory authorities (“SAs”), in the BDSG. However, the DSK’s decisions remain legally non-binding.
- The Draft Law amends the BDSG so that companies and institutions that process personal data for scientific, historical or statistical purposes and act as joint controllers may be subject to the supervision of a single German SA, rather than of all the SAs competent for the places where the companies and institutions are located. To this end, the companies and institutions concerned should notify all the competent SAs that they are joint controllers and that they wish to be subject to the supervision of the SA in whose jurisdiction the company or institution with the highest annual turnover in the previous financial year is located.
- The Draft Law amends section 34 BDSG (which provides for data subject access rights) to clarify that business and trade secrets constitute rights and freedoms of “other persons.” According to the explanatory memorandum to the Draft Law, the amendment is intended to clarify that, within the scope of the exceptions to the right of access (Art. 15(4) GDPR), the controller itself is also covered by the protection of “other persons,” and that certain data that would otherwise have to be disclosed enjoys legal protection. Hence, the amendment would allow controllers to rely on an exception where the interest in the confidentiality of business and trade secrets outweighs the data subject’s right of access.
- Further to the judgment of the CJEU in Case C-634/21 of December 7, 2023, the Draft Law creates a new legal basis for scoring. It deletes the current section 31 BDSG on the “protection of commercial transactions with scoring and credit reports” and proposes to add a new section (provisionally numbered 37a BDSG), which would serve as an exception to the prohibition of automated decision-making under Article 22(1) GDPR. More specifically, it would allow the creation and use of scores (i.e., probability values) for the purpose of: (i) predicting certain future behavior of an individual in order to decide on the establishment, performance or termination of a contractual relationship with that individual; or (ii) predicting an individual’s ability and willingness to pay, through credit agencies. However, the exception comes with limits. In particular, the following personal data may not be used to create scores: (i) special categories of personal data; (ii) the data subject’s name or personal data from their use of social networks; (iii) information about incoming and outgoing payments to and from bank accounts; and (iv) address data. In addition, among other requirements, the creation and use of scores may not concern minors, and scores must be calculated on the basis of a scientifically recognized mathematical-statistical method.
- The Draft Law introduces a new section 40a BDSG, which is intended to enable joint controllers that are subject to the supervision of different supervisory authorities to designate a single supervisory authority that is competent for both of them. The joint controllers notify all affected supervisory authorities; the supervisory authority competent for the joint controller that generated the largest annual turnover in the financial year preceding that notification is then to be competent for both joint controllers.
***
The Covington & Burling LLP team continues to monitor developments on EU data protection laws, and we currently advise the world’s top technology companies on their most challenging regulatory and compliance issues in the EU. We are happy to assist with any queries you may have about the Draft Law amending the BDSG or other tech regulatory matters.
(This blog post was written with the contributions of Alberto Vogel.)