German Privacy Legislation: What American Firms Need To Know

by Michael D. Sarlo, EnCE, RCA, CBE, CCLO, CCPA

International privacy laws have been an unwieldy beast for years now, and only continue to evolve at a faster pace as time goes on. One of the greatest examples of this perpetual shift can be found in Germany, where lawmakers are poised to make several relatively massive changes.

American law firms and corporations that do business in Germany will need to comply with several pieces of data protection and privacy legislation. All of them are relatively young, but two in particular should be on everyone’s radar:

  • Bundesdatenschutzgesetz (BDSG): Also known as the Federal Data Protection Act, this is the national law of the land, and it was just revised in April.
  • E.U. General Data Protection Regulation (GDPR): Another relatively new set of rules, at least in this form. All E.U. member states will need to comply with it, and Germany is an active party in scaling up the regulations involved.

Let’s break down each of these matters and their implications through the perspective of American-based corporations and law firms.


Photo courtesy of jkbeitz.

BDSG – The big headache

In an article published on Lexology, Hogan Lovells explained that the four-decade-old BDSG has been replaced by the new set of rules passed by the German Parliament in April. The firm stated that this is somewhat of a controversial bill because of how complex and arguably convoluted some of the statutes are, as well as the fact that it apparently goes beyond the boundaries of the GDPR.

Hogan Lovells stressed the fact that the GDPR cannot be trumped by the BDSG, as courts in the nation are already obligated to favor the former should opposing statutes come into play. This is another way in which the BDSG is giving corporations and law firms both within Germany and outside of it some major headaches.

In terms of the major points that will impact firms, Hogan Lovells pointed toward certain highlights such as maximum fines of €20 million or up to 4 percent of annual revenues for certain violations, much more complex documentation obligations, and far heavier breach notification standards. Additionally, any entity that processes personal data will be obligated to place a greater emphasis on crime monitoring and proven compliance with the laws, while also abiding by rules specific to certain types of information, such as surveillance-related data, the firm noted.

One thing is abundantly clear – any law firm or corporation that intends to do business in Germany will need to ensure it is managing the full scope of compliance demands covering people, processes, and technology immediately. Timing-wise, the BDSG should be the highest priority in the short term.

E.U. GDPR – 1 year warning

First, remember here that German courts – as well as all courts in E.U. member states – are obligated to follow GDPR above all else, with a few notable exceptions. In some situations, the GDPR actually demands that individual countries write their own statutes. Pinsent Masons LLP’s Stephan Appt noted that one example is information related to staff members, which member states will govern autonomously.

You can bet that Germany will likely have some of the harshest ones of all, especially considering some of the BDSG’s components on the topic. For example, the BDSG notes that employees can seek reparations for financial damages caused by privacy failures.

However, there are plenty of components of the GDPR that will supersede BDSG and other state statutes in instances of conflicting standards. Because the GDPR kicks in on May 18th, 2018, now is a good time to get moving on policy overhauls and adjustments to strategies to ensure all activities in Germany are within the guidelines of law.

Appt actually argued that the BDSG, at its heart, is really meant to supplement the GDPR, filling in the aforementioned blanks. So, some of the main points in the former that will need to be covered as soon as possible – though with the deadline being one year from next Thursday – include the following:

  • Data transfers going from an E.U. member state to a nation on the outside need to be looked at carefully to make sure that no laws are being broken. Notably, this can vary from corporation to corporation depending on pre-existing contractual clauses with employees, how their data is currently stored at a jurisdictional level, and how individual states within Germany look at data privacy and enforcement. Statutes related to how data processing is carried out between the data controller, the data processor, and the individual whose data is being processed will also play a major role.
  • Individuals have far more legal protections over their own personal data rights, including a right to review their data, Appt noted.
  • Many businesses will need to bring aboard data protection officers to function within E.U. member states. Appt pointed out here that “businesses whose ‘core activities’ consist of data processing” will absolutely be expected to have such officials on hand.

A year might seem like a long time, but it will almost certainly come quickly as regulatory overhauls tend to do. Considering the scope of the regulations and their complexity, make sure your organization is taking proactive steps today.

Complying with all requirements

One important matter to remember is that the E.U./Swiss-U.S. Privacy Shield agreement, which replaced Safe Harbor, is already in effect. Though more focused on eCommerce-related matters, it does contain statutes related to the collection, storage, and sharing of sensitive information between the U.S. and Europe. Make sure that, if your firm is covered by this regulation, it has adequately aligned policies with the statutes therein.

Germany is one of the greatest economic powerhouses in the world, and is also a battleground for competing law firms and corporations from the U.S. As such, any firm doing business there needs to make compliance a top priority. As mentioned above, the BDSG – though complex and somewhat controversial – is in effect right now, and must be followed.

As those statutes are clarified and become a bit more solid, the GDPR will be coming into effect. Because a large portion of compliance is going to depend upon technologies – most specifically data security, processing, and governance tools – a firm that feels like a fish out of water should always seek out support from expert vendors and service providers.

Do not allow these new statutes to fly under the radar any longer – strive toward compliance today.

Michael D. Sarlo is HAYSTACKID’s Vice President of eDiscovery & Digital Forensics
