On April 25, the Hamburg administrative court upheld the September 2016 order by Hamburg DPA Johannes Caspar that Facebook stop sharing the data of German WhatsApp users with Facebook, agreeing with him that consent of the 35 million users for such transfers had not been obtained. While Facebook indicated it would appeal, it has for some time suspended such transfers of WhatsApp user data across Europe.
On April 27, the German Parliament passed a new Data Protection Act, designed to align current German data protection laws with the requirements of the GDPR and replace the current Federal Data Protection Act. Taking advantage of the GDPR’s opening clauses to exercise national discretion in certain areas, the Act contains provisions on such matters as the rights of data subjects, data protection officers, data processing in the employment context, and exceptions for processing special categories of personal data. The Act was passed in spite of considerable criticism, with the European Commission expressing dissatisfaction with it as late as one week prior to its passage. According to the Commission, the opening clauses were not intended to be used in this manner, and doing so undermines the harmonization goals of the GDPR. For example, while the GDPR sets significant penalties for non-compliance by companies, the Act creates rules allowing for the sanctioning of individuals, leading to potential liability for managers, employees and data protection officers, including the possibility of prison terms of up to three years.