German Parliament Passes New Federal Data Protection Act in Preparation for GDPR

The German Parliament has passed a new Federal Data Protection Act (FDPA) intended to adapt current German data protection laws to align with the EU General Data Protection Regulation (GDPR).

Under the GDPR, Member States have some flexibility in passing local laws to further specify the GDPR’s application. Germany is the first to do so, and more EU Member States are expected to follow in its footsteps soon.

Key Provisions:
The FDPA seeks to preserve certain aspects of its predecessor (which has been in place for over 40 years) regarding the protection of employee data. Key provisions include:

Next Steps:
Some authorities and other outlets have criticized the law as exceeding the scope of the GDPR and the goals of harmonization. It is therefore possible that the EU Commission could pursue infringement proceedings, but this remains speculation at this point.

The FDPA will be subject to approval by the German Federal Council before final adoption. If approved, it will come into force the same day as the GDPR, 25 May 2018. It is quickly becoming apparent that while harmonization is the goal of the GDPR, there are still going to be some local variations among Member States. Therefore, companies will need to focus not only on the GDPR itself, but also on national law, as they prepare their compliance efforts.