THE RIGHT TO BE FORGOTTEN IN GERMANY
III- THE GERMAN IMPLEMENTATION OF THE GDPR AND THE “RIGHT TO BE FORGOTTEN”
A-The Door Opener for Domestic Data Protection Restrictions
As stated in recital 10 of the GDPR, the level of protection of the rights and freedoms of natural persons with regard to the processing of personal data should be equivalent in all Member States in order to ensure a consistent and high level of protection of natural persons and to remove the obstacles to flows of such data within the EU. Consistent and homogenous application of the rules for the protection of the fundamental rights and freedoms of natural persons with regard to the processing of personal data should be ensured throughout the Union. This pursued harmonisation of data protection law throughout the EU is exactly the reason why the EU legislator has chosen the regulation as a form of legislative action: the regulation shall have general application, shall be binding in its entirety and directly applicable in all Member States (Art. 288 TFEU) without any implementing acts that could lead to a different application of data protection law as well as legal uncertainty (as was the case under the 1995 Data Protection Directive regime).
However, according to Art. 23 GDPR, the rights of data subjects provided by the GDPR can be restricted by Member States (or Union) legislation, when such a restriction is a necessary and proportionate measure to safeguard private rights35 and public interests.3637 So the GDPR rather is a mixture of a regulation and a directive. This may have ensured the possibility of achieving consensus about the GDPR between the Member States. But Art. 23 relativizes the GDPR’s harmonisation goal at the expense of legal certainty.
Nevertheless, the harsh critique38 of this door opener
35 For example the protection of the data subject or the rights and freedoms of others or the enforcement of civil law claims (Art. 23 para. 1 lit. i and j).
36 For example national security, defence, public security, the prosecution of criminal offences or the execution of criminal penalties or other important objectives of general public interest of the Union or of a Member State (cf. Art. 23 para. 1 lit. a-h).
37 Cf. Enrico Peuker, ‘Kommentierung von Art. 23 DSGVO’ in Gernot Sydow (ed), Europäische Datenschutzgrundverordnung.
Handkommentar (Nomos 2017).
38 With regard to the precedent clause Ulrich Dammann and Spiros Simitis, EG-Datenschutzrichtlinie. Kommentar (Nomos 1997), Einleitung para. 37, 46: ‘excessive accumulation of
PART 1: THE DOMESTIC IMPLEMENTATION OF THE GOOGLE SPAIN CASE
THE RIGHT TO BE FORGOTTEN IN GERMANY
p 039
¼
https://blogdroiteuropeen.com clause has to take several points into account: Firstly,Art. 23 GDPR takes up the precedent provision in Art. 13 of the 1995 EC Data Protection Directive as well as the requirements of the CFR and the European Human Rights Convention in the interpretation by the ECJ and the European Court of Human Rights. Secondly, the allocation of competences between the EU and the Member States can explain some of the restriction goals in Art. 23 – the EU has no competence to regulate issues of national security for instance. Finally, the possible restrictions on data subjects’ rights based on Art. 23 GDPR are restricted themselves by the essence of the fundamental rights and freedoms and the fact that they have to be a necessary and proportionate measure in a democratic society (Art. 23 para. 1).
B-The Reformed German Federal Data Protection Act of 2017
As one of the first EU Member States, Germany has passed an implementation act for the GDPR39 that reforms the German Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG) and enters into force in May 2018 – together with the application of the GDPR.40 The implementation act fulfils Member States’ regulatory obligations stated in the GDPR and makes use of some door opener clauses provided by the GDPR. The German government explicitly stated that they wanted to keep the existing German data protection rules under the GDPR regime as far as possible. The coexistence of European and domestic data protection rules makes the data protection law quite complex because the legal situation only arises when one reads both the GDPR and the domestic implementation or restriction norms together. And the fact that a domestic restriction of GDPR’s clauses has to cite the GDPR clause does not really enhance the readability of these norms.
The German implementing legislator has passed some restrictions of data subject’s rights based on Art. 23 GDPR. Restrictions on the right to erasure provided in Art. 17 GDPR are stated in § 35 BDSG. According to para. 1, there is no right to erasure, if – in cases
wilfully widely formulated general terms’, ‘dissimulation of data processing’, ‘lip service to fundamental rights based data protection.’
39 Gesetz zur Anpassung des Datenschutzrechts an die Verordnung (EU) Nr. 2016/679 (DSGVO) und zur Umsetzung der Richtlinie (EU) 2016/680, Bundesgesetzblatt Jahrgang 2017, Teil I, Nr. 44, S. 2097.
40 For an overview Holger Greve, ‘Das neue
Bundesdatenschutzgesetz’ (2017) Neue Zeitschrift für Verwaltungsrecht 737.
of lawful non-automatic processing of personal data (i.e. paper-based archives or other analogue storage media) – the erasure would require an unreasonable effort and if the data subject has only a little interest in erasure. In this instance, a right to restriction of processing (Art. 18 GDPR41) supersedes the right to erasure. The same is true according to para. 2, if the controller may assume that the erasure would infringe the data subject’s interests. Finally, according to para. 3, there is no right to erasure, but a right to restriction of processing, if the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed but cannot be erased because of retention periods provided by statutes or contracts.
C-Legal Review of the Reformed 2017 Federal Data Protection Act
Since the reformed BDSG has not yet entered into force, there is no case law dealing with it. However, since the BDSG is one of the first Member State’s implementation acts of the GDPR, the European Commission is likely to supervise the German implementation act and its application, especially with regard to the restriction of data subject’s rights.42
IV-CONCLUSION
The “right to be forgotten” is a fancy buzzword, but not an elaborated legal concept. Beyond that, it has only little heuristic function unless it only refers to the wishful thinking that people shall forget some issues of a person’s life. Thus, legal scholarship is well advised to concentrate less on the label of “the right to be forgotten” but rather on the interpretation of positive law (such as the GDPR, that unfortunately boosts the
“right to be forgotten” by headlining Art. 17 with it). The same holds especially true for courts. German case law shows how to handle the ECJ’s rulings by integrating them into an elaborate dogmatic concept without referring to a shapeless “right to be forgotten”. In the end, the demand for concrete legal terms is not only an obsession of legal scholarship, but has two concrete reasons: On the one hand, concrete legal terms are the basis for supervisory authorities’ action against
41 See Enrico Peuker, ‘Kommentierung von Art. 18 DSGVO’ in Gernot Sydow (ed), Europäische Datenschutzgrundverordnung.
Handkommentar (Nomos 2017).
42 Cf. Holger Greve, ‘Das neue Bundesdatenschutzgesetz’ (2017) Neue Zeitschrift für Verwaltungsrecht 737 who reports about a possible infringement procedure against Germany.
PART 1: THE DOMESTIC IMPLEMENTATION OF THE GOOGLE SPAIN CASE
THE RIGHT TO BE FORGOTTEN IN GERMANY
¼
https://blogdroiteuropeen.com p 040controllers. According to Art. 58 lit. para. 2 lit. g GDPR, the competent supervisory authority can order the erasure of personal data pursuant to Art. 17 para. 1 GDPR and the notification of such actions to recipients to whom the personal data have been disclosed pursuant to Art. 17 para. 2 GDPR. On the other hand, according to Art. 83 para. 5 lit. b GDPR, infringements of the data subject’s right to erasure (or notification) can be subject to administrative fines up to 20.000.000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.
PART 1: THE DOMESTIC IMPLEMENTATION OF THE GOOGLE SPAIN CASE