On August 14 and August 26, 2015, the Conference of the Data Protection Commissioners of the Federal Government and the Federal States (Länder) issued a detailed position paper (“Position Paper”) and a press release on the main issues for the trilogue negotiations on the proposed EU General Data Protection Regulation (the “Regulation”). In the Position Paper and press release, the participating German Data Protection Commissioners (“German DPAs”) request the trilogue partners to focus on the following issues:
To limit interferences with fundamental rights, the Position Paper asserts that it is essential to limit the collection of data to only what is necessary to achieve legal and legitimate purposes. The Position Paper notes that unlimited collection of data creates numerous risks for individuals, including the risk of profiling individuals based on the acquisition of data from different aspects of an individual’s life. As such, the German DPAs request that the principle of data minimization be kept in the final version of the Regulation, as opposed to the Council’s version of June 2015.
The Position Paper asserts that the individual’s consent must remain his/her expression of self-determination and autonomy with regard to the processing of his/her personal data. Contrary to the Council’s proposal – which makes unambiguous consent sufficient – the German DPAs believe that only opt-in consent should be accepted as compatible with data protection principles.
Data Subjects’ Rights
The Position Paper maintains that in order to ensure effective implementation of the data subjects’ rights, actions taken per requests must be free of charge. This view is in opposition to the Council’s approach, which only explicitly provides the absence of fees for the right of access, therefore leaving the exercise of other rights uncertain. The execution of all data protection rights should instead be encouraged by the absence of fees, according to the German DPAs.
In the Position Paper, the German DPAs suggest that purpose limitation strengthens the rights of individuals by ensuring transparency of data processing and helping to prevent data from being further processed in a way that is incompatible with the initial purposes for which the data was collected. In contrast, the Council’s approach allows the possibility to process data for reasons other than the purposes for which personal data was collected initially. The German DPAs indicate their opposition to the Council’s approach, which they believe would considerably weaken the principle of purpose limitation and put the individuals’ rights at risk.
The German DPAs consider the proposed rules on profiling in Article 20 of the Regulation to be inadequate to protect individuals effectively against the creation of personality profiles. As such, the Position Paper notes that by not making profiling itself subject to special requirements, but only to decisions based on automated processing or measure based processing, the provisions as proposed are inadequate to protect individuals. More specifically, the Council’s approach only covers a specific result of data processing, but not the essential questions relating to profiling, according to the Position Paper. In this context, the German DPAs propose that the following points be covered by the Regulation:
- an approach covering all profiling or measures based on profiling, rather than only automated decision making;
- a clear definition of the exceptions from the prohibition of profiling;
- a high-level transparency and awareness of data subjects accompanying the processing of personal data for profiling purposes; and
- the anonymization or pseudonymization of the data used to create and evaluate profiles as early as possible in the process.
Data Protection Officers
The Position Paper reiterates the importance of a concrete level of data protection in businesses and government agencies. To reach this level and create a sufficient local data protection culture, the German DPAs suggest the designation of mandatory Europe-wide data protection officers.
Cooperation among Data Protection Authorities (“DPAs”) in Europe
In the Position Paper, the German DPAs indicate their support for the so-called “one-stop shop, a consistency mechanism and a European Data Protection Board,” providing for the election of a lead DPA as a single point of contact for a business. The German DPAs, however, also ask the stakeholders involved in the trilogue to define practical rules for the model proposed, arguing that it is currently too complex for the supervisory authorities, particularly regarding time limits and administrative assistance between the DPAs.