
Out-Law News

Data protection clarity needed says expert as German watchdogs outline reform wish list


Businesses waiting on the outcome of negotiations over new EU data protection laws would accept tougher rules than currently apply so long as they set clear and achievable requirements for compliance, an expert has said.

Munich-based IT and data protection law expert Marc L. Holtorf of Pinsent Masons, the law firm behind Out-Law.com, made the comments after data protection authorities in Germany made recommendations on what rules should be laid out in the proposed new General Data Protection Regulation. EU law makers are currently in the final stages of negotiations on the wording of the Regulation.

The recommendations were approved at a conference of Germany's federal data protection authorities and published by the data protection supervisor in the state of Hesse. The paper contained proposals on how 'personal data' should be defined under the Regulation and what the legal standard of consent should be for the lawful processing of personal data. It also addressed issues such as purpose limitation, the appointment of data protection officers and how compliance with the new regime should be supervised and enforced.

"The new Regulation is supposed to deliver a harmonised approach to data protection and enforcement across the EU and this, if it can be delivered, would be welcomed in particular by businesses that operate across national borders," Holtorf said. "However, businesses will be hopeful that negotiations between the European Commission, European Parliament and Council of Ministers on the Regulation do not lead to the use of compromise language that could complicate the Regulation and create uncertainty."

"I think most businesses would prefer clear data protection rules even if they were strict and differed from country to country in the EU over a harmonised framework that no one, perhaps not even the data protection authorities and courts, would know how to interpret," he said.

Data protection laws only apply to the processing of personal data. According to the Hesse watchdog's paper, Germany's data protection authorities want 'personal data' to be defined broadly. It said "identification numbers, location data, online identifiers, IP addresses and other specific factors should in principle be considered personal data".

Businesses should require consumers' "explicit consent" to process their personal data if they are relying on consent as a lawful basis for processing that information, the German watchdogs said. They also said companies should be banned from demanding that consumers give their consent to the processing of their personal data to gain access to services.

"Germany's data protection authorities and courts have almost always taken the view that businesses need 'opt in' consent to process personal data," Holtorf said. "However, this approach presumes that consumers are not well informed people and that there needs to be a check on business to ensure privacy."

"This approach is not reflected in other areas of EU and German law, such as unfair competition and general terms and conditions law, where the starting point of the law is that consumers making purchasing decisions, for example, are reasonably well informed, reasonably observant and circumspect people. Data protection law should reflect this too, so a requirement for 'explicit consent' would not be necessary so long as it is clear that consent is given," he said.

In their paper the German data protection authorities also warned against writing rules into the new Regulation which could give businesses the freedom to change the purposes of their processing without having to reaffirm the lawfulness of that processing.

"Given the invisibility and extent of data processing, data subjects must have confidence that their personal data are processed only for the purposes for which they were originally collected," they said.

The German authorities also outlined their desire for the Regulation to impose a requirement on many businesses and public bodies to appoint a data protection officer. They also laid out their views on how compliance with the new data protection regime should be regulated. They said they favour proposals which would see a lead authority serve as "a single point of contact for a business in the place where its main establishment is located" but said other data protection authorities in the EU should be able to step in if lead authorities fail to take action over non-compliance.

"It is necessary to create a provision allowing the member states’ supervisory authorities, if their citizens are affected, to demand that the lead authority take action and to require the European Data Protection Board to immediately conduct a review if the lead authority refuses to take such action," the German watchdogs said.

Holtorf said: "The data protection authorities fear that they will lose influence over businesses that operate in Germany but which are perhaps based elsewhere. However, even in Germany at the minute there are many different data protection authorities interpreting data protection rules in different ways and so if the 'one stop shop' mechanism can align the way data protection law is enforced then that will be welcomed by businesses."
