On May 4, the German Conference of the Federal and State Data Protection Authorities (DSK) published a call for an Employee Data Protection Act. As a reminder, in Germany, data protection is organized by state. There are state data protection authorities for each of the 16 German states and two for Bavaria—one each for public and for private data controllers. Together with the Federal Data Protection Authority of Germany, which is in charge of federal public data controllers, they comprise the DSK.
In their call for a specific employee data protection act, the DSK are referring to the announcement by the German governing parties in the federal coalition agreement of November 2021 that a distinct employee privacy act would be created by the coalition parties that are planning on being in government until 2025.
This act would be in addition to the EU General Data Protection Regulation (GDPR), which applies in Germany, and in addition to s26 of the German Data Protection Act (BDSG), which was enacted in May 2018 along with the GDPR. Currently a single provision of the BDSG regulates the basics of national employee privacy protection, as provided for in Article 88 of the GDPR.
It can be assumed that the discussion on whether a specific employee data privacy act is needed, and what it should contain, will continue over the coming weeks and months. It is further to be expected that draft legislation will be presented by the Federal Ministry of Labor and Social Affairs (BMAS) and possibly the Ministry of the Interior (BMI) in the coming months. Employers in Germany can look forward to—hopefully—greater legal clarity in the future and, presumably, will have to forgo some leeway in return.
The Current Legal Situation
As mentioned, at the moment, specific German regulations on employee data protection can be found in s26 of the BDSG, a provision with many general and abstract clauses that are then being interpreted by German labor courts and data protection authorities. Individual questions such as the permissibility of secret video surveillance at supermarket checkouts or social media background checks on new job applicants are currently pure case law based on s26 BDSG as well as on the general principles in the GDPR and the BDSG.
Earlier Regulatory Proposals
Efforts to introduce a more detailed German Employee Data Protection Act have already been made in the past, for example from 2010 to 2013 under the Conservative-Liberal government coalition at that time.
More recently, in January 2022, an interdisciplinary advisory board commissioned by the Federal Ministry of Labor completed a detailed final report on the status of German employee data protection, concluding that specific legislation will be needed. In February 2022, the German Trade Union Confederation (DGB) published a draft of an Employee Data Protection Act. The DGB proposal is a detailed draft of a law for the maximum protection of employee data, including added rules for enforcement, such as an explicit prohibition on using data as evidence if it has been obtained in breach of any data protection rules. It also includes a claim for employees to injunctive relief and a right for unions to start class actions in the event of breaches.
In contrast, the DSK resolution published in May 2022 limits itself for the most part to neutrally listing points in need of regulation and makes only a few proposals on the content of individual points. Even though the details will not be known until the law is passed, employees and employers can expect regulations on the following points.
Artificial intelligence. The use of AI in the employment relationship should remain possible, according to the DSK statement, but should be regulated more strictly the more severe the possible infringement of fundamental rights. Approval procedures, preliminary checks and requirements for avoiding discrimination are to be standardized. Profiling is to be prohibited in principle even if it is not used for automated decision-making. It remains to be seen whether the federal German legislature will comply with this demand and pass legislation on AI, despite the fact that an EU proposal for a law on artificial intelligence was published in April 2021.
Monitoring employee conduct and performance. When monitoring of employee behavior and performance is carried out secretly, it should be allowed only in specific exceptional cases according to the DSK. Concrete regulations are also demanded for the monitoring of employee e-mails, for video surveillance and GPS tracking, and for biometric procedures.
Consent. Employees’ consent as a legal basis for data processing must be viewed critically because of the existing inequality of power in the employment relationship. The DSK states there is a need for legal examples of when the conditions for consent, in particular its voluntary nature, are met.
Collective agreements. It should be clarified, according to the DSK, to what extent collective agreements can constitute an additional legal basis for data processing. This touches on the controversial question among German lawyers of whether data processing that would not be permissible under general data protection principles could nevertheless be allowed on the basis of company agreements.
Sensitive data. The processing of sensitive data of employees should be regulated better than before, the DSK states. At present, it is not clear whether it may also be processed on the basis of general rules on the processing of sensitive data, without introducing further requirements for employee sensitive data, such as a balancing of interests.
No use of unlawfully obtained data as evidence. The DSK expressly supports a statutory prohibition on the use of unlawfully obtained employee data as evidence, similar to the DGB suggestion described above. According to the case law of the Federal Labor Court, so far, evidence obtained in violation of data protection law must be disregarded only if the processing is disproportionate and significantly interferes with the employees’ fundamental rights, such as in the case of locker checks or secret eavesdropping on telephone calls.
Recruitment. Finally, the processing of job applicants’ data needs to be regulated according to the DSK statement. This relates to the employer’s right to ask questions about such things as pregnancy or union membership, to background checks, and to medical examinations and assessment center data. The DSK paper also demands a maximum retention period of six months for job applicants’ data.
The question is whether a special German law for employee data protection is needed. The answer depends on how you look at it. From the perspective of an employment lawyer specialized in data protection law, it isn’t needed. If, on the other hand, the goal is that those subject to the law, who are not lawyers, should be able to understand the legal situation as well as possible by simply looking at the statute, we do indeed need a more detailed and specific act.
However, the approach of introducing a law that is as detailed as possible instead of a few general clauses has a risk: It could quickly become outdated. There is a reason why the EU GDPR has been drafted to be as technology neutral as possible (EC 15 paragraph 1 GDPR). The hope was and is that the GDPR will remain applicable and relevant in the future, despite rapid technological progress. The explicit regulations now demanded by the DSK, for example, on the monitoring of e-mails or GPS tracking, could be outdated by new technologies in just a few years.
Jessica Jacobi is an attorney with Kliemt.HR Lawyers in Berlin. Kliemt.HR Lawyers belongs to Ius Laboris, a global alliance of law firms that specialize in employment law. © 2022 Ius Laboris. All rights reserved. Reposted with permission of Lexology.