Key data protection points for the trilogue on the General Data Protection Regulation

Conference of the Data Protection Commissioners of the Federal Government and the Federal States (Länder)

I. Preliminary remarks

After the Justice and Home Affairs Council adopted its position on the General Data Protec- tion Regulation on 15 June 2015, since late June the European Commission, Parliament and Council have been discussing their positions on the Regulation in what is known as the trilogue, with the aim of reaching an overall agreement and adopting the legally relevant act by the end of 2015.

Since the Commission presented its proposals in January 2012, the conference of Germany’s data protection commissioners of the Federation and of the Länder has repeatedly made public its position on data protection reform. It presented its opinion on the entire package on 11 June 2012 and on individual aspects of the data protection reform in a series of resolu- tions and opinions.1 From the beginning, the conference supported the Commission’s aim of building “a modern, strong, consistent and comprehensive data protection framework for the European Union”,2 all the more so as the Commission explicitly focused on individuals’ fundamental right to privacy, which the reform is intended to serve.

This is why it is extraordinarily important for the conference of federal and state data pro- tection commissioners that the General Data Protection Regulation should ensure better or at least the same level of protection of fundamental rights as current law, which is largely determined by Directive 95/46/EC. The reform of European data protection law must abso- lutely not result in a lower level of data protection than is currently in place. The conference emphasizes that the fundamental principles of data protection based on Article 8 of the EU Charter of Fundamental Rights and Article 16(1) of the Treaty on the Functioning of the Eu- ropean Union (TFEU) should therefore not be open to discussion. There are still no specific requirements governing high-risk data processing, such as profiling or with regard to video surveillance. And the Regulation still allows data to be processed for advertising purposes without the data subjects’ consent. Precisely in this era of Big Data and global data pro- cessing, the autonomy of the individual, the transparency and lawfulness of data processing, purpose limitation and the accountability of controllers are just as important for safeguard- ing fundamental rights as strong supervision of data protection and effective sanctions.

These issues and others addressed in the following are the most important points which the conference of federal and state data protection commissioners believe the participants in the trilogue should especially concentrate on.

For ease of use, this paper is oriented on the structure of the current drafts of the General Data Protection Regulation.

II. The individual proposals 1. The scope of the General Data Protection Regulation

a. The household exemption must not be expanded!

The Council has expanded the household exemption in Article 2(2)(d) of the Regulation by crossing out the words “without any gainful interest” and “exclusively” in the Commission’s proposal.

The Council’s proposal is formulated in a way that would exempt a substantial part of the processing of personal data by natural persons from the scope of data protection law even if the fundamental data protection rights of third parties were significantly infringed upon. As formulated by the Council, even if the processing for personal or household purposes repre- sented only a minor purpose when considering the whole, it would still fall under the house- hold exemption and would therefore no longer be subject to data protection law. Users of a social network or operators of a private website would be exempt from the law, even if they published large amounts of personal data without restriction on the Internet, as long as they declared they were doing so (also) for personal or household purposes. Such expansion would be unacceptable. Nor can the intention to make a profit serve as a criterion for apply- ing data protection law, because the degree to which data processing interferes in privacy does not depend on the profit motive. Expanding the household exemption too far would conflict with the fundamental right to privacy guaranteed by primary law and therefore can- not be implemented in secondary law.

Full article available at (link is external)