New German Federal Data Protection Act Passed by German Parliament; Provisions Could Conflict with GDPR Undermining Uniformity
On 27 April 2017 the German Parliament passed the new Federal Data Protection Act (the Bundesdatenschutzgesetz or “new BDSG”) which from 25 May 2018 will replace the current German Data Protection Act. The new BDSG adapts German law in line with the EU’s new General Data Protection Regulation (the “GDPR”). The GDPR has direct effect in EU members states, but it allows member states to pass legislation which supplements the GDPR but is consistent with it.
Some of the provisions in the new BDSG simply mirror the equivalent GDPR provision. For example, like the GDPR, the new BDSG allows data subjects to claim non-pecuniary damages.
However, the new BDSG also contains a number of provisions which are additional to or divergent from GDPR requirements including, for example:
- Retaining most of the provisions concerning the protection of employee data that are found in the old German Data Protection Act.
- Having a number of specific provisions regarding the processing of personal data in specific circumstances such as video surveillance.
The new BDSG and EU law
The new BDSG has been criticised for being overly complex. It is also possible that the new BDSG exceeds the scope set by the GDPR which may lead the European Commission to start infringement procedures against Germany. Equally concerning is the possibility that German courts may refuse to apply the new BDSG where it conflicts with EU law. This could increase legal uncertainty at a time when many companies are seeking clarity to help them design and implement GDPR compliance programs.