Data protection has recently featured prominently in the German press. Headlines such as “Thieves nicked 17 million T-Mobile customer records” and “Gigantic data leak” are not confined to the tabloid press; they reflect a national and international phenomenon: the deliberate or unintentional mishandling of personal data. The media attention given to data protection breaches has sparked public interest in data protection issues. Lobbyists as well as politicians are demanding a tightening of data protection laws. Although there are strong arguments that the existing data protection laws are sufficient, the German legislator has already taken specific steps to amend the law. The most important legislative projects are summarised below.
Credit reference agencies (Auskunfteien) and scoring
In October 2008, the government introduced a bill into the German Bundestag to amend the Federal Data Protection Act in respect of credit reference agencies and scoring.
The draft bill introduces requirements regarding the transmission of both positive and negative data to credit reference agencies, as well as the calculation and use of (credit) scores in decisions regarding the initiation, realisation or termination of a contractual relationship. Such scores are intended to indicate the trustworthiness and creditworthiness of an individual in a particular situation. The score is calculated from an analysis of the individual's personal data (e.g. credit report information) combined with relevant statistical data.
Notably, the draft bill provides that the scoring entity is obliged to communicate to the person concerned the basic facts and considerations on which it bases its scoring calculation. If this proposed provision becomes law, it opens the door to manipulation of the scoring. The resulting danger is that the scoring entity would be prevented from effectively evaluating its risks, even though it is obliged by law to carry out a risk assessment by means of scoring.
Data protection audits
In February 2009, the government introduced a bill into the German Bundestag concerning a Data Protection Audit Act (Datenschutzauditgesetz). Under the proposed Act, data controllers, as well as providers of data processing systems and programmes (information technology facilities), may have their data protection concepts and information technology facilities, respectively, assessed and checked in order to obtain a "Data Protection Audit Seal".
However, the specific requirements regarding the content and scope of the data protection audit are still outstanding. The draft bill does not set out any such requirements; instead it provides that the "Guidelines for the Improvement of Data Protection and Data Security", which are to determine the requirements, will be prepared by a Data Protection Audit Committee. This Committee has not yet been established; it is to consist of twelve representatives from public authorities and six representatives from private companies and their associations.
Whether the stated objective of the Data Protection Audit Act, namely to create transparency and economic incentives for the improvement of data protection and data security, can be achieved with the proposed Act is questionable. The draft does not grant audited companies any specific privileges. A competitive advantage is therefore conceivable, if at all, only if the Data Protection Audit Seal itself comes to be recognised as a mark of quality.
Further changes to data protection law
The draft introducing the Data Protection Audit Act also proposes further changes to German data protection law. These changes include:
- the introduction of an obligation to report data leaks concerning specified categories of personal data in certain circumstances;
- the strengthening of the position of data protection officials in companies by means of an increased protection against dismissal;
- an increase in the level of fines for breaches of the Federal Data Protection Act. Furthermore, any fines shall be determined in such a way that they exceed the economic advantage of the breach, going beyond the scope of fines provided by the Act where necessary;
- the quasi-abolition of the so-called "list privilege". Under current legislation, certain types of personal data compiled in lists can be used (and transferred) for advertising as well as market and opinion research purposes without the consent of the data subjects (including the sale of addresses). The draft intends to introduce a general requirement to obtain the data subjects’ prior, explicit and written consent. However, following discussions on the pre-draft by different economic groups, the draft now contains some exemptions to this general requirement, in particular concerning the use of personal data by the data controller:
  - if such use is required for advertising or for market or opinion research purposes, provided that the advertising or the market or opinion research is directed at self-employed persons at their business address;
  - if such use is required for the data controller's own advertising or for its own market or opinion research purposes, provided that the data controller collected the data directly from the data subject; and
  - in connection with a contractual relationship between the data controller and the data subject.
Other demands by interest groups or politicians did not, however, find their way into the current legislative projects. The call for a general obligation to reveal the origin of personal data, for instance, remained unanswered.
Even if it is not yet clear to what extent the legislative proposals will be implemented in German law, or whether the proposed changes are really required or even beneficial for enhancing data protection, it is apparent that data protection will increase in importance in the future. Companies can profit from the increased public awareness of data protection if they succeed in using data protection as a marketing tool.