Data protection experts call for strict rules on police data analysis
Data protection experts warn that police data analysis without a clear legal basis may also affect uninvolved parties.
(Image: JARIRIYAWAT/Shutterstock.com)
The Conference of Independent Data Protection Authorities of the Federal Government and the Länder (DSK) is pushing for automated data analysis by the police to be designed in a manner that complies with the constitution. In a resolution passed at the interim conference on September 17, 2025, the DSK calls for a concrete legal basis. The background to this is the debate about the possible nationwide introduction of complex analysis tools in police authorities.
Previous procedures could also affect innocent people. "There is a risk that people could become the target of police investigations without justification. That is why clear legal rules are needed," explained Meike Kamp, Berlin's data protection commissioner and current chair of the Data Protection Conference.
"The data analysis methods known to date, which some state police authorities are already using, can in principle affect all people without them having given cause for police investigations through their behavior," says the DSK, most likely referring to Palantir. "New insights can emerge from the linking of large amounts of data," says Kamp.
The Federal Constitutional Court had already clarified in 2023 that police authorities "may only use such drastic procedures in cases of very serious violations of legal rights and within the framework of very narrow procedural provisions." According to the DSK, the existing legal basis does not yet meet these standards. With regard to automated analyses, the DSK points out the considerable risks to fundamental rights that this entails – they should therefore only be permitted in strictly limited exceptional cases. In practice, there is often a lack of compliance with the existing legal requirements, which is why the Gesellschaft für Freiheitsrechte recently lodged a constitutional complaint "against mass data analysis by the police in Bavaria". The limits for automated data analysis are not observed by the police there, according to the GFF.
P20 as an opportunity
In addition to the legal requirements, the conference also refers to digital sovereignty: police data should not be dependent on systems that allow access from insecure third countries. The DSK sees opportunities in the "Police 20/20" (P20) IT project, which aims to create a joint infrastructure between the federal and state governments –, possibly on the basis of transparent open-source solutions.
Videos by heise
In addition to police data analysis, the conference addressed issues relating to data transfers in international health research and the reform of the General Data Protection Regulation (GDPR). The DSK has adopted guidance on data transfers to third countries for scientific research for medical purposes, as questions on this topic arise regularly. "When health data is transferred to third countries, certain measures must be taken to protect the rights of those affected. With this guidance, the Data Protection Conference clarifies when processing for research purposes is permissible and what instruments are available for transferring such data to third countries. In any case, those affected must be informed," explains Kamp.
(mack)
