The European Union’s (EU) General Data Protection Regulation (GDPR) is scheduled to take effect on May 25, 2018, and was created to promote greater harmonization of data protection laws across the EU member states. While the GDPR generally preempts similar laws in EU member states, it leaves room for member states to create some of their own rules in very narrow categories or in areas where the GDPR does not reach.
On April 27, 2017, Germany became the first EU member state to pass a new data protection act (German Act) to assist its implementation of the GDPR. The German Act will become effective on May 25, 2018, at the same time as the GDPR. The German Act is intended to align pre-existing German data protection law with the GDPR and applies to fill in gaps in the GDPR where (1) a data controller or processor administers personal data in Germany; (2) personal data is processed in the context of a German-based establishment of a controller or processor; or (3) a controller or processor does not have an establishment in the EU or European Economic Area, but is otherwise subject to the GDPR. The German Act, however, raises concerns that its detailed provisions potentially exceed the scope permitted under the GDPR.
For example, while the GDPR only provides the opportunity to impose fines on companies for violations of the GDPR, the German Act also gives the option to impose fines on individuals, such as managers and employees. Additionally, the German Act requires each company with ten or more employees involved in the automated processing of personal data to appoint a data protection officer, while the GDPR requires the appointment only by public bodies or organizations that systematically monitor individuals or process sensitive information on a large scale, as part of their core activities.
Germany’s actions have introduced a great deal of confusion to conversations regarding implementation of the GDPR, and it is rumored that the European Commission objects to a number of the German Act’s provisions. This presents a problem for the EU’s harmonization goal, and the speed at which Germany introduced its legislation may influence other member states to do the same. However, critics of Germany’s legislation may convince other member states to wait for guidance from the European Commission and keep their privacy regulations as slim as possible in order to best comply with the GDPR.
The current climate suggests that many EU member states will wait to see how the European Commission reacts to the German Act before instituting their own laws to implement the GDPR. If you have any questions about how the new German Act or the GDPR may affect your business or about the GDPR in general, contact Norbert Kugele, Nathan Steed or your attorney at Warner Norcross & Judd.