Verena Grentzenberg, Lucas Blum and Luca Sawatzki | Privacy Matters | DLA Piper Data Protection and Privacy | DLA Piper
https://privacymatters.dlapiper.com/author/lucas-blum/
DLA Piper's Global Privacy and Data Protection Resource
Wed, 07 May 2025 11:40:36 +0000

Germany: New government plans to centralize data protection supervision and reduce regulation for small and medium-sized companies
https://privacymatters.dlapiper.com/2025/04/germany-new-government-plans-to-centralize-data-protection-supervision-and-reduce-regulation-for-small-and-medium-sized-companies/
Mon, 14 Apr 2025 08:52:20 +0000

On April 9, 2025, the coalition agreement of the future German Federal Government, consisting of the three German parties CDU, CSU and SPD, was published. The document entitled “Responsibility for Germany” contains several plans, including some that may fundamentally change the German data protection supervisory authority structure and that aim to ease the regulatory burden for small and medium-sized companies.

Central data protection supervision and new role of the Data Protection Conference  

The future government is planning to reform the structure of the data protection supervisory authorities in Germany. Responsibilities and competencies for the private sector are to be bundled into the Federal Commissioner for Data Protection and Information Security (“BfDI”). Currently, Germany does not have one central supervisory authority for data protection law but rather an authority in each of the sixteen German federal states (Länder), each competent for the public and the private sector in its respective state. In addition, there are different supervisory authorities for private broadcasters as well as for public broadcasters. Currently, the BfDI is only competent for the federal public sector and a limited number of private sectors, such as telecommunications.

This change in structure would lead to considerable relief, particularly for companies or groups of companies with headquarters outside Germany or outside the EEA. If the BfDI becomes the responsible authority for the private sector as a whole, there will no longer be any uncertainty as to which national supervisory authority to work with. This is particularly relevant if a company or group of companies has several branches in Germany. Controllers and processors would only have to cooperate with one national supervisory authority and the contact details of the data protection officer would only have to be communicated to the BfDI. In addition, controllers without a lead supervisory authority will no longer be required to report data security breaches to all of the various German supervisory authorities. Currently, controllers without an establishment in the EU have to notify the authorities in those federal states where the affected data subjects live. In the future, instead of notifying up to 16 different authorities, they would only have to notify one authority, just like in other EU countries.

In addition, the new structure could provide greater legal certainty for both controllers and processors, as currently, each German supervisory authority may interpret the legal requirements differently and pursue varying priorities, for example with regard to enforcement.

However, it remains unclear how this structural reform can be implemented in a legally secure manner. The coexistence of different responsibilities of the federal government and the federal states is an expression of federal structures and thus of the federal state principle safeguarded by the German constitution (the German Basic Law, Grundgesetz).

In addition, the Data Protection Conference (“DSK”), in which all German supervisory authorities are represented, is to be anchored in the Federal Data Protection Act (“BDSG”). In contrast to the current situation, it is to be given the task of creating binding data protection standards. This can ensure that a uniform approach is created, particularly in areas of cooperation between the private and public sectors. At the same time, there is a risk that even non-practical and very dogmatic opinions of this very diverse body will become binding in the future.

Better use of GDPR leeway

The coalition partners also want to make better use of the leeway provided by the GDPR. This means that where the GDPR provides opening clauses for national legislators, new rules shall be created to relieve the burden on small and medium-sized enterprises as well as for the processing of personal data of and by employees as well as volunteers. Such leeway exists in the GDPR under Art. 23 GDPR, among others. According to Art. 23 (1) GDPR, the extensive transparency obligations under Art. 13, 14 and Art. 15 GDPR could be reduced to an appropriate level for small and medium-sized enterprises. However, no concrete plans have been agreed on yet.

Introduction of the retention of data relating to the civil identity and associated IP addresses

A proposal on data retention (Vorratsdatenspeicherung), which is currently suspended in Germany, has also caused a stir. Specifically, a proportionate three-month retention period for IP addresses and port numbers is to be introduced, in line with European and constitutional requirements, to be able to assign them to the owner of the connection. In this context, the Federal Police is to be authorized to carry out source telecommunication surveillance to combat serious crimes.

As recently as April 30, 2024, the ECJ ruled in Case C-470/21 that data retention is not by itself contrary to European law. However, it remains to be seen whether the future German Federal Government will succeed in finding a regulation that upholds the fundamental rights to respect for family life and the protection of personal data (Art. 7 and Art. 8 of the Charter of Fundamental Rights of the European Union).

Actual effects

The actual effects of the measures set out are not yet foreseeable. First, the measures set out for the reform of data protection are very vague. Second, the coalition agreement itself is not a binding document. The implementation of the intended measures depends largely on the political framework conditions. Several years may pass before the reforms envisaged in a coalition agreement are implemented in law.

Germany: Judgment on Non-Material Damages for Loss of Control over Personal Data
https://privacymatters.dlapiper.com/2024/11/germany-judgment-on-non-material-damages-for-loss-of-control-over-personal-data/
Tue, 19 Nov 2024 16:44:34 +0000

On November 18, 2024, the German Federal Court of Justice (Bundesgerichtshof – “BGH”) handed down a (to date unpublished) judgment under the case number VI ZR 10/24 regarding claims for non-material damages pursuant to Art. 82 GDPR, due to the loss of control over personal data.

The judgment is based on a personal data breach at Facebook. In April 2021, data from over 500 million users was made public on the internet. This data was collected by unknown third parties using scraping.

In the course of this incident, the plaintiff’s data (user ID, first and last name, place of work and gender) was published on the internet. The plaintiff argues that Facebook did not take sufficient and appropriate measures to protect his personal data and is essentially seeking non-material damages for the anger and loss of control over his personal data.

After the plaintiff was awarded an amount of EUR 250 in the first instance instead of the requested minimum of EUR 1,000, he lost in the appeal instance. The court of appeal stated that the mere loss of control is not sufficient for the assumption of non-material damage within the meaning of Art. 82 (1) GDPR. Furthermore, the plaintiff had not sufficiently substantiated that he had been psychologically affected beyond the loss of control.

The appeal to the BGH was partially successful. The BGH is of the opinion that even the mere and brief loss of control over personal data as a result of an infringement of the GDPR could constitute non-material damages within the meaning of Art. 82 (1) GDPR. There is no need for the data to be misused in a specific way to the detriment of the data subject or for there to be any other additional noticeable negative consequences. For the specific case, the BGH has not decided on a particular amount of damages but considers EUR 100 to be reasonable in view of the underlying circumstances. However, in general it remains the plaintiff’s obligation to present and prove the conditions that are prerequisites for his claims.

The BGH has now referred the case back to the court of appeal for a new hearing and decision.

This judgment is important insofar as the BGH has taken a position on a legal issue – non-material damages for loss of control over personal data and its amount – that has been controversial and inconsistently handled to date. Back on October 31, 2024, the BGH determined the procedure for the Leading Decision Procedure in accordance with Section 552b of the German Code of Civil Procedure (Zivilprozessordnung – “ZPO”). In such procedures, the BGH can decide legal issues that are relevant to the outcome of a large number of proceedings and thus provide guidance for the courts of lower instance. However, leading decisions are not formally binding. Nevertheless, the BGH judgment sends a signal, as the BGH considers the loss of personal data to be low in relation to the amount of damages.

An update to this post will be made once the judgment is publicly available.
