An English-Language Primer on Germany’s GDPR Implementation Statute: Part 2 of 5

Over the past year, the German government has been working on legislation to implement the EU’s General Data Protection Regulation (GDPR).  On July 6, 2017, Germany did so by passing a statute titled the Data Protection Amendments and Implementation Act. The Act repeals Germany’s venerated Federal Data Protection Act (Bundesdatenschutzgesetz, or BDSG) and replaces it with an entirely new BDSG, aptly referred to as the “BDSG-New.” Germany becomes the first EU Member State to pass a GDPR implementation statute. Given Germany’s reputation as one of, if not the, most serious privacy jurisdiction in the EU, the BDSG-New is a critical piece of legislation for companies with EU operations.

Alston & Bird is pleased to provide a five-part, English-language overview of BDSG-New provisions likely to be of significance to companies.

• Part 1: Overview, Drafting History, and Scope of Application
• Part 2: Re-Using Data- Secondary Uses, New Regime for Health Data, and Research and Statistical Processing
• Part 3: Within the Company – DPOs and Employee Data Rules
• Part 4: Individual Rights
• Part 5: Oversight, Sanctions, and Lawsuits

These articles are related to a summary of the BDSG-New that Daniel Felz published in Bloomberg BNA Privacy and Data Security Law, 16 PVLR 1190 – click here to read.

This second installment focuses on the BDSG-New’s provisions governing re-uses of data.  Many companies are discovering that data can be among their more valuable assets.  But data monetization and big-data solutions often rely on secondary uses of data that could not have been anticipated at the time the data was collected.

During BDSG-New drafting, one of the most intensely debated topics was the extent to which German law should permit companies to make new secondary uses of data.  German political leaders expressed hope that the BDSG-New would serve as a platform for what they described as competitive data uses.  At a 2016 IT conference, Chancellor Angela Merkel stated that the BDSG-New should “not make everything so restrictive again” such that “big data management isn’t possible after all.”  This statement, and early BDSG-New drafts which appeared to embody it, evoked resistance from Germany’s Data Protection Authorities (“DPAs”) and privacy groups.

This installment focuses on three BDSG-New provisions directed towards data re-uses: (1) BDSG-New provisions governing secondary data uses; (2) provisions governing re-use of sensitive data; and (3) provisions governing scientific research and statistical processing.

Secondary Uses of Data

Article 6 GDPR generally prohibits any secondary processing of data that is incompatible with original collection purposes – unless a Member State passes a statute regulating such secondary use.  Initially, the BDSG-New attempted to implement this exemption to permit expansive secondary uses of company-held data.  A November 2016 BDSG-New draft (in German here) would have permitted companies to make any secondary use of data that was “necessary to pursue the controller’s legitimate interests,” regardless of the effects on individual privacy.  Additionally, companies could re-use any data that was “publicly available.”  These derogations potentially permitted companies to repurpose data in any way that fit their business models, or could be accomplished via purchased data sets.  They evoked strong opposition from DPAs and privacy groups.

The final BDSG-New took a significantly more moderate approach, essentially persevering limited secondary uses already permitted under current German law.  Under § 24(1) BDSG-New, secondary processing is permitted to

1. defend against threats to state security or public safety;
2. prosecute crimes; or
3. establish, exercise, or defend against civil claims.

For most companies, only the civil-litigation exemption is likely to be of interest because of its application to US discovery.  In fact, almost any company that has processed data located in Germany in response to US litigation has already relied at least in part on existing secondary-use exemptions for litigation-related processing.

But although the litigation exemption tracks current German law and is already in use, companies should be cautious in determining that preserving, collecting, reviewing, or transferring data to the US for litigation purposes is per se permitted.  Thanks to a last-minute amendment from the German Parliament’s Committee on Internal Affairs, companies’ ability to reuse data for litigation is now limited to “civil claims” – raising questions as to how far companies can collect and review German data in response to U.S. criminal or administrative subpoenas.

Furthermore, a German DPA’s idea of the amount of data that is “necessary” to pursue or defend against US civil claims may differ from what a US judge considers necessary (although the recently-enacted proportionality requirements under Federal Rule of Civil Procedure 26 may help close the gap).  DPAs will now have substantially increased fining power under the GDPR, and can construe any not-strictly-necessary disclosure of EU residents’ data to US litigants or US government agencies as intentional privacy violations.

As a practical matter, this may require amendments to works council agreements and collaboration with works councils – a topic that will be covered in more detail in Part 3 of this Series.  Much of the data affected by litigation-related processing is likely to relate to employees.  For companies with German employees, regulating litigation-related processing in a works council agreement can provide a more robust basis for collecting and reviewing employee-related ESI in both civil and other contexts.  Such agreements may require up-front work with the Works Council, including initially communicating with ESI custodians through Works Council representatives, or obtaining signed consents and/or acknowledgements from employee custodians.  But under the GDPR’s increased fines, and given potential DPA sensitivity to US-facing disclosures, collaborating with the Works Council can be a productive and preferable alternative – otherwise companies risk dissatisfied employees placing a call to their local DPA.

Companies may also want to use this opportunity to revisit their litigation-hold and ediscovery procedures for integration into information governance and privacy compliance. Reviews of EU and German data will be expected to document that companies took all appropriate privacy-protective measures.  For example, the quantum of ESI that needs to be reviewed for relevance may be large, but only a subset may be considered “necessary” to transfer to the US to establish or defend claims.  Local Germany- (or at least EU-)based reviewers who can both (a) conduct responsiveness review and (b) redact away any non-essential personal information prior to production may become a requirement for conducting significant ESI reviews.

New Regime for Health and Medical Data

In contrast to its general secondary-use rules, the BDSG-New introduces new permissions for companies to collect and use – and re-use – individuals’ medical and health data.  Article 9 of the GDPR generally requires companies to obtain express opt-in consent from individuals in order to collect or process sensitive categories of data, such as medical or health data, genetic data, or biometric data.  But the GDPR also permits Member States to pass legislation permitting processing without consent to serve public health interests.  Many EU and Member State institutions are currently looking into ways to leverage medical data to improving medical care, pharmaceuticals, and public health.  As one example, after a lengthy consultation process, the European Medicines Agency recently started granting public access to clinical reports for new medicines.

The BDSG-New takes advantage of the GDPR’s allowances to create a number of situations where health care, medical, or pharmaceutical companies can collect, use, and re-use medical data without obtaining individuals’ prior consent.

1. Processing for Medical Treatment Purposes

Under § 22(1)(1)(b) BDSG-New, companies can process medical or health data for the following purposes without obtaining consent, so long as medical personnel – or anyone with equivalent duties of confidentiality – is responsible for the processing:

• Preventive medicine;
• Medical diagnosis;
• Providing care or treatment in the health-care or social-services fields;
• Managing systems or services in the health-care or social-services fields;
• Determining employees’ working capacity; or
• Any processing pursuant to a contract between an individual and a health professional.

This provision derives directly from Article 9(2)(h) GDPR, and fits into Germany’s ongoing efforts to digitalize its health care industry under its recently-passed eHealth Act (which is successively requiring providers to accept digital infrastructure, details in German here).  The elimination of prior-express-consent requirements is a practical fit with efforts to migrate individuals’ medical data to individual patient chip cards, which are read by care providers in treatment situations.  Medical technology vendors who can supply privacy-friendly IT infrastructure capable of maintaining the security required in point d. below may find demand for their services supported by provisions like § 22 BDSG-New.

2. Pharmaceutical and Medical Device Uses of Health Data

In addition to the above, § 22(1)(1)(c) BDSG-New permits medical or health data to be processed without prior express consent “to ensure high standards of quality” both (a) “within the health care industry” and (b) “for medicinal products and medical devices.”

These new permissions could be of strong interest to internationally active companies that supply the medical and care-provider industries.  As an example, medical device manufacturers – and their newer devices – may benefit from § 22(1) BDSG-New.  Newer medical devices often rely on data feedback loops between the device, care providers, and the device manufacturer, which provide data for treatment purposes as well as to monitor the device’s safety and performance.  Increasingly – including in Germany – regulators require device manufacturers to monitor devices and to promptly report qualifying incidents.  Current law can require patients to enter into detailed consents, revocable at will, permitting these uses of device-generated data.  It can be challenging for the multiple entities involved to assign controllership, manage consents, and enforcing withdrawals.  Section 22 BDSG-New would appear to move towards a more integrated regime for device-generated data that rests on a non-revocable basis, which may permit uses of device data beyond treatment – e.g. monitoring, performance improvement, and reporting – in the interest of improving public health.

3. Re-Uses and Secondary Uses of Health Data Permitted  

Importantly, § 24(2) BDSG-New specifies that the data uses permitted in points a. and b. above may conducted even if they are secondary uses that are incompatible with the purposes for which health data were initially collected.  This may mean that health care, pharmaceutical, and device companies holding German data can use their existing data to start.

4. The Requirement: Strong Security and Privacy Controls

The BDSG-New’s “deal” for companies holding health data under the new regime is that prior express consent is no longer required for the above-described uses – but in exchange, companies must implement “suitable and specific” safeguards for the data.  These safeguards must be appropriate in light of “the state of the art,” along with “the costs implementation” and “the likelihood and potential harm of risks associated with the processing.”  Section 22(2) BDSG-New sets forth 10 potential safeguards that DPAs will likely expect to see in place, including (a) internal policies regulating secondary uses; (b) employee training; (c) appointing a Data Protection Officer (DPO); (d) access controls; (e) logging and monitoring; (f) encryption and/or pseudonymization; and (g) periodic security self-audits.

Also, § 22(2) BDSG-New shades closer to treating health data as a “critical asset.”  Back in 2015, Germany passed a cybersecurity statute designating health care as a critical industry, and requiring providers large enough to be considered “critical operators” to install state-of-the-art-security to ensure “the availability, integrity, authenticity and confidentiality” of their IT systems.  Within the BDSG-New, § 22(2) BDSG-New indicates that companies who hold health data should ensure the “ability, confidentiality, integrity, availability and resilience of” their relevant IT systems – as well as “the ability to rapidly restore availability and access in the event of a physical or technical incident.”  The statute seems to signal to companies that hold health data that they should install cybersecurity that, while it might not have to implement the state of the art, could be measured against the state of the art.  German DPAs have recently hired health care privacy specialists and are already indicating that GDPR violations involving sensitive data are more likely to lead to fines – more on this in Part 5 of this Series.  Section 22(2) BDSG-New’s security provisions may usher in HIPAA-like practice where data breaches involving health data create heightened sanction risks.

Scientific Research and Statistical Purposes

The GDPR contains a number of provisions that work together to permit secondary uses of data for scientific research or statistical purposes.  Stated briefly, when a company processes data for, e.g., statistical purposes, the GDPR lifts the purpose limitation that would otherwise confine the company’s ability to process the data to the purposes originally stated in the company’s privacy notice.  All other GDPR requirements for processing must still be met – e.g. the processing must have a legal basis, the data must be secure, and the data can only be retained for an appropriate time – but the “statistical” processing purpose is deemed legitimate.  Article 9(j) GDPR permits sensitive data to be re-used for scientific research or statistical purposes if Member States pass laws requiring “suitable and specific” safeguards for the data.

Section 27 BDSG-New takes advantage of this clause to permit companies to re-use sensitive data for scientific research or statistical purposes, without needing to ask for express opt-in consent, if following requirements are met:

• The envisioned processing must be “necessary to” the scientific research or statistical purposes, and the company’s interest in processing the sensitive data must “substantially” override the individual’s interest in stopping the processing;
• The company must implement “suitable and specific safeguards,” 10 of which are suggested in § 22(2) BDSG-New; and
• The sensitive data must be anonymized “as soon as this is possible according to the research or statistical purposes,” and until then, identifying information must be stored separately from the remaining data sets.

If a company meets the above requirements, the BDSG-New limits the rights that individuals can assert vis-à-vis the research and/or statistical data sets.  For example, under § 27(2) BDSG, individuals cannot assert rights of access, correction, restriction, and objection if doing so would “make the research or statistical processing impossible or seriously impair it.”

While the above may interest some companies, a word of caution is warranted.  The GDPR and BDSG-New do not confer a processing privilege upon all research, but only on scientific research.  Within Germany, corporate research and analytics are unlikely to constitute “scientific research” within the meaning of the GDPR and BDSG-New.  Germany has a tradition of requiring research to be completely independent of any corporate influence to be considered “scientific.”  Independence is generally understood as the research staff having full autonomy in determining both the object of study and the methods of inquiry, as a paradigmatic research scientist would have within her own laboratory.  While this is not impossible within a corporation, it generally removes many common corporate research interests – such as market research, business intelligence, process improvement, or product/service optimization – from the scope of privileged “scientific” research.

If anything, companies may be able to qualify corporate research or analytics as “statistical” processing, as EU privacy authorities have expressed some support for extending privileges for statistical processing to big-data analytics.  But doing so requires adhering to traditional EU guidelines for conducting statistics, such as anonymizing data (or if that is not possible, pseudonymizing data), as well as “walling off” statistics from operations, i.e. ensuring that the results of analytics cannot be used to support any decisions affecting particular individuals.  However, the BDSG-New does not itself contain the rules stating when processing qualifies as privileged “statistical” processing, and companies interested in re-using data under a statistical theory would be well advised to discuss project structure with counsel.

Conclusion

The BSG-New initially attempted to user in expansive possibilities for re-uses and/or secondary uses of company-held data.  However, most of these initial attempts did not survive the public-comment and legislative process.  In the end, most avenues for secondary uses under the BDSG-New track those already available, with the significant exception to this result being the BDSG-New’s new regime for health data.

 *                      *                      *                      *                      *

Alston & Bird and its Brussels-based EU Privacy Team is closely following GDPR implementation in the EU Member States.  For more information, contact Jim Harvey, David Keating, or Daniel Felz.