Data Protection: Federal Government Wants Small Changes with Big Impact

The black-red federal government has sent almost 20 pages of reform ideas for the GDPR to the EU Commission. Some of them would have far-reaching consequences.


In Brussels, intensive work is currently underway on the so-called Digital Omnibus Law: many minor amendments to legal acts are intended to tidy up regulation somewhat and relieve the economy of unnecessary obligations. The Federal Ministry of the Interior has now transmitted to Brussels what the German federal government wants from the EU Commission on data protection in this process. Two amendment ideas in particular could have major implications.

Among other things, the federal government proposes that "Recital 40" be formulated even more clearly: all legal bases for permissible data processing should be explicitly placed on an equal footing again. This applies to the consent of the data subject as well as – and this is the most relevant part in practice – the so-called "legitimate interest", which numerous providers very gladly use to collect data. The paper from the Federal Ministry of the Interior states that this is actually already intended in the GDPR – but supervisory authorities and courts have, in reality, given priority to consent over the other grounds in Article 6 of the General Data Protection Regulation. The Ministry of the Interior is aware that this seemingly small amendment idea could have massive consequences in practice – and that is exactly what it wants to achieve.

It is somewhat surprising that the Federal Ministry of the Interior, which is responsible for cybersecurity in addition to data protection, wants to change the notification obligations for leaked data, so-called data breaches: the strict 72-hour deadline is "problematic", especially on weekends, according to the BMI paper. Therefore, Berlin would prefer to stipulate "3 working days" in the General Data Protection Regulation, which under German law only excludes Sunday, as Saturday is a regular working day.

Furthermore, supervisory authorities are to be obliged to use a technical reporting channel for "Data Breach Notifications". This – and also the fact that the sometimes overlapping reporting obligations between the GDPR and the NIS2 Directive should be harmonized – is likely to meet with general approval and little resistance.

The second potentially far-reaching amendment proposal is hidden in further ideas that the BMI has sent to Brussels. These are probably no longer to be included in the omnibus act known as the Digital Omnibus, but are to be addressed during this legislative period. A proposal to amend Article 4 of the GDPR gets to the heart of the matter: the question of the extent to which pseudonymization and anonymization are to be specified more precisely.


Here, the federal government proposes two ways to clarify that anonymous data are considered exempt from the General Data Protection Regulation and do not constitute personal data. What sounds tautological is of great relevance: it is repeatedly disputed what anonymization actually means in the sense of the General Data Protection Regulation. In its binding interpretation of the GDPR, the European Court of Justice has also already introduced "relative anonymization" into the discussion, where de-anonymization would be theoretically possible with the help of additional data not available to the processor.

Further wishes from the federal government primarily concern information requests that are, from the government's perspective, potentially abusive, as well as general considerations concerning a further differentiated risk model for data processing. They also include a new obligation for manufacturers and suppliers to comply with European law regarding data protection.

Here, the BMI wants to introduce a new obligation, analogous to the AI Regulation and the Cyber Resilience Act. The government had already extensively communicated its wishes regarding the AI Regulation in a second paper.

(nen)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.