Plans for stricter data protection in Germany

28 November 2013

Dr Fabian Niemann, Oliver Zöll

The anticipated new German government yesterday issued a paper on its plans for the next legislative period. It contains data protection initiatives which are so far only mentioned in general terms without details, but which, if indeed implemented, will lead to stricter, industry-unfriendly data protection law in Germany. It is therefore important for the industry to evaluate the plans and to explain to the German government the negative economic effects of these plans.

After the September elections for the German Federal Parliament (Bundestag), the German conservative parties (CDU/CSU) and the German labor party (SPD) have now decided to form a government and on 27 November 2013 agreed on a so-called "coalition agreement" which sets out their plans for the next legislative period. The paper contains a number of plans relating to data protection. Against the background of the NSA/Snowden affair it is not surprising that most of the initiatives advocate stricter data protection and may have an adverse effect on the industry in general and on the IT, communications and internet industry in particular.

The most important items are:

Planned new EU General Data Protection Regulation
Germany shall support a uniform EU data protection standard, in particular by promoting a fast finalization of the EU General Data Protection Regulation, which is planned to come into force in 2014 and which, being directly applicable in all EU Member States, will to a great extent replace the existing national laws on data protection. The coalition agreement states that the German government shall support an increase of the data protection standards in the ongoing discussions between the European institutions on the finalization of the new General Data Protection Regulation, to ensure that the often higher current German standards are met. Whether this means that the German government would rather further postpone the adoption of the Regulation in order to push through a stricter standard than other Member States may lobby for in the Council of the European Union remains to be seen.

Employee Data Protection Law
The coalition agreement reinforces the often announced commitment of the German government to pass a specific bill on employee data protection (if the topic is not sufficiently covered at the European level). However, there is no concrete timeframe, and given the long history of this highly disputed topic, we do not assume that this will be implemented in the very near future. Nevertheless, it is important for German companies to closely monitor the topic, as it may potentially lead to substantial obstacles and costs for German-based companies.

Consequences of the NSA affair / obligations to communications providers
Expressly referring to the "NSA affair", the coalition agreement states that the German government shall oblige European communications providers (i) to encrypt their communication data at least within the EU, and (ii) not to disclose the data at all to foreign secret and intelligence services. The paper does not explain how the German government could impose this obligation not only on German but on European providers; this is probably a drafting error. Nevertheless, it is a clear signal and should be seen in connection with recent initiatives of German politicians and data protection authorities to establish a German or European communication infrastructure which is disconnected as far as possible from non-EU countries, in particular the US.

Information requirements for international transfers
Germany shall push for a Europe-wide information duty for companies which transfer personal data from the EU to countries outside the European Economic Area without the express consent of the individual. Obviously, this would create a considerable administrative burden and would hardly be realizable in all cases in practice.

Safe Harbor and SWIFT
Germany will urge the European Union to renegotiate the Safe Harbor and SWIFT agreements with the US.

Liability of IT manufacturers and service providers
Not only IT service providers which may process personal data, but even manufacturers of IT infrastructure and products shall be made liable for data protection and IT security breaches related to their products or services. There are no details in the coalition paper, but the potential impact is obvious.

Privacy by Design and Privacy by Default
The use of these approaches shall be further increased.

Anonymization, pseudonymization and data minimization
Binding rules shall be established which lead to consistent anonymization, pseudonymization and data minimization wherever possible.

EU Directive on Data Retention (Vorratsdatenspeicherung)
Germany still has not implemented Directive 2006/24/EC; previous implementations have been annulled by the German Constitutional Court. The coalition has now agreed to try (again) to implement the Directive.

IT security
Generally, the German government shall promote IT security and establish binding minimum requirements for it, in particular for internet and cloud infrastructures, combined with a strategy against cybercrime. As far as Federal Government Agencies are concerned, they shall be obliged to spend ten percent of their IT budget on security systems. If this is implemented, it may possibly become a market standard in Germany and also be required from other companies by their customers (which may have a substantial impact on IT spending).

Although not very concrete, there are many points in the paper which are obviously very relevant for many, if not all, companies. The issues should be addressed in time to avoid industry-unfriendly legislation.