
The Privacy Advisor | Experts decry German data minimization 'noise' ahead of election



German legal experts have poured scorn on a pre-election proposal by Angela Merkel's Christian Democratic Union that would weaken the principle of data minimization in the country.

Earlier this month, a CDU strategy paper discussed how best to turn "big data" into "smart data." The key to this alchemy, the paper suggested, was the abandonment of data minimization as a general guideline. The principle, which essentially refers to processing only the personal data that you need to process, "reduces opportunities for new products and services and progress" and hurts Germany's international competitiveness, the paper said.

The CDU's strategy paper added that the "appropriate exploitation" of personal, continuously connected data would have to be on an anonymized basis, in order to engender enough trust from the subjects' side — Germany is, of course, a famously pro-privacy country thanks to its history.


The proposed shift was welcomed by industry representatives, who have long been calling for data minimization to be set aside. However, legal experts have a very different take on the matter.

"What the CDU is maybe trying to do is make themselves seem as the economy party," said Tim Wybitul, CIPP/E, a data protection lawyer at Hogan Lovells. "But at the end of the day, it's pretty simple: The GDPR supersedes national laws, full stop." 

The General Data Protection Regulation is due to come into effect in May next year, and Germany is updating its national privacy legislation to prepare for the new pan-EU law.

Germany's federal elections are set for September, after the summer recess that takes place in July and August. The CDU is almost certain to come out of the election as Germany's largest party again, though its legislative agenda will to some extent depend on which party signs up as its junior coalition partner.

However, even if that coalition partner is fine with watering down data minimization, the GDPR won't allow it. As Wybitul pointed out, Article 83 of the regulation threatens fines of up to 20 million euros or up to 4 percent of global turnover for violating the basic principles for processing, as set out in Article 5 — and data minimization is very clearly one of those principles.

"Personal data shall be … adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ('data minimization')," Article 5 reads.

According to Stefan Brink, the data protection and freedom of information officer for the state of Baden-Württemberg, the CDU is missing the point of the GDPR. Under Germany's existing data protection law, he said, data minimization has been a legal goal and little more.

"This principle was never enforced by any administrative fine or any administrative action — it was just a principle," Brink said. "What [the CDU doesn't] see at all is that the idea of data minimization in the GDPR is a very different one. If you look at Article 5 of the GDPR, you can clearly see this is not just a theory, but also one of the main principles that is [heavily] enforced by Article 83, with very clear consequences regarding infringement of these basic principles.

"You can see that Article 5 is really enforced to the maximum, and this is absolutely clear and understandable because data minimization has the idea that any data processing has to be measured regarding the purpose of the processing, and it's not the idea of data austerity [minimization], but it's the principle of necessity that's enforced by this. This is the nucleus of data protection by the GDPR."

Wybitul, too, highlighted the close link between the GDPR's principle of data minimization and purpose limitation. He suggested that this already meant data minimization was not an absolute, but something that has to be judged relative to the purpose of the data processing. "The litmus test is: 'Do I need all that data?'" he said. 

As for the paper's call for big data to be anonymized before exploitation, this does not seem to conflict at all with the GDPR's data minimization principle — indeed, truly anonymized data would fall out of the regulation's scope, as it would no longer qualify as personal data.

Does this mean that the industrial data processing that the CDU is trying to promote doesn't actually require minimization anyway? "I couldn't agree more," Wybitul said.

According to Brink, the CDU strategists are also missing the GDPR's innate encouragement of commercial data use. "The goals of the GDPR are not only data protection but also the free flow of information," he said. "There has always been a very effective economic part of the GDPR — it's a really big difference to the German laws of data protection. They have just one goal and this is data protection. … The GDPR is a big step forward for many companies in Germany and the whole of Europe."

Will the CDU's plans come to anything? "This won't be much more than noise because the GDPR is clear on [data minimization]," Brink said. "Big data must not be a black box. If you're not able to explain the purpose of your processes, you won't be able to measure or to decide if the processing is legal or not. So it's absolutely fundamental that the processors can explain their purposes, and that these purposes are measured regarding the principle of necessity."


