May 32017

New German Federal Data Protection Act Passed by German Parliament; Provisions Could Conflict with GDPR Undermining Uniformity

William RM Long and Thomas Fearon
, , ,

On 27 April 2017 the German Parliament passed the new Federal Data Protection Act (the Bundesdatenschutzgesetz or “new BDSG”) which from 25 May 2018 will replace the current German Data Protection Act. The new BDSG adapts German law in line with the EU’s new General Data Protection Regulation (the “GDPR”). The GDPR has direct effect in EU members states, but it allows member states to pass legislation which supplements the GDPR but is consistent with it.

Key provisions

Some of the provisions in the new BDSG simply mirror the equivalent GDPR provision. For example, like the GDPR, the new BDSG allows data subjects to claim non-pecuniary damages.

However, the new BDSG also contains a number of provisions which are additional to or divergent from GDPR requirements including, for example:

  • Retaining most of the provisions concerning the protection of employee data that are found in the old German Data Protection Act.
  • Having a number of specific provisions regarding the processing of personal data in specific circumstances such as video surveillance.

The new BDSG and EU law

The new BDSG has been criticised for being overly complex. It is also possible that the new BDSG exceeds the scope set by the GDPR which may lead the European Commission to start infringement procedures against Germany. Equally concerning is the possibility that German courts may refuse to apply the new BDSG where it conflicts with EU law. This could increase legal uncertainty at a time when many companies are seeking clarity to help them design and implement GDPR compliance programs.

William RM Long

London

wlong@sidley.com

Thomas Fearon

tfearon@sidley.com

You might also like
UK Sets Out It’s “Pro-Innovation” Approach To AI Regulation

On 29 March 2023, the UK’s Department for Science Innovation and Technology (“DSIT”) published its long awaited White Paper on its “pro-innovation approach to AI regulation” (the “White Paper”), along with a corresponding impact assessment. The White Paper builds on the “proportionate, light touch and forward-looking” approach to AI regulation set out in the policy paper published in July 2022. Importantly, the UK has decided to take a different approach to regulating AI compared to the EU, opting for a decentralised sector-specific approach, with no new legislation expected at this time. Instead, the UK will regulate AI primarily through sector-specific, principles based guidance and existing laws, with an emphasis on an agile and innovation-friendly approach. This is in significant contrast to the EU’s proposed AI Act which is a standalone piece of horizontal legislation regulating all AI systems, irrespective of industry.

How the China Personal Information Protection Law Applies to Foreign Asset Managers

Since China’s Personal Information Protection Law (PIPL) came into effect in November 2021, there has been widespread uncertainty amongst offshore fund managers and investors with entities outside Mainland China as to how and whether the regime applies to them. Given the potential for foreign asset managers to overlook or misinterpret PIPL, this brief update outlines some guidance as to how PIPL can apply, and to whom, in a practical context.

EU Moving Closer to an AI Act – Key Areas of Impact for Life Sciences/MedTech Companies

The European Union is moving closer to adopting the first major legislation to horizontally regulate artificial intelligence. Today, the European Parliament (Parliament) reached a provisional agreement on its internal position on the draft Artificial Intelligence Regulation (AI Act). The text will be adopted by Parliament committees in the coming weeks and by the Parliament plenary in June. The plenary adoption will trigger the next legislative step of trilogue negotiations with the European Council to agree on a final text. Once adopted, according to the text, the AI Act will become applicable 24 months after its entry into force (or 36 months according to the Council’s position), which is currently expected in the second half of 2025, at the earliest.