German government's draft scoring regulation violates European law, says Passau-based legal expert
Meinhard Schröder, Professor of Public Law, European Law and IT Law at the University of Passau, was one of the experts heard by the Bundestag's Committee on Internal Affairs on the revision of the German Federal Data Protection Act.
With the revision of the Federal Data Protection Act, the German government intends, among other things, to strengthen the rights of consumers vis-à-vis credit credit information agencies such as the German Schufa. According to the draft, companies will no longer be allowed to use data such as home address, name or personal data from social networks for scoring reports in order to assess the customers’ willingness and ability to pay.
Professor Meinhard Schröder of the University of Passau, who took part in the public hearing of the Bundestag's Committee on Internal Affairs on 24 June via video, addressed the new scoring regulations in his assessment of the draft bill. The holder of the Chair of Public Law, European Law and IT Law explained that, in principle, the draft law was to be welcomed, as an update to a law that was enacted before the European General Data Protection Regulation (GDPR) entered into force. However, according to Schröder, the new regulation is also problematic and, at least in part, does not comply with European law.
Professor Schröder questions the general restrictions on the use of certain data. Whether these are 'appropriate' in the meaning of the regulation seems doubtful. For example, the blanket exclusion of data from social networks seems inappropriate to him at first glance. "If personal data is publicly accessible, it does not deserve more protection than personal data which can be found anywhere else on the 'open internet'," the IT law expert writes in his statement. Moreover, the new wording goes beyond the scope of the EU’s GDPR. "A different wording should be chosen here, which only uses the leeway of the opening clauses and does not try to regulate scoring in general," he states.
Data protection conference: lack of legislative power
The legal expert also criticised the planned institutionalisation of the existing Data Protection Conference (Datenschutzkonferenz, DSK), which is to be enshrined in the Federal Data Protection Act as part of the draft. This is a body of independent German federal and state data protection authorities. Professor Schröder's assessment: "The Federal Government does not have the competence to institutionalise the Data Protection Conference in the planned form".
Professor Schröder was one of ten experts consulted by the Committee on Internal Affairs, chaired by Petra Pau (Left Party, Die Linke), on the draft amendment to the Federal Data Protection Act. The experts agreed on the need for a new regulation. However, scoring reports and the institutionalisation of the DSK were a matter of debate also in other statements.
In February, the Federal Cabinet adopted a bill to amend the Federal Data Protection Act (BDSG), which is currently being discussed by the Committee on Internal Affairs of the Bundestag. One of the reasons for the reform is a ruling by the European Court of Justice (ECJ) on Schufa scoring. The Court ruled that the creditworthiness of consumers may only be checked within narrow limits.
Wissenschaftlicher Ansprechpartner:
Professor Meinhard Schröder
Chair of Public Law, European Law and IT Law
Innstr. 39, 94032 Passau
E-Mail: Meinhard.Schroeder@uni-passau.de
Originalpublikation:
https://www.bundestag.de/resource/blob/1009440/a519887637b438c826a10f10a21db4ce/20-4-450-D.pdf
Weitere Informationen:
https://www.bundestag.de/ausschuesse/a04_inneres/anhoerungen/1008504-1008504 Live recording of the hearing in the Bundestag's Committee on Internal Affairs (in German)