D: Modification proposal of the Federal Council of Germany on the BDSG
Category: News
By: O. Gönner - 2B Advice GmbH - the privacy benchmark
Statement of the German Federal Council regarding the Federal Government's amendment draft of the Federal Data Protection Law and Data Protection Audit Law.
The Federal Council is of the opinion that the draft amendment to the Federal Data Protection Law does not sufficiently consider the current data protection issues of commercial enterprises.
In the commentary, dated 13/02/2009, the Federal Council asked the Federal Government to considerably tighten the "draft of a law on regulating data protection audits and on amending data protection regulations", dated 01/01/2009.
1. Consumer Protection:
The objective of the Federal Council is to develop the federal data protection law as a consumer protection law. The rights of the involved parties and the transparency of data processing shall be strengthened.
2. Duties to Inform:
Based on recommendations of the Federal Council, the involved parties shall be informed by the authority responsible regarding data processing and any data recipients.
3. Expertise of the Data Protection Representative:
In addition, a higher level of expertise shall be required of the data protection representatives. After the law was amended in 2006 to accommodate the necessary expertise requirements, political discussions are now focused on extended knowledge requirements for data protection representatives. In its statement, the Federal Council recommends adequate and continued education, as well as examinations, as means of verifying expertise.
4. Technical and Organizational Security:
Regarding the technical and organizational requirements in accordance with § 9 BDSG and the corresponding addendum, the Federal Council recommends not demanding any specific measures, but instead integrating the IT security objectives of confidentiality, integrity, availability and authenticity, as well as the objectives of traceability and transparency, into the wording of the law, to accommodate the steadily changing IT demands.
5. Contract Data Processing:
The Federal Council views the segments on contract data processing as outlined in § 11 BDSG as a central problem of data protection. Citing violations in call centers as an example, the Federal Council points out that a written contract award is usually missing. As a precautionary measure, a monetary fine for missing written contract awards is demanded.
6. List Privileges:
Unlike the Federal Government, the Federal Council does not view list privileges as a central data protection problem. In fact, the Federal Council requests the continued permission of privileged list data processing. It is, however, requested that the involved party be informed prior to the first disclosure of personal data to third parties or prior to the initial utilization of data on behalf of third parties for direct advertising purposes. This gives the involved party the opportunity to contest this form of data processing. This regulation would also be in compliance with article 14 of the European Privacy Policy. In return, the Federal Council is opposed to enclosed advertisements that are used to advertise other products to existing customers.
7. Agreement:
Written agreements shall still be required, but in exceptional cases, they may be electronically requested if the responsible institution ensures that the agreement is documented and the involved parties may access its contents at all times. This regulation facilitates the agreement in electronic commerce, but precludes it altogether in telephone contact.
8. Cross-linking ban:
The Federal Council strongly endorses a complete cross-linking ban. The restriction of monopolists is not deemed sufficient by the Federal Council. Agreements for data processing therefore may not be a requirement for the conclusion of a contract in any event.
9. Rights of the Supervisory Authority:
The Federal Council justly remarks that the supervisory authorities are currently unable to prohibit illegal data processing. Only data processing in non-compliance with technical standards may be prohibited. The Federal Council aims to eliminate this deplorable state of affairs and to grant extensive prohibition rights to the supervisory authority.
