Data protection: Activity reports show concerns about AI surveillance methods

The state data protection commissioners of North Rhine-Westphalia and Berlin spoke out against increasing surveillance practices in their activity reports.

A network with data points. A finger of a hand points to a data point.

(Image: Sergey Nivens/Shutterstock.com)


The state data protection commissioners of North Rhine-Westphalia and Berlin have presented their latest activity reports. Both reports highlight the growing challenges posed by artificial intelligence and video surveillance. “Too often I hear that data protection is a hindrance or is taken too seriously. However, people want their data to be protected, and their concerns must also be taken seriously politically,” says Bettina Gayk, State Commissioner for Data Protection and Freedom of Information in NRW (LDI NRW). Data protection is not a stumbling block, but a central concern of the people.

Another new trend in the call center industry is the use of AI-supported emotion analysis, which analyzes the melody, intensity, rhythm, and sound of customers' and agents' voices in real time. Gayk has examined such a system at an online marketing company and considers its use to be a massive and unjustified intrusion into the personal rights of those affected. “The AI-supported evaluation of voice for emotion recognition poses a high risk to the rights and freedoms of the data subjects, as it allows extensive insights into their personality”, the report (PDF) states. The voice data was processed without a legal basis, there was no consent from the data subjects, and a mandatory data protection impact assessment was not carried out. The LDI NRW considers the use of such systems to be a serious infringement of personal rights.

In addition, topics such as AI, video surveillance and the use of data for advertising purposes dominated the inquiries to the data protection authorities. Cases such as smart smoke alarms with a climate monitoring function in Vonovia apartments also caused uncertainty. In the future, the function may not be activated without tenants' consent. In another case, an online weather company had passed on its users' location data to third parties without effective consent, which was also prohibited. The LDI also examined insurance companies that had exchanged sensitive health data with each other by email without permission.


Gayk was critical of political plans to centralize data protection supervision. She sees this as a step backwards that would lead neither to a reduction in bureaucracy nor to cost savings. The proximity of state supervision to small and medium-sized enterprises – which make up 99 percent of the economy – is a successful model. A switch to federal supervision would make consulting more difficult and destroy established structures. The high number of 12,490 submissions last year underlines the importance of local supervision. “Considering these figures, which affect NRW alone, entire departments would have to be rebuilt at the Federal Data Protection Commissioner. At the same time, established structures at state level would be dismantled. Nobody can seriously want that,” criticized Gayk.

Gayk also warns against the “dismantling of data protection in favor of new security laws that are being discussed at the federal level and in NRW”. She describes the ideas of using AI for facial recognition and the access of the Office for the Protection of the Constitution to private video surveillance systems, which has been brought into play in NRW, as worrying. “Every day, millions of people are impacted by private video surveillance, such as on public transport or at petrol stations, who have given no reason for the security authorities to take action. If, in the future, these people have to suspect that the Office for the Protection of the Constitution is behind every private camera, this is an unjustified massive encroachment on civil liberties.”

The LDI NRW also wants to check whether the public prosecutor's offices are working in compliance with data protection regulations, for example whether they are processing personal data lawfully. According to Gayk, however, the Ministry of Justice is blocking this check and questioning whether the LDI NRW is authorized to carry it out. Gayk sees this as an inadmissible restriction of its independence and a disregard for its statutory supervisory powers. In the area of freedom of information, according to Gayk, there is a lack of “recognizable development of the NRW Freedom of Information Act towards a genuine transparency law”, which could strengthen trust in the state and democracy. “The state government should actually be interested in a proactive and transparent information policy from its administration,” Gayk points out.

The activity report by Meike Kamp, the Berlin Commissioner for Data Protection and Freedom of Information (BlnBDI), also focuses on issues relating to AI, video surveillance and biometric facial recognition. Kamp is particularly critical of the use of facial recognition systems by the Berlin public prosecutor's office: the legal basis is inadequate and there has been no data protection impact assessment. She warns of massive encroachments on fundamental rights, as biometric characteristics are unchangeable and many uninvolved persons are affected.

“The use of facial recognition systems by law enforcement agencies interferes heavily with the fundamental right to informational self-determination. Biometric features are unchangeable. People cannot simply remove their face,” says Kamp. As soon as their characteristics are recorded and identified, “the areas in which they can move around anonymously and without leaving a trace disappear”. Many unsuspicious people are impacted by the use of such systems. “The existing legal regulations do not provide a sufficient basis for this,” explains Kamp.

Many fine proceedings again concerned police officers who “accessed personal data of third parties from internal police databases for non-official purposes and in some cases also used it further”. Video surveillance at the Kottbusser Tor police station was also classified as disproportionate and without a sufficient legal basis. The police had to examine milder alternatives to protect the basic rights of passers-by and people seeking help. Kamp is also in favor of more transparency: “Often, the people concerned are either not informed at all or not sufficiently informed about the processing of their data in AI systems”.

The BlnBDI report also shows that companies used personal data for AI training without providing sufficient information to the data subjects. One company used all customer communication for AI training without informing customers. Another company, a photo platform, offered personal images uploaded to the internet for AI training in return for payment without informing the data subjects. Kamp has announced increased scrutiny, particularly regarding transparency and the risk of discrimination due to distorted data. AI is also to be used in compliance with data protection regulations in the Berlin administration; the data protection officer is supporting these processes in an advisory capacity.

Kamp also reports cases in which the services of address traders were used and unauthorized advertising was sent out as a result. One regional association sent an election advertising booklet to an affected person without their prior consent. The regional association used address data with the characteristics “performer”, “conservative-established” or “liberal-intellectual”. For example, 130,000 address records were used by a lettershop (a company that offers, among other things, mass mailing services), “which then sent the advertising material provided by the advertising company to the addresses provided by the address dealer as part of order processing”. In a similar case, a company had sent out advertising for a cultural event and also used the services of an address dealer. Addresses with the attributes “resident in Berlin” or “resident in Brandenburg” and “purchasing power well above average” or “purchasing power above average” were selected and sent to a lettershop.

Doctolib, a company known for its booking portal for medical appointments, has been listed in the BlnBDI's activity reports since 2019. This was also due to previous uncertainties as to which data protection authority is responsible for the French company, which has a subsidiary based in Berlin. It is also relevant who decides on the “means and purposes of certain data processing”.

Following contradictory information on responsibility in the privacy policy and the statements made by the German subsidiary to the supervisory authorities, the BlnBDI clarifies that the French data protection supervisory authority (Commission Nationale de l'Informatique et des Libertés – CNIL) is generally responsible for sanctions against Doctolib. In this context, the BlnBDI also points out that companies must provide “accurate information about the data controller”.

For complaints procedures against Doctolib “concerning cross-border data processing for which the parent company is responsible”, the two supervisory authorities work together, although the CNIL decides. It then submits a draft decision to the BlnBDI, for which the BlnBDI draws up an opinion that is to be “duly considered”.

As in many other federal states, the number of complaints and data breaches reached record levels. In NRW, 7,539 complaints were received and there were 2,170 data breaches. In Berlin, there were 6,063 complaints and 1,262 reported data breaches. In total, Kamp issued fines amounting to 80,190 euros. Security gaps in practice management software alone led to a fine of 60,000 euros. The security vulnerabilities allowed registered patients to “access extensive data of other patients”. Another software error also meant that unauthorized third parties were able to view medical documents “that were transmitted from the medical practices to the patients”.

(mack)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.