Being a Regulation, the (Draft) General Data Protection Regulation not only aims at fully harmonizing the field of law it covers (as some Directives do) but would achieve that goal by simply being the (only) directly applicable law as far as its reach goes. Plus the Commission’s “empowerment to adopt delegated acts”, of course, which is a rather intriguing idea from a democracy point of view. But that’s another story.
One of the very few areas where the member states are given a certain amount of legislative leeway is set forth in Art. 82 of the Draft Regulation.
“Within the limits of this Regulation, Member States may adopt by law specific rules regulating the processing of employees’ personal data in the employment context, in particular for the purposes of the recruitment, the performance of the contract of employment, including discharge of obligations laid down by law or by collective agreements, management, planning and organisation of work, health and safety at work, and for the purposes of the exercise and enjoyment, on an individual or collective basis, of rights and benefits related to employment, and for the purpose of the termination of the employment relationship.”
That sounds good for our Bundestag, which has its own Employee Data Protection Act under way (more or less, that is). But could Germany really have its own law on employee data protection? I’m not so sure.
Undeniably, Art. 82 gives the member states some room (“(…) may adopt specific rules (…)”). So yes, Germany could pass a law on this matter. But such a law would have to keep “within the limits of the Regulation”. What does that mean? The Explanatory Memorandum informs us only that
“Article 82 provides an empowerment for Member States to adopt specific laws for processing personal data in the employment context.”
No kidding. The real juice can, as is so often the case with EU legislation, be found in the Recitals. Recital 124 tells us that
“[t]he general principles on the protection of individuals with regard to the processing of personal data should also be applicable to the employment context. Therefore, in order to regulate the processing of employees’ personal data in the employment context, Member States should be able, within the limits of this Regulation, to adopt by law specific rules for the processing of personal data in the employment sector.”
Recital 34 rules out the idea that the processing of employee data could ever rely on consent:
“Consent should not provide a valid legal ground for the processing of personal data, where there is a clear imbalance between the data subject and the controller. This is especially the case where the data subject is in a situation of dependence from the controller, among others, where personal data are processed by the employer of employees’ personal data in the employment context.”
Hence: Whatever the national legislator does, it may not deviate from the principles or go below the “standards” of data protection established by the Regulation. Nothing in any national law would therefore be able to lawfully limit the Regulation’s effect. That would not only be the end of the current legislator’s idea that employee consent should at least under certain circumstances have the desired effect of permitting the processing of certain data. It would also do away with collective company agreements (Germany’s so-called “Betriebsvereinbarungen”) serving as a kind of “collective consent” that allows for the processing of data covered in the agreement. I admit that working with company agreements has never been unanimously sanctioned in Germany. But there is one Federal Labor Court decision supporting the concept, and the latest legislative draft that has been leaked has company agreements set as one way to allow for data processing beyond or different from what the planned Act permits by default.
It’s not all good news for the employee data protection extremists, though. If you look at the Asociación Nacional de Establecimientos Financieros de Crédito (ASNEF) vs. Administración del Estado Judgment of the ECJ (Case C-468/10), it, in my opinion, becomes clear that national legislation based on Art. 82 of the draft Regulation would be barred from adding additional requirements for the processing of data or changing the Regulation’s principles with a view to “improving” the employee’s position. In other words: “specific rules” adopted in member states may not lead to a stricter data protection regime for employers, either. It would therefore not be possible to, for instance, completely abolish the “legitimate interests” provision of Art 7 (f) of the Draft Regulation, as would happen were Germany to pass the current draft of its own Employee Data Protection Act.
What remains is the right of the member states under Art. 82 to work on the details. Or does it? After all, it is the Commission that is supposed to fill in the blanks according to Art. 82 (3) of the Draft Regulation, and the Commission seems more than keen to push ahead in all things data protection. What does that really leave for the member states? I’d say next to nothing.