Hamburg Privacy Office Gains More Powers, Independence

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Jabeen Bhatti

July 15 — The privacy office for the German state of Hamburg had its independence bolstered and will see new enforcement powers under amendments approved to the state constitution.

Hamburg's Parliament amended the state constitution July 14 to place the state's data protection authority (DPA) in a special position where it is outside the direct administration of the state Senate and without any organizational connection to a supervising authority.

The amendment anchors the independence of the DPA at the highest-level of Hamburg's state law, even as there are questions over the future powers of the 16 state German DPAs in light of European Union General Data Protection Regulation (GDPR) that is scheduled to take effect in 2018 (15 PVLR 963, 5/9/16).

The amendment also implements EU law requirements to give the regulator “complete independence,” the DPA said in a July 15 statement.

The amendment to the state constitution also institutionalizes freedom of information laws in Hamburg, in addition to granting the DPA comprehensive legal and organizational independence in the area of data protection, the DPA said.

This puts Hamburg one step ahead with its already pioneering transparency laws, it said.

“In the future, the existence of the freedom of information will be protected by the state constitution itself and can no longer be swept away by a mere statutory law,” the DPA said.

‘Important Modernization.’

“The new provisions represent an important modernization of the constitution of major importance in light of the massive challenges fundamental rights have toward data protection due to digitization of society and the state,” Johannes Caspar, the Hamburg data protection commissioner, said in the statement.

The office will carry more weight with supervisory inspections of the responsible authorities and also bear more responsibility in protecting basic digital rights, according to Caspar.

The creation of central rights for appointments, inquiries and inspections parliament will simultaneously increase the office's democratic legitimacy and transparency, Caspar said.

It is now time for the office to improve its personnel resources so that it can act independently, he added.

Unresolved Jurisdiction Issues

While jurisdictional disputes over privacy enforcement by national DPAs remains a contentious topic, attorneys expect questions of proper jurisdiction will be resolved when the GDPR takes effect May 25, 2018.

In the meantime, they say that the push by the DPAs to enforce orders in spite of the courts not settling jurisdictional questions is part of a trend: that German DPAs have been getting tougher in applying the rules and become more “activist.”

In June, the Higher Hamburg Administrative Court ruled that Facebook could disregard an order from the Hamburg DPA requiring the social network to allow users to register with the site using pseudonyms (15 PVLR 1449, 7/11/16).

The court questioned whether the Hamburg DPA had the proper jurisdiction to issue orders to Facebook because its European headquarters and data processing centers are based in Ireland, even though Facebook's identity policies likely conflict with German privacy laws.

A Belgian court threw out a fine issued by Belgium's privacy regulators on similar jurisdictional grounds on June 29 (15 PVLR 1390, 7/4/16).

To contact the reporter on this story: Jabeen Bhatti in Berlin at

To contact the editors responsible for this story: Donald G. Aplin at ; Jimmy H. Koo at

Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law Privacy and Data Security