Germany's planned implementation of the EU General Data Protection Regulation is riddled with holes and illegalities, according to one of the country's leading privacy associations.

The government's interior ministry produced a new draft of the law in late November, inviting various stakeholders to provide input. According to Thilo Weichert, the former head of the data protection authority in the state of Schleswig-Holstein and a current board member of the German Data Protection Association (DVD), the government withdrew an earlier draft after pushback from the privacy community.

However, the DVD said in a submission to the government last week, the new draft is also heavily flawed. What's more, because Germany will hold federal elections sometime in the third quarter, and the implementation of the GDPR will need to be in place ahead of the EU law coming into effect in May 2018, the law will need to be finalized by mid-2017. So the current draft will almost certainly be the basis for the new law.

One of the main problems with the draft, according to the DVD, is that it provides overly broad exemptions for data subjects' right to access, as laid out in Article 15 of the GDPR. These include a security exemption, an exemption where access might hinder the purpose of the data processing, and an exemption where business secrets might be concerned.

Weichert noted that the German government was allowed to specify exemptions under Article 23 of the GDPR. However, he said: "These exemptions go much further than the exemptions in [Germany's] current data protection law. It's not proportionate. It doesn't comply with Article 8(2) of the Charter of Fundamental Rights of the European Union [which says 'everyone has the right of access to data which has been collected concerning him or her']."

There's another way in which the draft would weaken Germany's existing data protection law – it would restrict the powers of DPAs in the field of professional secrecy, for example limiting their ability to probe and sanction breaches in the legal and medical fields. "Social [service] secrecy and medical secrecy are [among] the fundamental activities of supervisory authorities," said Weichert. "If this exemption would be accepted by the Parliament, there would be a loophole for violations of privacy … This would also be a violation of the GDPR."

The former watchdog was uncertain why the draft included this loophole, but noted that the legal profession had long criticized the activities of the DPAs. "Instead of limiting the control limitation to the lawyers, they have made a draft which implies all professional secrets. I think it's idiotic and … the most dangerous regulation in this draft," he said, while conceding that Article 90 of the GDPR does allow the German government leeway on the issue of professional secrecy.

In some respects, the DVD would like the new German law to go further than required by the GDPR. For one thing, the association wants the law to wade into the area of employee privacy – something governments can do under Article 88 of the GDPR, but are not obliged to do.

"Everything in a company which has to do with digitization also has to do with surveillance of the employees, and therefore there is a need for more specific regulation," said Weichert. "There has been a big discussion in Germany for 30 years about having such regulation."

The association also wants the law to boost resourcing for the country's state-level DPAs, which will have a much heavier workload under the new regulation. Weichert pointed out that the Hamburg DPA, which has to deal with companies on the scale of Google and Facebook, only has around 15 staff members. "It must double or even be three times as much," he said.

The DVD also complained that the draft's proposals for selecting which of the regional DPAs would represent Germany on the new European Data Protection Board (Germany is unique among EU countries in the number of its DPAs) were unacceptable. "The regulation foresees that the representation for the state authorities in the [board] is elected by the Bundesrat. That's a political body… which has no understanding of what is necessary and who is the best privacy representative," Weichert complained.

A couple of the DVD's points relate to the BfDI, Germany's federal commissioner for data protection and freedom of information, which is supposed to monitor the federal government, including the intelligence services, and critical infrastructure enterprises such as telecommunications companies.

For one thing, the group is unhappy with the draft's proposed procedures for appointing the commissioner. Article 53 of the GDPR says data protection authorities must be appointed in a transparent fashion, but the draft German law would allow the process to take place in secret. "Also, there are criteria for the nomination of the person which are not in line with the GDPR, such as asking for a minimum age of 35 or [mandating] that the person be a lawyer," said Weichert.

Weichert also complained that the draft would deny the BfDI the ability to issue sanctions over telecommunications surveillance by the German intelligence services. Instead, this would remain the exclusive domain of the Bundestag's small G10 commission.

"Our argument is that there is no possibility to differentiate between telecommunications surveillance on the one side and other surveillance by intelligence services on the other side. We ask that the BfDI is responsible for the whole spectrum of data protection," said Weichert. This would create some overlap between the federal privacy regulator and the parliamentary committee's oversight, but Weichert said it was "necessary to have double control" because the G10 commission does not deal with fundamental privacy rights and also does not have the staff to deal with technical security issues, unlike the BfDI.

In a statement, the BfDI also criticized the draft, but for its exemptions in the area of professional secrecy rather than its intelligence oversight implications. The commissioner's office said the exemptions would "make BfDI's control in many sensitive areas, for example in health insurance funds, job centers or other social services providers … almost impossible." The BfDI said this was unacceptable and "contrary to European law."

Also on the subject of security, the DVD said it strongly opposed a move by the government to increase the use of video surveillance in public areas, combined with facial recognition software, under the justification of increased security. According to Weichert, a DVD board member and the former head of the DPA of the state of Schleswig-Holstein, this would be neither constitutional nor in line with the GDPR because the security criteria "dominate" the balancing act of proportionality.

Tobias Plate, a spokesman for the interior ministry, confirmed that the draft law was currently being discussed. However, he said: "We do not, as a matter of principle, comment on the detailed contents that may or may not be addressed by a piece of legislation at a stage of the process where the exact contents are still being negotiated."

Weichert said his association had a "small hope" that other ministries – particularly justice and consumer protection – would push back against the interior ministry. However, given the speed with which this law will need to be sorted out, "we are not sure about it."

Given that Germany's implementation of the GDPR will likely be one of the first in the EU, will it serve as a model for the others? "For quite a long time German regulation has been very progressive and innovative and therefore has been a model for other countries," said Weichert. "But this time I fear there won't be any good examples by Germany for other countries in the EU. So I don’t think, or hope, that this draft will be copied by other countries."
