Germany's Federal Commissioner for Data Protection and Freedom of Information issues Progress Report

The Federal Commissioner Ulrich Kelber has released a Progress Report for 2017 to 2018, covering a wide range of data protection issues. Whilst generally positive about progress made in the first year of the GDPR's application, the Commissioner has criticized the inaction of the legislature in some cases, as well as suggesting a moratorium on additional security laws.

The Commissioner singled out several areas where the federal legislator has failed to substantiate the often nebulous requirements of the GDPR. The report was especially critical in the area of the data protection of employees, arguing that an Employee Data Protection Act is needed as a matter of urgency to regulate, inter alia, data protection in the application process, the use of employee health data, whistleblowing, the private use of company communication tools (and vice versa) and the use of surveillance systems in the workplace.

Furthermore, a lack of legal basis for proper oversight and sanctioning of the intelligence community by the Federal Commission was sharply criticized by the report, with an explicit recommendation that the legislature provide the Commissioner with powers to oversee and sanction the intelligence community. The current system of relying on individuals to enforce claims against the intelligence services results in very limited legal protection in practice.

"Data sovereignity"

Attempts by the current government to further develop a concept of "data sovereignty" were discussed at some length by Commissioner Kelber, who reserved particular criticism for a suggestion by the Ministry for Economic Affairs to amalgamate personal data into a form of central identity database, whereby a data subject would be able to control their personal data from a single point. The Commissioner suggested that this would not only pose a cybersecurity risk, but could also be incompatible with constitutional law.

Automobile Sector and i.a. autonomous driving: guidance by the Federal Commissioner?

Naturally, data protection in the automobile sector, as a cornerstone of German industry, was also examined in detail. Against the backdrop of significant developments in autonomous driving technology, the Commissioner gave some guidelines on potential data protection issues in this area. The underlying GDPR principles of Privacy by Design and Privacy by Default will play an important role in the automotive sector in the future, especially with car-to-car communication becoming the norm as autonomous driving is phased in. The creation of driver movement profiles based on such data must be prevented, making sure that only such data is transferred as is necessary to prevent accidents and serve the legitimate aims pursued by such technologies. Cyber security will also be an area of vital importance for the industry moving forward, with the Commissioner drawing on the example of the obligations on the energy sector with respect to digitalization as a model for future developments in the field.

Commissioner: low crime statistics will not support further security law making

Finally and most controversially, the Federal Commissioner has suggested a moratorium on passing of new security laws. He views the growing number of security laws as standing in stark contrast to the continuing reduction in crime statistics year upon year. The extension of additional powers for security services is not necessary where they have yet to exhaust those competencies which are already available to them. Instead, focus should be placed on deficiencies in technology and a lack of staff, rather than providing ever more competencies to the security Services.

If you have any questions regarding this topic, please feel free to contact Dr Axel von Walter and Sam Cross, LL.M.