How the GDPR should be changed, according to the German Data Protection Authorities
A few days ago, the German DPAs published their comments on the ongoing evaluation of the GDPR. While their assessment of the GDPR is overall positive, they also recommend some changes. Here is a (non-exhaustive) summary:
- The German DPAs consider the transparency obligations of Articles 13 and 14 GDPR impractical in some scenarios, e.g. if data is collected during a phone call. They propose a provision that exempts controllers from their information obligations in a specified "low-risk" scenario. In such a case, controllers would still have to provide the full data protection notice if data subjects request it.
- The right to a data copy can lead to scenarios where data subjects request all information about them, for example, a full copy of administrative files kept by an authority. The German DPAs recommend defining more specifically what qualifies as a "copy" in the meaning of Article 15(3) GDPR.
- They consider the obligation to notify DPAs about the appointment of a DPO (Article 37(7) GDPR) unnecessarily burdensome, both for the DPAs and for controllers and processors. They recommend that this obligation be revoked, but propose leaving the obligation to publish the contact details of the DPO (Article 37(7) GDPR) in place.
- The German DPAs criticise that the GDPR led to a very high number of data breach notifications, and want to raise the risk threshold in Article 33 GDPR (pertaining to the risk to data subjects that triggers the notification obligation) from "unless the personal data breach is unlikely to result in a risk" to "if a risk is likely".
- They also propose changing Article 33 GDPR so that not only verified breaches require notification, but also cases where a breach may have occurred, if such a breach might have created a high risk for the affected data subjects. As an example, they refer to a case where a database was accessible on the open internet, but where the controller could not clearly determine whether the data had actually been accessed.
- The German DPAs mention that controllers use the provision on "further processing" in Article 6(4) GDPR to justify processing that does not have a legal basis, citing Recital 50, Sentence 8 GDPR. They recommend clarifying that all data processing requires a legal basis in the meaning of Article 6(1) GDPR, even where Article 6(4) GDPR already permits "further processing".
- The German DPAs recommend that the "data protection by design" requirements of Article 25(1) GDPR should also apply to manufacturers, suppliers, importers and sellers of data processing systems. They also recommend adding these groups to the provisions in Article 82 GDPR that impose full (joint and several) liability for damages.
- The German DPAs recommend clarifying how exactly they can enforce information disclosure requests. Given that there are two overlapping provisions in the GDPR (Articles 31 and 58(1)(a)) which carry different sanctions, they recommend that the sanctions regime for both provisions be unified.
- Given that traditions relating to direct marketing differ among the EU member states, they recommend adding a provision to the GDPR that provides more details on how a balancing-of-interests-test in the meaning of Article 6(1)(f) GDPR should be carried out.
- The German DPAs criticise that "profiling" is mentioned in many GDPR provisions but is in fact not subject to any additional requirements. In particular, they point out that Article 22 GDPR applies to automated decision-making, but not to profiling that is not part of such decision-making. They recommend introducing stricter rules.
- They mention an ongoing conflict between the German DPAs and the German National Accreditation Body about who is competent to issue accreditations under Article 41(1) GDPR. Both the DPAs and the German Accreditation Body consider themselves authorised to do this (the latter on the basis of EU Regulation (EC) 765/2008). The DPAs request that the GDPR be clarified to make clear that this power rests with the DPAs.
- They propose to define the term "anonymisation".
- They recommend unifying the catalogues of Articles 13 and 14 GDPR.
In addition, the German DPAs request a considerable number of editorial changes to the GDPR where they consider the wording to be unclear and propose some changes regarding their administrative powers and obligations.
Bottom line: What are the consequences?
Firstly, the proposed changes show that not even the German DPAs are completely happy with the GDPR. It is likely that other European DPAs will also adopt such positions, which would increase the pressure on the EU Commission to actually propose a change to the GDPR. So far, rumours from Brussels indicate that the Commission (at least at the working level) does not favour such amendments. But this may change, possibly as an effect of the new Commissioners assuming their positions, or as a result of statements such as this one by the German DPAs.
Secondly, while some of the proposed changes are sound and reasonable, others raise serious concerns. In particular, the proposed extension of the "data protection by design" obligation to manufacturers, suppliers and importers would have extremely far-reaching consequences.
Legal Counsel (LL.M.) | Data Protection (CIPP/E)
5 years
Thank you for this enlightening summary!
Compliance Risk Management
5 years
Thanks for summing up the important points. There is only one proposal that will cause problems if it becomes law: the liability of manufacturers, suppliers, importers and sellers of data processing systems for "data protection by design". A significant part of software comes free and as is (liability excluded). This is especially true for systems using web technology but also applies to AI. I'm talking about open source libraries and GNU/Linux server technology. Extending liability for privacy by design to suppliers of software would not work in the open source ecosystem. Given the fact that free software is the only viable option for controllers or processors that really want to implement GDPR-compliant systems (building on operating systems that do not collect and transmit personal data to a US-based vendor), the authorities should not lay an axe to the root of open source software. It is provided for free, as is, with no liability accepted whatsoever.