21 March 2025

Germany's Data Protection Strategy Faces Legislative Hurdles

Implementation of NIS-2 requirements and GDPR presents challenges in promoting innovation.

The transposition of the NIS-2 requirements (the EU's second Network and Information Security Directive) into German law has stalled. As reported in a recent article, the government draft of the law on the Federal Office for Information Security and the IT security of institutions (BSI Act, BSIG), dated 2 October 2024, was never passed. Because the draft lapsed with the end of the legislative period, the process must be restarted from the beginning after the recent federal election.

The NIS-2 directive itself sets out clear and detailed requirements; the German law-making process, however, is bogged down despite extensive consultation with stakeholders. The government draft (BSIG-RegE) had progressed well, but the early election halted it. The expectation is that the core obligations will remain unchanged once the legislative process resumes, so affected organisations can already plan against the draft.

The article highlights the parallels and differences between the BSIG-RegE and the General Data Protection Regulation (GDPR). Both frameworks require technical and organisational security measures: sections 30 and 31 of the BSIG-RegE on the one hand, Article 32 GDPR on the other. Both also impose reporting duties when those measures fail: section 32 of the BSIG-RegE requires significant security incidents to be reported, while Articles 33 and 34 GDPR govern the notification of personal data breaches to the supervisory authority and to data subjects.

Not all provisions line up, however. The BSIG-RegE introduces a registration obligation under section 33 that has no counterpart in the GDPR. Likewise, the duty of the management board to approve and monitor the risk-management measures and to attend regular training (section 38 of the BSIG-RegE) is unknown to the GDPR. Both obligations stem from the NIS-2 directive itself, so the difference is between the cyber-security regime and the data-protection regime rather than a German peculiarity.

Beyond the NIS-2 discussion, the broader state of data protection in Germany is a pressing issue. As a second, widely discussed piece outlines, Germany's restrictive data protection strategy stands in stark contrast to the EU's push for innovation through the European Health Data Space (EHDS). The same piece details how almost every German law touching health data contains its own data protection provisions, adding further layers of complexity to the legal landscape.

In Germany, cloud service providers processing health data must now demonstrate compliance with a C5 attestation (the BSI's Cloud Computing Compliance Criteria Catalogue) or an equivalent security standard under section 393 of Book V of the Social Code (SGB V). Digital health applications (DiGA) additionally face strict hosting requirements that confine health data storage to the EU/EEA; transfers to third countries are permitted only under narrow conditions.

Furthermore, hospitals in Berlin are bound by section 24 of the State Hospital Act (Landeskrankenhausgesetz, LKG Berlin), which confines the processing of patient data to the hospital itself or to cooperation agreements with other hospitals; the engagement of external service providers must be notified to the responsible Senate Department. The GDPR, by contrast, allows considerably more flexibility, including transfers to third countries on the basis of standard contractual clauses, underscoring the gap between German and EU data handling rules.

While France, the Netherlands and Denmark are pressing ahead with digital innovation, using national health data spaces and AI-assisted diagnostics, Germany is still debating the basic legal framework for digital patient records and telemedicine. The German emphasis on strict data protection can therefore be seen as a barrier to innovation at a time when other European countries are actively promoting technology in healthcare.

In a related matter, the Swiss Federal Data Protection and Information Commissioner (FDPIC, German abbreviation EDÖB) has concluded a preliminary investigation into the use of personal data on the X platform for training the AI model Grok. Reports emerged last year that the platform was using users' data for this purpose without their consent. The FDPIC has confirmed that users retain the right to object to the use of their public posts for AI training.

According to the FDPIC, Twitter International Unlimited Company (TIUC) provided detailed information on how public posts are processed to train machine-learning and AI models, including generative models. Since 16 July 2024, users have been able to opt out of this use through their privacy settings, which the FDPIC regards as satisfying the legal requirements.

In conclusion, the challenges in the data protection landscape, whether arising from the NIS-2 directive and its BSIG transposition, from tensions with the GDPR, or from the divergence between national and EU standards, point to an ongoing debate about regulation versus innovation. As Germany wrestles with its stringent data policies, the need to balance security with technological progress in healthcare and other sectors is becoming ever more pressing.