D: No Data Protection Audit Act - list privilege with restrictions shall continue to apply

The Internal Affairs Committee reaches a compromise for amendments to the Data Protection Act - Data Protection Audit initially as pilot only

According to a German Federal Parliament report, the Internal Affairs Committee "has given the go-ahead for the much discussed amendment of data protection regulations. With the CDU/CSU and SPD coalition factions' votes, the Committee approved a corresponding Federal Government draft bill (16/12011) in a version amended by the coalition factions on Wednesday morning. Accordingly, the forwarding of personal data, such as addresses, shall be permitted with the customer's prior consent, whereby the relevant passage, for example in the wording of a contract, shall be clearly emphasized. Lists of data, such as name, occupation, address, year of birth or title, may be forwarded without permission, provided that the parties concerned are informed of the source of the information. This shall enable them to effectively object to their personal data being forwarded or used by others. The Government's draft bill had originally intended that the use of personal data for advertising purposes or for market and public opinion research should only ever be permitted in future with the express consent of the parties concerned. Instead, self-marketing using a company's own customer information gained from a contractual relationship shall still be possible.
Furthermore, data security shall be increased by enforcing regulations on encryption using anonymization and pseudonymization procedures. Additionally, the intention is to strengthen the position of the in-house data protection officers for whom extensive employment protection regulations shall be provided. Moreover, in the case of a breach of the data protection regulations, the regulatory agencies shall in future not only initiate penalty proceedings, but also have the authority to order the party concerned to cease committing the violation. The penalties for violations against data protection regulations shall also be considerably increased, whereby the possibility of confiscating profits shall also be provided for in such cases. The originally planned regulations for the introduction of a Data Protection Audit have however been canceled. Upon the coalition's request, an initial three-year pilot project for one business sector should be introduced."
Even if the list privilege restrictions do not seriously affect the companies involved as feared in respect of the Federal Government draft bill, companies should still be prepared for numerous and major amendments. The higher penalties and the possibility of profits being confiscated lead to increased risks for the companies. The necessity for using pseudonymous and anonymous data may help companies to use information without encroaching upon the data protection rights of those concerned. Companies may pseudonymize and anonymize data in order to reduce the costs of data protection. In such cases, appropriate counseling can result in immediate cost savings.

Even if the list privilege restrictions do not seriously affect the companies involved as originally feared in respect of the Federal Government draft bill (dated 2/18/2009), companies should still be prepared for numerous and major amendments. The higher penalties and the possibility of profits being confiscated lead to increased risks for the companies, should the legal provisions be violated. The use of pseudonymous and anonymous data is recognized as a "good practice" for using information without encroaching upon the data protection rights of those concerned. Companies should therefore focus more intensely on pseudonymizing and anonymizing data in order to eliminate the risk of costly data protection violations, if possible from the outset. In such cases, appropriate counseling can result in immediate cost savings.