German DPAs propose GDPR amendments

German Federal and State Data Protection Supervisory Authorities announced this week that while the GDPR has largely proved a success, some uncertainty remains and there are shortcomings when it comes to implementation. Some authorities are unduly burdened by the number of complaints and data breach notifications, and are therefore unable to concentrate on compliance checks.

In their Report, Experience Gained in the Implementation of the GDPR, agreed in November, Germany’s federal and state DPAs propose several changes to the GDPR in order to tighten the legal framework, and make it easier to apply.

There should be changes to the GDPR in relation to direct marketing, they say. The DPAs also call for clarifications on profiling. In addition, they point out that Data Protection by Design and Default has not really taken off. They propose adding the concept of ‘producer’ to make producers of hardware and software subject to the GDPR when developing new products.

Other issues mentioned include DPA sanctioning practice, notification of data breaches, and purpose limitation. The EU is due to finish its 2-year review of the GDPR by 25 May 2020.

Privacy Laws & Business has organised a one-day conference on German data protection developments, and interpretation of the law: Germany’s Data Protection Law: Trends, Opportunities & Conflicts, on 11 March in London.

See the German DPAs’ report published in German and English. The report includes a declaration on Artificial Intelligence.