Status quo of the legislative procedure for an Employee Data Protection Act - need for employers to take action?
At a glance
- The EU General Data Protection Regulation (GDPR) allows national legislators to adopt provisions that specify data protection requirements in the employment context.
- Germany has made use of the opening clause the GDPR (Art. 88 GDPR) in Section 26 of the Federal Data Protection Act (BDSG).
- However, in response to a ruling of the European Court of Justice (ECJ), the Federal Labor Court (BAG) declared Section 26 para. 1 s. 1 BDSG invalid and inapplicable.
- The responsible ministries have taken this situation as an opportunity to expedite the legislative process for the Employee Data Protection Act. A draft announced for the fourth quarter of 2023 has not yet been published.
- So far, the only indication of possible regulations is a position paper published in April 2023 called ‘Proposals for modern employee data protection’.
- The implications of the regulations in the paper would be far-reaching for employers.
- Although the duration of the legislative process cannot be foreseen, employers should take action now by reviewing their data protection documentation and adapt it if necessary.
After several failed attempts in recent decades to summarise and codify the data protection provisions relating to employees and other workers in a single Employee Data Protection Act, the current government is making a new attempt.
Current legal situation in Germany
Currently, employee data protection in Germany is largely determined by case law. The EU (GDPR) allows national legislators to adopt provisions that specify data protection requirements in the employment context. However, Germany has only made very cautious use of this opening clause under Art. 88 GDPR: Section 26 of the Federal Data Protection Act (BDSG) contains specific requirements relating to the protection of employee data. However, many of the requirements and specifications regulated within Section 26 BDSG have been criticised as being too narrow and not going beyond those of the GDPR.
Even more problematic, however, is the fact that numerous provisions of Section 26 BDSG do not meet the conditions set out in the GDPR (Art. 88 para. 2) for national regulations on employee data protection. The European Court of Justice (ECJ) recently specified the conditions set out in Art. 88 para. 2 GDPR (judgment of 30 March 2023 - C-34/21). The Federal Labor Court (BAG) subsequently declared Section 26 para. 1 s. 1 BDSG invalid and inapplicable, as it did not meet the requirements of the GDPR (decision of 9 May 2023 – 1 ABR 14/22). Other individual provisions in Section 26 BDSG could share this fate in the future.
A new approach and actual regulatory objectives
The responsible ministries have taken this situation as an opportunity to expedite the legislative process for the Employee Data Protection Act. However, the draft announced for the fourth quarter of 2023 has not yet been published. So far, the only indication of possible regulations is a position paper published in April 2023 by the Federal Ministry of Labor and Social Affairs and the Federal Ministry of the Interior and Home Affairs called ‘Proposals for modern employee data protection’.
In this paper, the ministries outline the objectives pursued with the bill. For example, the personal scope of application is to be kept as broad as possible in order to also cover solo self-employed platform workers. On the other hand, monitoring measures by the employer, are to be limited in order to avoid constant monitoring pressure. In addition, the conditions under which concealed or open surveillance measures should be permitted are to be regulated. Questions relating to the use of artificial intelligence are also to be addressed in the bill, with particular emphasis on synergy with the EU regulations issued and planned in this regard. Applicants should be better protected with regard to data processing in the recruitment process since this has been identified by the legislator as an area in particular need of protection.
Another aim of the bill is to make the balancing of interests to be carried out with regard to the permissibility of data processing operations more manageable in practice. This will be achieved by shaping the requirements for the voluntary nature of consent. The announced regulations on data transfers within the group are also particularly relevant in practice. In order to further protect employees, data subject rights found in the GDPR are to be extended, with additional rights for employees.
Takeaways for employers
Considering the challenges faced by many companies with regard to requests for information in accordance with Art. 15 GDPR, the announced provisions are likely to result in additional bureaucracy for employers. It remains to be seen what specific changes the Employee Data Protection Act will bring. Employers should take action now: In light of the inapplicability of Section 26 para. 1 s. 1 BDSG and the fact that the enactment of the amendment is not yet foreseeable, they should review their data protection documentation and adapt it if necessary. The ECJ clarified that Section 26 para. 1 s. 1 BDSG is not a suitable authorisation for processing. In this respect, only the provisions of the GDPR can be relied upon.