German Privacy Chiefs Seek EU Regulation Changes

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Jabeen Bhatti

Aug. 27 — A coalition of German data protection authorities has issued demands to amend several provisions of the European Union's proposed data protection regulation—the General Data Protection Regulation—saying stronger data minimization and purpose limitation are necessary to ensure that legal protections afforded to German data subjects aren't weakened by the planned new regime.

“It is of the utmost importance that compared to the existing legal status, the General Data Protection Regulation guarantees an improved standard, or at the least a standard of protection of fundamental rights, which is equivalent to the current one,” the Conference of German Federal and State Data Protection Commissioners said in an Aug. 26 statement.

The proposed regulation, which is being negotiated in a trialogue between the European Parliament, the Council of the European Union and European Commission, aims to unify data protection rules for the 28 EU member states. Negotiations are scheduled to conclude by the end of 2015.

Data Minimization, Purpose Limitation, Consent 

The DPAs called on negotiators to ensure the planned legislation “lays down explicitly” the principles of data economy and data reduction in light of big data analytics, which involves the processing of larger quantities of data than ever, the statement said.

The DPAs also cried foul over the weakening of the principle of purpose limitation, which sets limits on how data controllers are able to use data. The group focused on the EU Council draft version of the regulation, saying it “would permit modifications of the purposes to such a wide extent that the principle of purpose limitation contained in the European Charter of Fundamental Rights would be relinquished.”

The DPAs also criticized the consent rules in the EU Council draft, which proposed that declarations of consent only have to be unequivocal instead of explicit. That would “open the path for an opt-out scenario as a general term of consent,” the German DPAs said.

Profiling, Privacy Officers 

The group also called on negotiators to ensure “thorough” and “efficient” rules governing profiling. They called for strict rules outlining when compiling and analyzing an individual's personal data would be allowed. Provisions in the draft regulation “are falling short” of required narrow limits, they said.

The DPAs noted the effectiveness of Germany's system of requiring data protection officials for public and private organizations and called on negotiators to make it an EU-wide requirement under the regulation.

The group challenged restrictions on information available to individuals to allow them to assess the scope and risk posed by data processing, saying their “implementation must be free of charge for the data subjects.”

To contact the reporter on this story: Jabeen Bhatti in Berlin at

To contact the editor responsible for this story: Donald G. Aplin at