BfDI: Take digital sovereignty seriously and uphold European values
The Federal Data Protection Commissioner reiterates her demands for more powers and hopes that European values "will not be trampled underfoot".
The Federal Commissioner for Data Protection and Freedom of Information (BfDI), Prof. Louisa Specht-Riemenschneider, is committed to involving the data protection authority in legislative procedures at an early stage. She sees data protection as a locational advantage for Germany and emphasized, among other things, that data protection not only protects the "right to informational self-determination", but is also "the basis for the exercise of many other fundamental rights".
She said this in a keynote speech at the 26th Data Protection Congress in Berlin, in which she spoke about the key topics of health, AI and security that were defined when she took office. The BfDI also addressed the launch of the electronic patient file (ePA), which was accompanied by the disclosure of various security vulnerabilities. After security researchers demonstrated security vulnerabilities that had been known for some time at the 38th Chaos Computer Club at the end of 2024, the nationwide introduction of the opt-out ePA was delayed, but "significant improvements for data protection and data security" were subsequently achieved. To regain the public's trust, it is important to quickly rectify any shortcomings that arise. In this context, Specht-Riemenschneider recently called for both the BfDI and the Federal Office for Information Security to regain the right of veto.
In the field of artificial intelligence, the BfDI shares the view of the European Data Protection Board: at the end of 2024, the EDPB clarified that the training of AI models with personal data is possible based on "legitimate interest", provided that a careful balancing of interests has been carried out beforehand. The first companies such as Doctolib and Ebay are therefore already using personal data for AI training. However, this practice is controversial under data protection law and is viewed critically by data protection experts, as it is unclear whether the requirements of the GDPR are actually met.
"Should the EU legislator actually decide to open up the GDPR, the introduction of tangible criteria under which AI training with personal data is permissible would be a good idea," said Specht-Riemenschneider, who then mentioned proposals such as a separate AI data protection regulation.
AI supervision should lie with data protection authorities
According to Specht-Riemenschneider, clear legal criteria are required for the handling of personal data. She is against an "absolute infection thesis" for AI models, according to which unlawful AI training would automatically make the subsequent use of the AI model unlawful. "If the probability of later use can be reduced to such an extent that the personal reference can be practically excluded and the AI model is therefore anonymous, the unlawful training no longer has any consequences for later use. Until this point, however, the system would have to be sealed off," demands the BfDI. It is also important that AI supervision is in the hands of the data protection authorities. The "traffic light" (Ampel) coalition government had wanted to assign this task to the Federal Network Agency.
Balance between protection and freedom
The BfDI also sees major challenges in the area of security. "The price for our security must never be our freedom," said Specht-Riemenschneider. She advocates "a homogeneous IT landscape, as we are pursuing with the P20 project" and strong, independent supervision by her authority in order to guarantee both the security of the population and the rights to freedom. Otherwise, the potential risk of false suspicion would increase with every piece of data collected and every automated analysis.
BfDI wants to continue supervising the federal police and intelligence services
Another point of contention is currently the responsibility for the data protection supervision of intelligence services, particularly regarding the regularly sought extended security powers. With the constitutionally required "supervision of the federal police and federal intelligence services", the BfDI has "the full overview". It therefore considers it wrong "to concentrate official intelligence service supervision on another authority, also with regard to data protection control". Instead, it is calling for a legal basis for a better exchange with the other supervisory authorities.
When presenting its annual report, the BfDI made no secret of the fact that it was concerned about the wording of the coalition agreement. Independent monitoring is particularly important considering further planned powers of investigation in the digital space. In the past, there have been repeated disputes about the control of intelligence services, for example because the Federal Intelligence Service has refused to allow access to documents.
Promoting acceptance for data protection
In all projects, the BfDI relies on consultation and dialog with all stakeholders to promote data protection-compliant action and strengthen acceptance of data protection. A forward-looking approach, recommendations for action and projects such as the "Regulab" AI real-world laboratory set up this year should help to ensure that "AI systems can be tested under our active supervision and then released into the real world in compliance with data protection regulations".
She also called for greater public awareness of data protection, as up to now, only the topics of "cookie banners" and "endless data protection declarations" have stuck. She also raised the question of whether authorities can still fulfill their information mandate if they stay out of social networks. A presence there is also possible in compliance with data protection regulations.
Upholding European values
She also calls for digital sovereignty to be taken seriously and for an open, honest approach to the weaknesses of data protection law in order to develop it further. New consultation formats have already been established to involve companies and society more closely. Specht-Riemenschneider would like to see more constructive communication about data protection and advocates incentives for companies that comply with data protection.
Data protection should become a locational advantage in another digital economic order, "which, unlike that of the USA and China, relies neither on complete surveillance nor solely on commercialization", Specht-Riemenschneider said. The BfDI would therefore like the new ministers to "clearly specify a digital policy direction that is in line with the times and – a digital minister who will lead us into a digital future in which our European values have a place and in which they are not trampled underfoot".
(mack)