What does the new law regulate?
The DSAnpUG-EU is a comprehensive reform and restructuring of German data protection law. At its core is a thorough revision of the current Federal Data Protection Act (BDSG), which is intended to supplement and concretize the EU GDPR that will apply in Germany from May 2018. At 85 paragraphs, the law presented in the draft is much more comprehensive than the previous BDSG. The underlying regulation is directly applicable as a European regulation, but it is supplemented by the new BDSG. As a result, companies will have to comply with both sets of rules in the future. In addition, there are sector-specific regulations in specialized laws, which must also stay within the framework of the EU GDPR, which takes priority.
Criticism from experts and data protection authorities
The draft of the DSAnpUG-EU adopted by the Federal Cabinet is, like the previous drafts, considered in part to be contrary to European law and misguided. The draft of the new BDSG repeats many opening clauses without providing the necessary concretizing regulation. In addition, the room for maneuver granted to the member states is overstretched in some cases, creating regulations that are not covered by the opening clauses of the EU GDPR. For example, the German supervisory authorities criticize that the rights of data subjects in particular would be unduly restricted. Overall, this would jeopardize the intended harmonization of data protection law in the EU and unlawfully lower the level of data protection provided for by the EU GDPR. The many exceptions and references in the draft of the DSAnpUG-EU are said to have created an opaque thicket, especially for companies subject to German law. This would make the new data protection law considerably more difficult to apply and thus counteract the EU’s efforts to standardize and simplify data protection law for companies throughout Europe.
Finally, the draft in its current form leaves open the extent to which additional regulations are necessary with regard to the numerous sector-specific data protection provisions in Germany. Accordingly, there is a risk of an inconsistent data protection structure in Germany with partly contradictory regulations. Legal practitioners are simply overwhelmed by this situation, and the draft law creates considerable legal uncertainty.
It remains to be seen in what concrete form the draft will actually be promulgated as law after the vote in the Bundestag and Bundesrat, and whether the points of criticism raised will be taken into account. In any case, companies are advised to keep a close eye on the legislative process and to deal with the largest data protection reform in Europe now. Otherwise, as of May 25, 2018, they will face severe fines of up to EUR 20 million or 4% of the previous year’s global turnover. On March 10, the Federal Council is expected to discuss the new law.
Services of KPMG Law
Our team of highly specialized attorneys advises international and national corporations, small and medium-sized enterprises, public corporations, as well as financial investors and start-ups comprehensively in the area of information management (data protection and IT security), especially in the identification, analysis and evaluation of existing legal documentation and internal processes for handling personal data (“Privacy Impairment Check”) as well as their optimization.
In addition, we provide creative advice on the introduction of information and data management in compliance with data protection requirements, as well as on the development and market launch of products (“Privacy by Design”).
Of course, we also advise you on an ad hoc basis in internal or external investigation proceedings, e.g. following a “data loss incident” in the event of a crisis, and represent you in all official or court proceedings (legal representation). Feel free to contact us at any time about our consulting services!
© 2023 KPMG Law Rechtsanwaltsgesellschaft mbH, associated with KPMG AG Wirtschaftsprüfungsgesellschaft, a public limited company under German law and a member of the global KPMG organisation of independent member firms affiliated with KPMG International Limited, a Private English Company Limited by Guarantee. All rights reserved. For more details on the structure of KPMG’s global organisation, please visit https://home.kpmg/governance.