New Employee Data Protection Provisions - Again?
When reforming the Federal Data Protection Act (hereinafter referred to as the "FDPA") last year, the legislature inserted a new section 32 for the protection of employee data. However, it was already apparent at the time the law was enacted that it could only be an intermediate step.
There was in fact disagreement during the legislative process as to whether there should be a complete reform of employee data protection and, if so, what its details should be. The Grand Coalition was not able to reach any (further) agreement in this area and thus had to make do with a stopgap measure until a long-term solution could be found. A few weeks before the 2009 federal election, the then Federal Minister of Labor, Mr. Olaf Scholz, did in fact submit a draft employee data protection bill; it was, however, already evident at this time that it would not be possible to enact the bill prior to the federal election.
The insertion of the new section 32 in the FDPA had already resulted in several problems of interpretation, which we will not pursue here in detail. Indicative of the "quality" of the new section 32 of the FDPA is that there may be scope for interpreting it to mean that an employer cannot greet an employee by saying "Hello, how are you?". This is because data protection is no longer limited to the processing of electronic information and, in addition, an employer is not entitled to know his employee's state of health because this knowledge is not necessary for the carrying out of an employment contract.
The current Federal Government is obviously anxious to completely reform employee data protection law. On 31 March 2010, the Federal Minister of the Interior, Dr. Thomas de Maizière, presented the key points of his plans for employee data protection. Since then the first draft of a new bill has been circulated. The FDPA alone is to have 15 new sections. The provisions will involve fundamental changes, such as the exception provided for in § 32 n, whereby an employee's consent to the processing of his data will only make processing lawful if the FDPA makes express provision for this. This amounts to a reversal of the principle in section 4 of the FDPA according to which the data subject's consent to the processing of his data can always make such processing permissible. In addition, there are a large number of provisions relating to completely new areas, such as the regulation of data acquisition using positioning systems, video monitoring, the collection of data during the recruitment procedure, the conduct of health checks, Internet use in the workplace and the use of data in the detection of crimes. Nonetheless, the latest draft leaves questions unanswered for which it would have been nice to (at last) have an answer. These include, for example, the question of an employer's authority to monitor his employees' use of the Internet when he has given them permission to use the Internet at work for private purposes. On this topic the draft bill makes a brief reference to the applicable provisions.
Legislative proceedings are still in their infancy, so it is almost impossible to foretell what form the Act will ultimately take. If, however, it retains its large number of new provisions, we can predict with a degree of certainty that compliance on the part of businesses will entail a considerable amount of time and money.