New rules on data protection - the data protection audit seal is coming

On December 10, 2008, the Federal Cabinet adopted a draft bill for the regulation of data protection audits and for amending data protection provisions.

The law aims to improve the level of data protection and the transparency of data processing in the non-public sector, and to strengthen citizens' ability to influence the use of their personal data. The impetus for this was the incidents that became known in the summer and again in recent days concerning the commercial trade of citizens' personal data. To this end, amendments to the Federal Data Protection Act and corresponding adjustments to the Telemedia Act and Telecommunications Act are proposed, which are intended to strengthen the influence of data subjects on the use of their personal data for advertising, market, and opinion research purposes.

The current legal framework permits the exchange of personal data between companies for advertising, market research, and opinion polling purposes, or the provision of one's own customer address lists to other companies for their advertising, all without the data subject's consent or knowledge.

This so-called "list privilege" has led to the widespread trading of citizens' personal data, and – since no consent needs to be presented – the legality of such data trading is difficult to control. The draft law therefore generally subjects the future use of personal data for advertising, market research, and opinion polling purposes to explicit consent. For this, the draft law has been strongly criticized by the business community. However, to avoid disproportionate burdens, companies are granted three years to adapt to the new situation. Furthermore, large parts of address-based advertising remain unaffected by the proposal. For instance, self-promotion using proprietary customer data collected within a contractual relationship will continue to be unrestricted. Also, the common practice of including advertisements from other companies with one's own catalogs, invoices, or packages remains unrestricted. To conduct this self-promotion more effectively, companies can enrich their customer database with additional data to better reach specific target groups. These data can continue to be purchased as before.

[Example: A mail-order company, in a spring campaign for garden furniture, wishes to specifically target those of its customers who own a garden. It acquires a file of streets where single-family homes with gardens are located and enriches – provided it has a customer "known" on that street – its dataset with the characteristic "garden owner".]

For tax-privileged donation advertising, particularly by non-profit and religious organizations, the law provides for a legal situation that corresponds to the previous one. These organizations can therefore continue to purchase data without the data subject having given consent. The rationale behind this is that non-profit organizations would otherwise only be able to obtain addresses of citizens who have consented to commercial advertising. However, it is more in line with real-world experience that even someone who has refused consent for commercial purposes would nonetheless not object to, for example, an appeal for help for disaster victims.

Advertising directed at freelancers and businesses is also treated preferentially. Here, industry-specific information is paramount; responding to advertising messages follows an economic logic, not the laws of consumption.

The future consent solution is flanked by a prohibition on tying for market-dominant companies. Companies may not make the conclusion of a contract dependent on the data subject's consent to the use of their personal data for advertising purposes if the data subject cannot reasonably access equivalent contractual services without consent.

Furthermore, the draft introduces five new penalty provisions for violations of data protection law and expands one existing penalty provision. New penalty provisions are planned, among others, for improved control of automated retrieval procedures, for inadequately commissioned data processing, and for the use of personal data despite an advertising objection.

The fine framework for formal violations increases from EUR 25,000 to EUR 50,000, and for other data protection violations, in adaptation to sector-specific regulations, from EUR 250,000 to EUR 300,000. Additionally, the possibility of skimming off the economic advantage gained by the perpetrator from the administrative offense has been introduced. For this purpose, the fine can also exceed the maximum fine framework.

[Example: A data trader generates 12 million Euros from the illegal sale of several million customer data records.]

To protect data subjects from the enormous damages resulting from data losses at companies, e.g., the loss of customer data along with credit card data, companies will be obliged in the future to inform customers quickly. This also includes bank account data and – because the loss of such data can lead to the creation of behavioral patterns – inventory, usage, and traffic data from telephone and internet use.

Finally, the position of company data protection officers has been strengthened. Their protection against dismissal is extended, and they gain a right to further training. Another component of the draft is the creation of a legally regulated, voluntary, and unbureaucratic data protection audit procedure. Companies can acquire a data protection audit seal if they join a regular data protection compliance control procedure and fulfill guidelines for improving data protection and data security. The guidelines are to be developed by a committee staffed with experts from business and administration, are intended to go beyond legal requirements, and be designed to be industry-specific.

The use of the data protection audit seal should not depend on a one-time control and award process, but rather, in analogy to the proven control system for awarding the organic seal under the Organic Farming Act, on submission to a set of rules whose observance can be continuously monitored. To ensure the control system is designed with as little bureaucracy as possible, the federal states and, in the area of postal and telecommunications services, the Federal Commissioner for Data Protection and Freedom of Information are to be granted the greatest possible flexibility to delegate tasks to private inspection bodies. Where tasks are delegated to private inspection bodies, only their supervision and particularly impactful sovereign decisions are to remain with the competent authorities.

Companies with branches in different federal states are to be controlled by only one inspection body within the framework of the data protection audit procedure. The inspection bodies also have an interest in cross-state activities without having to go through multiple approval procedures. Therefore, to achieve a nationwide uniform control system of high standards, a single accreditation by the Federal Commissioner for Data Protection and Freedom of Information, as a central federal authority equipped with sole decision-making competence, is proposed, analogous to the proven control system for awarding the organic seal.

The data protection audit procedure is intended to create market-oriented incentives for improving data protection in companies. The acquisition and effective promotional use of the data protection seal offer companies the opportunity to gain advantages with consumers and over competitors. In this way, the data protection audit raises the level of data protection within companies and, through the data protection audit seal, creates more transparency for citizens. Thus, the data protection audit combines measures for economic promotion with the advancement of data protection.

The Data Protection Audit Act comes into force on the day after its promulgation to enable the timely establishment of the control system. A data protection audit can be conducted from July 1, 2010.

Retrospective:

On September 4, 2008, a meeting was held at the Federal Ministry of the Interior with ministries and supervisory authorities from the federal government and the states responsible for data protection in the non-public sector. The aim of the discussion was to jointly explore how data protection could be more effectively implemented in the private sector. At that time, the participants largely agreed on four key points for amending the legal foundations, which are now incorporated into the presented draft law:

1. The abolition of the so-called "list privilege," i.e., the legal permission to transmit and use certain "list data" for advertising, market research, and opinion polling purposes without the data subject's consent.

2. The introduction of a prohibition on tying for market-dominant companies.

3. The expansion of penalty provisions for violations of data protection law.

4. The creation of possibilities for skimming off unlawful profits.

In addition, a data protection audit law had been announced, also in view of the data protection problems that have become known in the telecommunications industry; it is likewise included in the bill that has now been adopted.


Source: Press release of the Federal Ministry of Justice of 10.12.2008

Goldberg Rechtsanwälte

Lawyer Michael Ullrich, LL. M. (Information Law)

E-mail: m.ullrich@goldberg.de