German Printed paper 17/11325

17th electoral term 06. 11. 2012

Motion tabled by the Members of the Bundestag Dr Günter Krings, Dr Hans-Peter Uhl, , , Michael Grosse-Brömer, Günter Baumann, , , , , , Dr Franz-Josef Jung, Günter Lach, Stefan Müller, Ar- min Schuster, , , and the CDU/CSU parliamentary group and the Members of the Bunestag Gisela Piltz, Dr , Hartfrid Wolff, Manuel Höferlin, , Serkan Tören, , Sebastian Blumenthal, , Rainer Brüderle and the FDP parliamentary group on the proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with re- gard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) COM(2012) 11 final; Council document 5853/12 here: Position of the German Bundestag pursuant to Article 23 (3), first sentence of the German Basic Law

The Bundestag is requested to adopt the following motion:

I. The German Bundestag notes:

The German Bundestag welcomes the European Commission’s goal of compre- hensive reform of European data protection legislation. The regulation proposed on 25 January 2012 on the protection of individuals with regard to the pro- cessing of personal data and on the free movement of such data (“General Data Protection Regulation”, COM(2012) 11 final) aims to further harmonise data protection law in the European Union.

The current Data Protection Directive 95/46/EC has been implemented differ- ently by the different Member States with the result that to date no uniform level of protection inside the European Union has been achieved. In addition to this, the way the directive has been interpreted and enforced by the Member State’s data protection watchdogs has not been uniform either. The lack of har- monisation in the (non-public) sphere of the economy results in distortions to competition in the internal market and allows enterprises to deliberately select their location according to the most favourable regulations and enforcement environment (forum shopping). Greater harmonisation in the non-public sector Printed paper 17/... - 2 - German Bundestag – 17th electoral term would therefore not only lead to greater clarity and fairer competition at the European level, it is also a precondition for European data protection standards being more able to assert themselves in competition with providers from third countries. The German Bundestag underscores that German data protection legislation alone will not be able to provide effective protection against compa- nies acting out of third countries and welcomes the proposal’s applicability towards providers in third countries. It also welcomes the fact that the legal instrument of a regulation has been chosen for the field of private individuals.

The data protection stipulations in force since the 1995 Directive 95/46/EC do not provide a sufficient response to many of the questions arising in today’s digital age. The technological progress made over the past decade in virtually all areas of everyday life gives rise to a special need for change. In particular, the widespread use of the Internet calls for current data protection law to be adapted. The proposed General Data Protection Regulation must therefore also be judged on the basis of to what extent it achieves this without impeding the innovative potential of the Internet. It must set boundaries and at the same time preserve the opportunities of networked societies in the information age. Safe- guarding the rights and freedoms of individuals on the Internet and in the “tradi- tional” areas of communication requires differentiated data protection rules. Legitimate business models must not lose their foundation in data protection law.

The EU General Data Protection Regulation proposed by the European Com- mission does not, however, apply only to online data protection. It is of primor- dial importance, therefore, to ensure that this does not lead to unsuitable stand- ards being imposed on traditional non-digital business and industry. When shap- ing new EU data protection law, it must be ensured that balanced regulations be established which can be implemented in practice online and offline alike.

The German Bundestag also emphasises that the draft put forward by the Euro- pean Commission still gives rise to many questions, in particular on undefined legal terms, and to a considerable need for discussions of a fundamental nature. It hopes for a broad and careful public debate.

II. The German Bundestag adopts the following position on the proposals pur- suant to § 9 Act on Cooperation between the Federal Government and the Ger- man Bundestag in Matters concerning the European Union (EUZBBG):

The German Bundestag calls on the Federal Government

1. to advocate and work towards creating modern data protection legisla- tion at European level which provides effective protection for the rights and freedoms of the individuals concerned in all forms of com- munication, taking into account the legitimate concerns of all stake- holders and guaranteeing a high level of protection,

2. to endeavour to ensure there is a clear distinction between data pro- cessing in the public sphere on the one hand and in the non-public sphere on the other which takes the different foundations in constitu- tional law duly into account, according to which the state is the duty bearer of fundamental rights whilst citizens are the holders of funda- mental rights, Printed paper 17/... - 3 - German Bundestag – 17th electoral term

3. through greater harmonisation to aspire to a competitively level play- ing field for the non-public sphere in Europe which is technologically and sectorally neutral,

4. to advocate and work towards standardised data protection law which boosts the competitiveness of European enterprises by reducing red tape and ensuring the right balance is struck between individuals’ in- terest in protection and bureaucracy especially for less risky data pro- cessing, in particular for smaller and medium-sized enterprises,

5. in the public sphere in particular, to endeavour to ensure that national regulatory freedom is preserved so as to be able to maintain or adopt national regulations in the field of sector-specific data protection,

6. to advocate and work towards rules which duly take into account the relationship between the fundamental right to informational self- determination and potentially conflicting fundamental rights such as freedom of opinion, freedom of information, the freedom of the press, entrepreneurial freedom or freedom of research and the right to prop- erty,

7. to make it clear in the negotiations that the current regulations on data processing in the interest of third parties will be preserved in accord- ance with the tried and tested data protection legislation in ,

8. taking into account the great importance of the voluntary nature of prior consent, to ensure rules on consent and objection are tailored to the field of practice and at the same time to also take into account the fact that even in the event of an imbalance between contractual par- ties, effective consent is not automatically ruled out,

9. to endeavour to ensure that the current principle of non-conditionality remains in place in national law,

10. to continue to bear in mind protection when particularly sensitive data is being processed, for instance in the health and social field and to endeavour to ensure that the high level of protection in Germany not be compromised.

11. to advocate and work towards company agreements and collective bargaining agreements within individual sectors counting as grounds for data processing in addition to the consent and statutory authorisa- tion standards provided for to date,

12. to work towards the inclusion of a comprehensive regulation on cor- porate group data protection and, whilst maintaining a high level of data protection, to also take into account the internal transfer of data within a company or group in and out of third countries for interna- tional companies, Printed paper 17/... - 4 - German Bundestag – 17th electoral term

13. to work towards the European Commission’s competencies relating to the adoption of delegated acts and implementation restrictions being significantly reduced and ensuring especially that they satisfy the stip- ulations of Article 290, (1), clause 2 of the TFEU (the principle of es- sential elements) and that the use of undefined legal terms be avoided as far as possible,

14. to advocate a procedure geared towards uniform enforcement in the European Union whilst, however, also being practicable and not bur- dening supervisory authorities with excessive bureaucracy, and which does not leave the interpretation of the legislative act solely up to the European Commission but instead maintains the independence of the data protection authorities,

15. to advocate and work towards the concept of having one single con- tact, which we welcome, being implemented in a practicable way and at the same time ensuring legal protection in the interests of citizens,

16. to work towards the inclusion of stipulations on designing data pro- cessing systems and processes to use a minimum of data and other mechanisms, in particular technical data protection such as anonymisation, pseudonymisation, personal and system data protec- tion and at the same time it being possible to apply both established and new standardisation and certification procedures,

17. to advocate and work towards developing appropriate self-regulation instruments, data protection impact assessments and certification pro- cedures which are key to modern data protection and which are men- tioned in the EU General Data Protection Regulation,

18. to advocate and work towards rules which distinguish appropriately between forms of data processing which pose greater and lesser threats to the individual rights and freedoms of those concerned, for instance by making explicit consent or a legal basis the prerequisite for compiling extensive personality profiles,

19. to advocate and work towards rules geared towards a fair balance of interests between consumer interests and competition interests and to design the right to data portability in a way that takes the legitimate interest in preserving company and trade secrets duly into account whilst at the same time not impeding innovation,

20. to advocate rules which are practicable and represent a real improve- ment compared to the current entitlement to have data deleted which already exists in national law,

21. to oppose proposals through which the tried and tested German system of data protection officers in enterprises and administration would be endangered, in particular raising the threshold as of which there is an obligation to appoint a company data protection officer in enterprises from currently ten to 250 employees, Printed paper 17/... - 5 - German Bundestag – 17th electoral term

22. to work towards an amendment to the proposed regulation so as to maintain the tried and tested system of company self-regulation with the company data protection officer conducting prior checks for risky data processing,

23. to advocate and work towards scoring being taken into account in the General Data Protection Regulation, so that both the principle of di- rect data collation and the consumer interest in information, compre- hensibility and protection against undue disadvantage as well as the economic interest in this procedure are given due consideration,

24. to oppose the introduction of representative legal action for data pro- tection authorities and associations,

25. to advocate and work towards ensuring the European Union institu- tions are treated in the same way as the national public institutions, so that different legal standards do not apply to national and European institutions,

26. to advocate and work towards an appropriate entry-into-force and transition regulation which gives all stakeholders sufficient time and legal certainty.

Berlin, 6 November 2012

Volker Kauder, Gerda Hasselfeldt and the CDU/CSU parliamentary group Rainer Brüderle and the FDP parliamentary group