Germany has a data protection landscape that is far more complex than those of its sister EU member states. Owing to its constitution and federal construct, several political and policy areas, such as education and culture, are decentralized to the 16 state ("Landes") levels.
The challenge for Germany, in a rapidly changing global economy, is its ability to legislate and preside over consistent and unified enforcement policies and decisions for both domestic and international companies. The various DPAs can and do hold different and diverse views on legal interpretation and its enforcement.
The advent of the EU General Data Protection Regulation, coupled with the creation of the European Data Protection Board, has only served to amplify the complexity of the German ecosystem. In terms of the EDPB, the federal data protection authority speaks on behalf of all the other 16 German states and, at least in theory, in cooperation with one of the heads of the other Landes' DPAs (for political reasons still not elected) as selected by the Bundesrat, the second German Parliamentary chamber constituting the assembly of the federal state governments.
So how do the German regulatory authorities speak in one voice — be that in Germany or through the EDPB?
There is the Datenschutzkonferenz — or, in English, the Data Protection Conference — a body that groups the independent German DPAs of the federal and state governments together. Its mission: “to uphold and protect fundamental data protection rights, to achieve uniform application of European and national data protection law and to jointly advocate its further development. This is done specifically through resolutions, decisions, guidelines, standardizations, statements, press releases and determinations.”
The DSK is organized as a “nicht-eingetragener Verein,” which means it is not a legal entity in its own right. From a procedural perspective, the DSK is regulated by its own rules of procedure (Geschäftsordnung), with no separate public funding of its own. Discussions do not always run smoothly within the DSK; the recent and very public disagreements and opinions regarding Microsoft's Office 365 laid this fragility bare.
From the EDPB perspective, as far as Germany is concerned, only the federal DPA has a voting seat and, to date, the state DPAs have not designated their non-voting seats in the EDPB. Andrea Vosshoff, the former federal DPA commissioner and predecessor to the sitting Ulrich Kelber, was quite astute in this makeup, so I am told, ensuring that only the federal DPA had a voting seat within the EDPB, effectively sidelining the state DPAs. Moreover, while in office, she was able to maneuver a doubling of headcount within the federal DPA without an actual increase in their workload or mandate — quite the feat.
Fast forward to 2019 and, with new Federal Commissioner Ulrich Kelber in office, both major political parties (the Christian-democratic and liberal-conservative political party and the Christian-democratic and conservative political party in Bavaria), as well as the social democratic party, which counts Kelber in its political family, reignited the age-old debate and discussion to reform and centralize the data protection regulatory landscape in Germany — or at least to limit the mandates of the Länder DPAs in favor of a single federal German DPA.
In November 2019, this resurgent theme was captured in a report of the German government’s Committee on data ethics with the stamp and approval of regulatory commissioners Marit Hansen, head of the state DPA of Schleswig-Holstein, and Kelber.
In May 2020, purposeful discussions were held in Berlin to examine changes to the federal German data protection law to bring the supervision responsibilities of private sector companies under the Federal Commissioner for Data Protection and Freedom of Information. This resulted in concerns raised by several state authorities, including from Bavaria and Baden-Wuerttemberg over the practicality and legality of such a move.
Presently, there are diverse legal opinions, as well as enforcement stances across the German regulatory territory. In many respects, those differences are a microcosm of the broader picture at the EU level.
Moreover, following a Court of Justice of the European Union ruling in 2010, the German Länder were obliged to politically reorganize their DPA structure and create fully independent DPA entities. For example, in Bavaria, the DPA was formerly under the remit of the Bavarian Ministry of Economy before obtaining its independent “Landesamt” status. Considering the then-reform, some DPAs subsequently put an emphasis on their independence, which, at times, has hampered a central coordination of views or activities with other DPAs.
Lately, this was noticeable with the Berlin DPA, which in the immediate aftermath of the "Schrems II" ruling, voiced a first and rather stark opinion on the legality of international transfers from the EU to the U.S.
As regards international companies, it may be the case that local DPA positions and policies have influenced their choice of operational locations or, more bluntly, that locations have been chosen to avoid certain state jurisdictions.
Conversely, there is some but limited evidence to suggest that German companies relocate to Germany based on local DPA practices. What we do see though is that DPAs are a factor for international companies setting up a business in Germany and looking for a location.
In most cases, the DSK does come forward with coordinated guidance and statements that are then applied and enforced by every German DPA. In a typical scenario, one DPA will take the lead for a certain topic and present a draft that is then discussed between the various state regulatory services; this is somewhat similar to the EDPB's working group approach.
However, the discussions are often drawn out over time, before a common agreement can be published, and there are also cases in which individual DPAs do not support a certain guidance, such as Microsoft 365 most recently.
In a recent workshop held by the BvD — The Association of Data Protection Officers Germany, on the question of centralization in Germany, Kelber put forward a strong case advocating for a more unified and singular entity to create a more uniform interpretation of the GDPR and related data laws. Kelber clearly felt the setup involving 17 bodies was too fragmented to be effective.
In addition, he also stated, controversially, there would be an advantage to have one European entity rather than a variety of EU member state bodies. Kelber welcomed the competition that arises from the federal structure in Germany but had reservations, stating while a local presence eases the accessibility to the DPAs, it waters down the desired effects of the regulator.
Taking account of a strong federal approach for Germany, Kelber suggested that a permanent, federal secretary in Berlin may be of added value all the while maintaining a local presence that would enable the smaller Länder. He added it has been a challenge to get all Länder DPAs to group together on joint communications or positions.
He did praise the recent unity and cooperation among the DPAs regarding the German COVID-19 contact-tracing application — the 18 million downloads are higher than the remaining EU countries combined — but he also cautioned these achievements are rare feats. Echoing the European model of the one-stop-shop mechanism, Kelber pointed out this is usually just a "one-stop." His commitment to a federal approach was clear, insisting the need is urgent.
Iris Plöger, a member of the BDI Executive Board, Federation of German Industries and Germany’s largest German umbrella organization, also spoke at the same BvD workshop. Plöger expressed a similar concern to that of Kelber in that a broad political policy approach across Germany is helpful in some instances, but not in the case of data protection policy. For Germany’s industry to function efficiently, a single German DPA in the driver's seat is the optimal solution. She cited the recent "Schrems II" case, which has left the industry vulnerable with regard to data transfers, and called for a united and joint application across the collective of state DPAs to address guidance. Inconsistency and legal uncertainty are seen as threats to the growth and development of the German economy.
The federal structure of supervision also has significant advantages. As the proponents of decentralization (and most heads of the German DPAs seem to be in that camp) point out, it helps to ensure differentiation and proportionality as regards the interpretation of data protection laws. Local DPAs are also likely to be more agile and quicker in their turn-around, resulting in faster legal certainty. Above all, having local DPAs has the advantage of proximity to both the business community they oversee as well as the data subjects.
Don’t forget: Every German DPA usually has a rather close working relationship with the major businesses under their mandate, often built over years. Such proximity very often ensures smooth cooperation and enhanced data protection. From a business perspective, this can be a business-critical asset.
Moreover, if one looks at the current decentralized structure from a data subject’s perspective, it is obvious that having a local authority in the data subject’s federal state makes it easier to raise concerns or complaints. Hence, and from a perspective of the EU General Data Protection Regulation, a decentralized approach in a country as big as Germany has some clear benefits.
Having highlighted the pros and cons of a decentralized versus a centralized approach, one wonders how this is going to play out.
Bear in mind we are primarily talking about a political question here. The Bundestag and Bundesrat could independently ratify a decision to transfer the regulatory competency of the private sector to the federal BfDI without state consultation or approval.
It remains unclear to what extent the Länder governments are willing to give up their competencies or, conversely, preserve the current structure. Data protection is certainly not on top of their priority list presently and might even be perceived as a political minefield that some might gladly shift to Berlin/Bonn.
Local state governments are probably increasingly aware of the future importance of data governance and, therefore, one would expect they have an interest in not giving that away. Arguably, from a logistical standpoint, a full centralization and positioning of a new super DPA would not necessarily be practical in the short-term — not to mention the constitutional and other legal challenges that such an approach would face.
In this scenario, a full centralization of both private and public sector competencies would require state government approval.
Against this backdrop, it does seem likely there will have to be a political compromise at some juncture. The current structure of German supervision could essentially remain as is, but with some additional centralized sectorial competences for the BfDI. A new German federal draft cookie law suggests as much and provides for a centralized competence of Berlin for cookie compliance. It also seems likely cooperation and coordination within the DSK structure will be enhanced.
The question around harmonization and centralization is a politically charged debate that continues to play out in Germany. And while it remains an emotive and open issue, many consider it to be a question of time and political will to become a reality.
Thanks to Ulrich Baumgartner, IAPP country leader for the DACH region, Sebastian Kraska of IITR Datenschutz GmbH, and Stephan Lehman, IAPP DACH region enterprise sales consultant, for their inputs and views, as well as the other Germans who gave me a passing insight.