Missing Link: How German authorities look the other way in data protection
While data protection is becoming increasingly important, the responsible authorities are increasingly distancing themselves from their supervisory role, says Falk Steiner.
It's a paradox: with advancing digitalization, artificial intelligence and cyber warfare, data protection and data security are becoming increasingly important, yet the very people who are officially responsible for the latter are becoming increasingly quiet.
When was the last time you heard from the data protection officers? Heise reports don't count, but even among these there are now numerous peculiar examples. For example, the fact that the European Data Protection Supervisor Wojciech Wiewiórowski no longer has any legal objections to the European Commission's use of Office 365. An issue on which the German data protection supervisory authorities have not been able to find a solution for five years – and neither has the provider Microsoft.
The Chaos Computer Club (CCC) environment plays a far more important role in the debate on electronic patient records, while the Federal Office for Information Security (BSI) is largely on its own when it comes to digital identities. How can it be that in the age of applied artificial intelligence and thus the evaluation and linking of large amounts of data, data protection officers are conspicuously quiet? Shouldn't they currently have more to do and be more present than ever before?
Data protection would actually be more and more relevant
Data protection has long since gone from being a theoretical discussion about potential power, as in the census ruling, to a very practical issue that plays a role everywhere. There are more networked devices than ever before. And there are more sensors in them, lots of software that taps into data. There is hardly any reason for companies and organizations not to use it.
Modern cars, for example, are full of sensors, including cameras. And where does this data go, how is it processed, by whom and what happens to it? A topic that is extremely relevant to everyday life. And a large number of car manufacturers – or their European headquarters – are also based in Germany, meaning that German supervisory authorities are responsible.
However, there is regularly no sign of critical oversight. Even when other countries around the world take up the issue of potential snooping cars that film Erna and Dieter in the garden, at crosswalks and when they pee in the wild, and whose sensors would be a treasure trove for the police, we hear virtually nothing from German supervisory authorities.
Lower Saxony's commissioner announces that she is in close consultation with Volkswagen and other supervisory authorities. But actual action? Only in the rarest of cases does anything happen.
Talking is like supervision, only cheaper
This is also due to the data protection supervisory authorities. They have been given more staff over the years. But it cannot be seriously reported that they have actually sharpened their teeth and bitten down hard. So who could blame companies or authorities for not doing anything substantial in the knowledge that the supervisory authorities may grumble, but in the end they usually shy away from a tougher approach?
Talk is cheap, as they say in politics. And regulatory action is expensive: it would involve paperwork, time and possibly losing court cases.
Of course, it's easy to argue about the extent to which Germany's data protection discussions have become somewhat artificial. After all, there is no country on this planet with more legal journals in which even the most outlandish and interest-driven interpretations of data protection law are broadly rolled out and then presented in the discourse as published and therefore absolutely serious arguments. Anyone who talks to lawyers in the field will quickly get a feel for how many of the debates are primarily there to drag out proceedings of all kinds and avoid legal clarity.
But it is one of the wondrous German traits to believe that Germany would be strangled in the digital space by particularly strict supervisory authorities that unsettle those involved. Somehow, this narrative still seems to be catching on.
Yet there are some truly astonishing cases: The Hessian Data Protection Commissioner, for example, was sued because he believed that he did not have to investigate citizens' complaints vigorously. And was proved right by the ECJ: that was indeed the legal position.
An absurd case: citizens demand that supervisory authorities take tougher action against infringements – and they don't want to have to. Data protection supervisory authorities are now also being sued in other cases for doing too little.
Politicians are mainly to blame
This situation is only partly the fault of the responsible authorities, which are often rather brittle and not exactly known as a career springboard for civil servants. The majority of the misery is politically motivated – and the conviction that data protection would stand in the way of digitalization has long since prevailed, even among large sections of the Green Party.
One reason why, for example, the Green-Black state government in Baden-Württemberg, even before the Black-Green coalition in Hesse, has no objections to IP data retention or Palantir's analysis software being used by the state police. And the FDP? They have also had their problems with this in parts for a long time. However, with their withdrawal from federal politics, their significance is currently negligible. However, it too has recently been indulging in a narrative that has been cultivated by everyone from the CSU to the Greens: A completely different approach is needed to bring digitalization and data protection together.
Instead of tough regulatory supervision that punishes misconduct, a wimpy advisory mandate should be fulfilled and only the very, very unteachable are to be really cracked down on, according to this narrative. But perhaps only if this does not harm the economy. After all, everything is terribly complicated, from data protection to the AI Regulation and the Data and Data Governance Act through to the Digital Services Act, regulations interlock and sometimes bypass each other, regulate similar issues and allow and prohibit completely different things.
And when politicians create such complicated networks, what could be more obvious than, you guessed it, weakening their application retrospectively? By turning a supervisor with a control function into a playground supervisor who helps children to comply with the rules in an educationally valuable way and only imposes sanctions in exceptional cases?
Independent, but not too critical, please
For years, politicians have been telling companies, authorities and organizations that they are too stupid to understand and comply with rules, after years of complaining about the oh-so-great complexity. This is not a phenomenon unique to data protection, but it is particularly noticeable here: since data protection has come under greater political pressure and has been declared the scapegoat for the fact that politicians, authorities and companies have simply not tackled digitalization or have tackled it incorrectly in many areas, they have been acting with increasing caution.
Partly because representatives of a tougher line among the data protection officers have recently been dismissed several times by politicians or the positions have simply not been filled for months or years, today's data protection supervisory authorities are largely staffed as administrative supervisors – the formal independence prescribed by the General Data Protection Regulation is quickly coming to an end.
One possibility: shifting responsibilities. This has been looming for quite some time in the case of data protection supervision of intelligence services, for example: No matter how friendly the data protection officers are with the services, no matter how little they actually monitor or object, former Chancellery Minister Wolfgang Schmidt (SPD) preferred to outsource the supervisory authority to another body, the Independent Control Council, which also monitors intelligence service work in other ways.
The fact that the respective data protection supervisory authorities come into play at the latest when the Federal Intelligence Service, the Federal Office for the Protection of the Constitution and the Military Counter-Intelligence Service interact with the Federal Office for Migration and Refugees, the State Offices for the Protection of the Constitution or the Federal Criminal Police Office is a moot point in the political debate. After all, it would be a matter of "trimming" data protection.
A similar political signal: in the case of government projects, laws are reduced from "consent" to "consultation". In other words, instead of the data protection supervisory authority having to give the green light, it is enough that it has put its concerns on record. The signal in other words: Data protection officers are annoying and they should stop, regardless of whether it's data retention, health data or the use of AI for video surveillance by the police or in other contexts.
Not only data protection authorities under fire
In the end, data protectionists are not alone. Exactly the same fate is currently looming in other areas: Because the AI Regulation is complicated, the competent authority is supposed to be much less sanctioning than protective. And because this also applies to cybersecurity, the BSI should of course also reach out under the NIS2 Directive before any intervention in order to support German companies that are struggling to comply with the regulations. The President of the Federal Network Agency has publicly emphasized many times how important the advisory function is in the German implementation of the AI Regulation. As if supervisory authorities were consulting firms.
Digital policy is power politics, according to the coalition agreement between the CDU, CSU and SPD. And this is exactly what is currently at stake in many places: instead of a regulatory supervisory regime, there is to be a kind of digitization support. There is actually little to be said against the latter, but it is a completely different task that has little place in supervisory authorities. Nobody would think of entrusting the economic development department of a federal state with the supervision of construction, food or financial authorities. But perhaps it's only a matter of time before the tax investigation department becomes a tax consultant for ailing German companies?
It is therefore almost a stroke of luck that another branch of law enforcement has now emerged as an alternative, at least in terms of data protection: Companies are increasingly having to face mass proceedings for immaterial damages. The sums claimed per case are generally marginal – but the more data subjects assert these rights, the higher the risks associated with sloppy data protection.
At least until politicians see a risk for the economy here too and change the legal rules again. The data protection supervisory authorities can be pleased about the relief. And continue to write position papers in working groups on why it depends on the individual case whether the data protection assessment of the use of this or that software should be criticized.
So perhaps it is simply time to realize that digitalization only follows rules if citizens in all fields are given the opportunity to sue malicious or sloppy players to the ground – then the state supervisory authorities can concentrate on the politically desired advisory service.
At first the text read: “One reason why the Green-Black state government in Hesse has no objections to IP data retention or Palantir's analysis software being used by the state police.” Hesse no longer has a Black-Green state government. We have corrected and added to the sentence accordingly: “One reason why, for example, the Green-Black state government in Baden-Württemberg, even before the Black-Green coalition in Hesse, has no objections to IP data retention or Palantir's analysis software being used by the state police.” We apologize for the error.
(nen)