German Federal Parliament changes requirements for DPOs

18 October 2006

Dr Jan-Peter Ohrtmann

New requirements for the appointment of a Data Protection Officer

Like a few other European jurisdictions, German data protection law provides for a self-governance approach. Instead of extensive registration and authorisation obligations with the data protection authority, German data protection law relies on control by an internally or externally appointed officer. Until recently, under Section 4f of the Federal Data Protection Act (Bundesdatenschutzgesetz or BDSG), any company that employed more than four persons who were frequently engaged in working with computers was obliged to appoint a data protection officer (Datenschutzbeauftragter). Such an officer was not subject to the employer's control as regards the fulfilment of his/her data protection compliance duties.

The German Federal Parliament changed the requirements for the mandatory appointment of a data protection officer with effect from 26 August 2006. In order to reduce administration costs and ease administrative efforts for smaller companies, the Federal Parliament raised the limit from four to at least nine employees, who must be frequently engaged in working with computers.
At first sight, this change makes it easier for smaller companies and international companies with small offices or subsidiaries in Germany. But there remain risks: historically, the concept of relying on a data protection officer proved to be effective. It ensured that one person in the company took responsibility for data protection compliance. Even if no data protection officer needs to be appointed, companies still must be compliant, e.g. must keep an internal index of all data processing procedures, must take adequate technical and organisational measures, etc. Thus, the change in legislation increases the risk of non-compliance and consequently of sanctions.

In practice, the impact of the change will be limited. A high percentage of workplaces are equipped with electronic devices in order to process personal data. Thus, most employees will count as employees under Section 4f BDSG. Consequently, only very small companies and establishments will be released from the obligation to appoint a data protection officer.

New planned Act for online services

The amendment of the Federal Data Protection Act is most likely to be followed by another, far-reaching change in German privacy law. On 14 June 2006 the Federal government decided to introduce an Act ("Gesetz zur Vereinheitlichung von Vorschriften über bestimmte elektronische Informations- und Kommunikationsdienste") redefining privacy provisions for online services (so-called telemedia services or "Telemediendienste").

Currently, online services are subject to federal and state privacy law depending on the type of service provided. The new Act is neutral as to the underlying technology, thus harmonising privacy provisions on a federal level. The provisions protecting the freedom of the press will remain in state legislation, in a treaty between the different States (so-called Staatsvertrag für Rundfunk und Telemedien).

The important principles of the current legislation remain unchanged in the draft Act. However, some significant changes are suggested:

  1. In order to combat the increasing cases of misuse and fraud, the draft Act contains a clause allowing the provider to collect and store user data for the purpose of enforcing legitimate rights when the provider has good grounds to assume that the user intends to avoid paying applicable fees (so-called "eBay clause", Section 15 para. 8 draft Act). Further, according to Section 14 para. 2 of the draft Act, the provider must grant competent authorities in individual cases access to personal data of the users for the purposes of criminal prosecution.

  2. In addition, the draft Act provides for increased protection against spam. Senders of advertising email (which is essentially all commercial communication) must clearly display the commercial nature of the email in the subject field and in the header of the email (cf. Section 6 para. 2 draft Act). Offenders can be fined up to €50,000 per mailing under Sections 16 para. 1, 3 of the draft Act.

Privacy interest groups strongly oppose the draft Act, in particular because providers are entitled to store more personal data on the users. At present it is unclear whether the draft Act will be modified in the legislative process. However, it is likely that the draft Act, with any amendment, will be enacted and become effective on federal and state level in 2007.