Germany Strengthens Data Protection Act, Introduces Data Breach Notification Requirement
In July 2009, the German legislature passed various controversial amendments (the "Amendments") to the Bundesdatenschutzgesetz, Germany's Federal Data Protection Act ("BDSG" or the "Act"). While these Amendments were not as extensive as many had initially hoped or feared, a few of the Amendments will undoubtedly have an immediate impact on companies doing business in Germany.
The Amendments cover a range of privacy and business issues, including marketing use of data lists, administration of employee data, and contractual provisions in data transfer agreements. They also increase the maximum fines for violating data protection laws and grant greater powers to data protection authorities ("DPAs"). The most significant change, however, is a new requirement to provide notification for data breaches that is similar in scope to state statutes in the United States.
The BDSG prohibits the collection, processing, and use of "personal data," unless the affected individual (the "Data Subject") expressly consents to, or German law specifically authorizes, the activity. Under the BDSG, "personal data" is broadly defined as any information concerning the personal or material circumstances of a natural person. One of the widely disputed activities permitted by the BDSG is the "list privilege" exception.
Under the previous "list privilege" exception, personal data such as a person's name, address, job title, and year of birth may be used for a company's own advertising and marketing purposes and transferred to third parties (such as direct marketing companies) for similar purposes without the prior consent of the Data Subject, provided that such data is pooled in a list covering a group of people. Data Subjects are entitled to object to such activities, but they rarely do. Many privacy advocates believe that this exception allows for large volumes of personal data to be sold at relatively low prices, particularly over the internet. Accordingly, the amended BDSG requires the individual or legal person who is collecting, processing, or using personal data (the "Data Controller") to obtain consent from Data Subjects when engaging in any of these activities for the purpose of marketing or selling personal data, unless certain relatively simple conditions are met.
In recent years, Germany experienced a dramatic increase in data breaches and scandals involving the illegal trade of address lists and bank account information. In addition, some of the largest German companies in key industries, including transportation, finance, automotive, retail, and health care, have been accused of encroaching on employees' constitutional rights to privacy, e.g., by monitoring the personal data and activities of their employees. Media coverage of these developments sparked widespread public interest among politicians, trade unions, and consumers on the mishandling of personal data. Consequently, a number of legislative proposals earlier this year centered on a complete abolition of the "list privilege."
In the face of looming German federal elections, however, many lawmakers were hesitant to institute any major legislative changes. Certain interest groups also claimed that data protection limitations on direct marketing would seriously harm entire industry sectors and lead to a higher unemployment rate, which was politically unacceptable. As a compromise, the German legislature passed the Amendments to impose tighter restrictions on the commercial use of personal data while keeping the "list privilege" mostly intact. Most noteworthy among the Amendments is the introduction of a data breach notification requirement.
Data Breach Notification
Under the Amendments, Data Controllers must notify Data Subjects and DPAs of any unauthorized access or unlawful transfer of personal data, if the incident "threatens significant harm" to the rights and protected interests of the Data Subject. The Act does not specifically define "significant harm," which means that companies are given a certain amount of leeway to determine whether an unauthorized or unlawful activity meets this threshold. Nonetheless, if "significant harm" is threatened, then notification must be provided "immediately" after measures have been taken to secure the data and ensure that criminal investigations will not be adversely affected. This notice requirement is limited to a breach of certain kinds of data or data elements, such as bank or credit card information, "sensitive information," or information that is subject to professional or official confidentiality protections. The Act defines "sensitive information" as any information concerning an individual's race, ethnic origin, political opinions, religious or philosophical beliefs, membership in a trade union, health, or sex life. By contrast, in the United States, notification is typically triggered by unauthorized access or use of a Data Subject's name along with another identifying element, such as government-issued Social Security number, certain banking information, personal health information, or other personal information that can be used to commit identity theft. Thus, the Amendments require only a single trigger for notification while most U.S. state statutes require two.
The Amendments also provide guidelines for delivery of data breach notifications. For example, in cases where individual notification of an incident that affects a large number of Data Subjects is too burdensome, notice must be made via at least a half-page advertisement in at least two daily national newspapers or by other means that would provide similar exposure. This requirement is similar to the substitute notice requirements under many U.S. state statutes. Companies should carefully consider the reputational and public relations impact of making such a notification via newspaper or other media before doing so.
Although public disclosure of data breaches in Germany will probably bring to light many objectionable activities that may otherwise go unreported, the new notification requirement will add costs to companies operating in Germany or maintaining data that falls under German jurisdiction. In 2008, the average cost of a data breach in Germany was more than €2.41 million (approximately $3.5 million) per breach and €112 (approximately $165) per compromised record, which includes the average cost of notifications at €80,000 per breach or €4 per record. These figures are low relative to data breach costs in the United States because the previous BDSG did not require notification to Data Subjects or publication of data breaches. In the United States, where the majority of states require some form of data breach notification, the average cost of a data breach in 2008 was more than $6.6 million (approximately €4.5 million) per breach and $202 (approximately €137) per compromised record. These costs are expected to grow in future years, particularly in connection with the anticipated increase in data protection or privacy litigation. In general, the U.S. legal obligations and industry best practices related to a data breach—e.g., notification to individuals and state agencies, legal and reputational risk containment, and technical remediation—have proven to be more costly to businesses than other data protection and privacy safeguards required by U.S. law. Such differences between the two countries suggest that the costs associated with a data breach in Germany, at least those related to providing notification, are likely to rise under the new BDSG.
Further, it is important to note the possibility of a domino effect that Germany's data breach notification requirement may have on the European Union and its Member States. The history of data breach notification requirements in the United States began when one state, California, enacted a data breach notification law in 2003. Since then, a majority of U.S. states have followed suit, and the U.S. Congress is now considering a national breach notification statute.
While the implementation of the E.U. Directive on Data Protection by individual Member States has made the European Union one of the most highly regulated jurisdictions in the world with respect to protecting personal data, the European Union still has no general data breach notification requirement. There is evidence, however, that the European data protection landscape may be changing. The E.U. Council is in the process of amending its telecommunications directives to include an industry-specific data breach notification obligation for communication services providers. Some neighboring non-E.U. jurisdictions, such as Norway, already have laws requiring notice to DPAs of data breaches. The United Kingdom has a de facto notification law imposed through the U.K. independent data protection agency's recommendation that companies notify it of "serious" breaches, which may explain why there is ongoing debate on whether to adopt legislation and the U.K. Parliament has considered such laws but declined to pass them. These conditions, along with Germany's recent Amendments to its BDSG, suggest that E.U. Member States, or the European Union as a whole, may be moving toward a more comprehensive data breach notification regime.
Other Amendments to the BDSG include:
Protection of Employee Data. Any processing of employee data is permissible only if the processing is necessary for the administration, i.e., establishment, maintenance, or termination, of the employment relationship. For the purposes of investigating employee offenses, employee data can be collected only where (1) the data substantiates the suspicion that the employee has committed an offense in the context of employment, (2) the collection, processing, and use of the data is necessary for the investigation, and (3) the type and scope of the collection, processing, and use of the data is proportional to the employee's protected rights and the circumstances of the investigation.
Contractual Requirements for Outsourcing. If a company outsources its direct marketing to a third party, the contracting entities must enter into a written agreement concerning the processing of the personal data. This agreement must meet 10 new conditions to be valid and legally enforceable. These conditions include, for example, scope, purpose, security measures, obligations, subcontracting rights, return or disposal of data, and the requirement to audit the third party. Failure to conclude such a contract exposes each of the parties to a potential fine. Practitioners believe that DPAs are likely to enforce this provision quite vigilantly because (1) the German public consistently expresses concern about direct marketing activities in Germany, and (2) DPAs can quickly determine whether parties are in compliance with this requirement.
Protection of the Data Protection Officer. A company's internal data protection officer ("DPO"), who ensures the company's compliance with Germany's data protection laws and acts as a contact person for employees on privacy matters, may be dismissed only for cause. This special protection extends until one year after the end of employee's term as the company's DPO, unless management has "important grounds" for terminating the DPO. Companies must also permit and finance the continued education and training of their DPOs on data protection matters. A natural, though probably unintended, consequence of this new provision is that many companies will invariably prefer an external DPO over an internal DPO. External DPOs are specifically permitted under the Act and are less cumbersome to remove.
Increased Power of DPAs. DPAs can order companies to remediate compliance, technical, or organizational failures relating to the collection, processing, and use of personal data. Depending on the circumstances of the violation, they can also implement special data processing procedures or prohibit companies from collecting, processing, or using personal data.
Stricter Punishments. The maximum fine for failure to comply with data protection laws is now €50,000 (previously €25,000) for ordinary offenses, e.g., failing to appoint a DPO, encrypt a data transfer, or ensure that a third-party service provider meets the technical or organizational measures prescribed by the Act, and €300,000 (previously €250,000) for serious offenses, e.g., accessing, collecting, or processing data that is not publicly available, processing or using data beyond the scope of their authorized purpose, or failing to inform Data Subjects of a breach that may cause them "significant harm." Moreover, if the Data Controller made profits that exceed €50,000 or €300,000, respectively, by violating data protection rules, then the authorities may raise the fine proportionally.
These revisions became effective September 1, 2009, although data collected prior to this date for marketing purposes will be subject to a transition period under which the previous rules are effective until August 31, 2012.
Europe, like the United States and other countries around the world, may be developing a trend for adopting data protection laws that include a general obligation to notify government agencies, individuals, or both of the unauthorized access or use of personal data. The Amendments reflect a growing awareness of data protection issues among the European public and the potential for increased enforcement of data protection laws by European DPAs. For example, in September 2009, nearly 25,000 people took to the streets of Berlin to demand better protection of personal data, and Germany's new coalition government—which will be formed by the end of October 2009—has declared that it intends to pass legislation specifically concerning data protection for employees and in the workplace. These activities suggest that any infringement of data protection rules will become riskier.
To ensure compliance with the Amendments and likely future legislation in the European Union, companies should at minimum:
- Establish standard policies and operating procedures for data breach investigations, remediations, and notifications related to personal data, which include data beyond that which would trigger notification under U.S. law;
- Assess and restructure the use or transfer of data lists and other personal data; and
- Review and consider renegotiating service, employment, and other data-related contracts.
In making these changes, companies may want to take advantage of the opportunity to evaluate their overall data protection practices and consider implementing a more holistic approach to data protection compliance that anticipates subsequent legislation in this area. To avoid business risks, including fines, audits, and reputational damage associated with legal noncompliance, companies must properly focus their compliance efforts. Companies should consult with legal counsel for assistance in handling these matters.
For further information, please contact your principal Firm representative or one of the lawyers listed below. General email messages may be sent using our "Contact Us" form, which can be found at www.jonesday.com.
Mauricio F. Paez
Jones Day publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our "Contact Us" form, which can be found on our web site at www.jonesday.com. The mailing of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship. The views set forth herein are the personal views of the author and do not necessarily reflect those of the Firm.
 Bundesdatenschutzgesetz [Federal Data Protection Act], Dec. 20, 1990, BGBl. I at 2954, as amended.
 "Data breach" is a generic term encompassing any event that results in the compromise of the security or integrity of personal data.
 In the United States, 45 states, the District of Columbia, Puerto Rico, and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal information, although the triggers for and the recipients of any notification vary on a state-by-state basis. States with no data breach notification law are Alabama, Kentucky, Mississippi, New Mexico, and South Dakota. State Security Breach Notification Laws, National Conference of State Legislatures, available at http://www.ncsl.org/IssuesResearch/TelecommunicationsInformationTechnology/SecurityBreachNotificationLaws/tabid/13489/Default.aspx (all web sites herein last visited October 20, 2009).
 "Collection" means the acquisition of data on the Data Subject. BDSG § 3 para. 3.
 "Processing" means the storage, modification, transfer, blocking, and erasure of personal data. BDSG § 3 para. 4.
6] "Use" means any utilization of personal data other than processing. BDSG § 3 para. 5.
 BDSG § 4 para. 1.
 BDSG § 3 para. 1. By contrast, like many other U.S. states, California more narrowly defines "personal information" as a prescribed combination of specific categories of data:
'personal information' means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
(1) Social Security number.
(2) Driver's license number or California Identification Card number.
(3) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
(4) Medical information.
(5) Health insurance information.
California Computer Security Breach Notification Act, Cal. Civ. Code Ann. § 1798.82(e) (2009).
 BDSG § 28 para. 3 (previous version). It is legal to transfer or use personal data for purposes of marketing and advertisement if the data, compiled in lists or otherwise combined, concern members of a group of persons and are restricted to:
- the Data Subject's membership of this group of persons,
- occupation or type of business,
- academic degrees,
- year of birth,
and if there is no reason to assume that the Data Subject has a legitimate interest in his data being excluded from transfer. Id.
 BDSG §§ 6 para. 1, 28 para. 4.
 Jochen Lehmann, Amendments to Federal Data Protection Law: Analysis, Cecile Park Publ'g, Aug. 2009.
 Similar to the E.U. Data Protection Directive, see infra note 34, the BDSG defines "Data Controller" broadly to refer to any person or body collecting, processing, or using personal data on his or her own behalf or commissioning others to do the same. BDSG § 3 para. 7.
 BDSG § 28 para. 3.
 Consent is not required if the data is necessary for: (1) marketing the Data Controller's own goods and services; (2) advertising in a business context, e.g., for professional services; and (3) advertising for charitable donations. Aggregated personal data, e.g., data lists, can also be transferred without consent if (1) both the sender and the recipient keep records of the transfer for two years, and (2) the advertisement clearly identifies the original collector of the data. BDSG § 28 para. 3, § 34 para. 1a.
 Privacy and Data Protection Law: European Developments, Ernst & Young, July 2009. For example, Deutsche Telekom lost personal data for about 17 million T-Mobile Germany customers in the spring of 2006 when thieves got their hands on a storage device containing personal data, such as names, addresses, cell phone numbers, birth dates, and email addresses (including some for high-profile German citizens). T-Mobile Germany said it has taken multiple steps to shore up its security since the breach, including tighter restrictions on who has access to information, more complex passwords, and increased monitoring of security systems. "T-Mobile Lost 17 Million Subscribers' Personal Data," Information Week, October 6, 2008, available at http://www.informationweek.com/ news/security/attacks/showArticle.jhtml?articleID=210700232.
 Grundgesetz [Constitution of the Federal Republic of Germany], arts. 1, 2. Articles 1 and 2 of the German Constitution provide for the respect for "human dignity" and "personal freedoms" that have been interpreted by German courts to include the right to be free of employer monitoring, unless specifically provided for under the employment contract.
 Privacy and Data Protection Law: European Developments, Ernst & Young, July 2009. Some of these activities include: (1) screening the workforce for corruption and automatic filtering, deletion, and control of private emails of employees; (2) spying on employees by compliance teams; and (3) illegal storage and transfer of medical data of employees. Id.
 German federal elections took place on September 27, 2009.
 BDSG § 42a.
 BDSG § 3 para. 9.
 See, e.g., California Computer Security Breach Notification Act, supra note 8.
 BDSG § 42a.
 See, e.g., California Computer Security Breach Notification Act, CAL. CIV. CODE ANN. §§ 1798.29(g)(3), 1798.82(g)(3) (2009).
 The average cost is a composite of cost factors, which include:
- outlays for breach detection, escalation, notification, and response;
- fees for legal, investigative, and administrative services;
- losses due to customer defections, opportunity cost, and reputation management; and
- expenses associated with customer support, such as information hotlines and credit monitoring subscriptions.
See Cost of Data Beach, Germany 2008 Annual Study, Ponemon Institute, available at http://www.encryptionreports.com/costofdatabreach.html. Data breaches with mobile devices are more expensive: Lost or stolen laptop costs averaged €123.63 per data record compared with €106.85 for other data breaches. Id.
 See supra note 3.
 See Cost of Data Beach, United States 2008 Annual Study, Ponemon Institute, available at http://www.encryptionreports.com/costofdatabreach.html.
 Since 2005, the cost of a data breach has grown by nearly 40 percent or more than $64 on a per-victim basis. Id.
 See Cost of Data Beach, United States 2008 Annual Study, Ponemon Institute, available at http://www.encryptionreports.com/costofdatabreach.html.
 A "Member State" of the European Union is any one of the 27 sovereign states that have acceded to the European Union. A complete list of the current E.U. Member States is available at http://europa.eu/abc/european_countries/index_en.htm.
 California Computer Security Breach Notification Act, Cal. Civ. Code Ann. § 1798.82, et seq. (2009).
 See supra note 3.
 S. 1490, 111th Cong. (2009) (entitled, "A bill to prevent and mitigate identity theft, to ensure privacy, to provide notice of security breaches, and to enhance criminal penalties, law enforcement assistance, and other protections against security breaches, fraudulent access, and misuse of personally identifiable information").
 Council Directive 1995/46, 1995 O.J. (L281) 31 (EC), at http://ec.europa.eu/justice_home/fsj/privacy/docs/95-46-ce/dir1995-46_part1_en.pdf.
 Resolution on the Common Position Adopted by the Council with a View to the Adoption of a Directive of the European Parliament and of the Council Amending Directive 2002/22/EC on Universal Service and Users' Rights Relating to Electronic Communications Networks, Directive 2002/58/EC Concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector and Regulation (EC) No. 2006/2004 on Cooperation between National Authorities Responsible for the Enforcement of Consumer Protection Laws, Eur. Parl. Doc. (TA 360) 6 (2009), available at http://www.europarl.europa.eu/ sides/getDoc.do?type=TA&language=EN&reference=P6-TA-2009-0360.
 Personal Data Act 2000, § 27 (Nor.), available at http://www.legislationline.org/ download/action/download/id/1102/file/2e3d6bb37cf550acba8549d9759d.pdf.
 The Information Commissioner's Office does not specifically define what constitutes a "serious" breach but provides general guidelines and examples for making such an assessment; important factors for determining a "serious" breach include potential of harm to individuals and the volume and sensitivity of compromised data. See Information Commissioner's Office, Notification of Data Security Breaches to the Information Commissioner's Office, Mar. 27, 2008, available at http://www.ico.gov.uk/ upload/documents/library/data_protection/practical_application/breach_reporting.pdf.
 See, e.g., Tom Espiner, "Data Breach Law: IT Managers Say 'No,'" ZDNet UK, June 5, 2008, available at http://community.zdnet.co.uk/blog/0,1000000567,10008370o-2000331828b,00.htm.
 See, e.g., House of Commons Justice Committee, First Report, 2007-08, H.C. 154 (recommending data breach reporting requirements under the Data Protection Act 1998), available at http://www.publications.parliament.uk/pa/cm200708/cmselect/cmjust/154/154.pdf.
 BDSG § 32.
 BDSG § 11 para. 2.
 BDSG § 43 para. 1 no. 2b.
 BDSG § 4f para. 3. The Act requires (1) all companies that have more than nine individuals regularly involved with automatic data processing, (2) all companies involved in the commercial transfer of personal data, and (3) companies involved with the commercial transfer of personal data for market research or opinion research purposes to appoint DPOs in Germany.
 BDSG § 43 para. 3. Ordinary violations are enumerated in BDSG § 43 para. 1; serious violations are enumerated in BDSG §§ 43 para. 2, 44.
 BDSG § 43 para. 3.
 Outside of the United States and the European Union, countries such as Australia, Canada, and Japan have laws directly imposing data breach notification obligations. Alana Maurushat, Data Breach Notification Law Across the World from California to Australia, Univ. of New S. Wales L. Research Series (Paper No. 11), Apr. 2009, available at http://law.bepress.com/cgi/viewcontent.cgi?article=1153&context=unswwps. "25,000 March for More Privacy from Authorities," The Local: Germany's News in English, at http://www.thelocal.de/society/20090913-21897.html.