Constanze Kurz from the CCC: Majority unaware of health data transfer
"Data protection is not an impediment." Experts discussed this and what is currently going wrong in the healthcare sector at the Anosidat conference.
(Image: Marie-Claire Koch/heise online)
Informatics expert and Chaos Computer Club spokesperson Constanze Kurz warned at the start of the Anosidat conference on Tuesday in Berlin about a gradual erosion of healthcare data protection in favor of economic interests. At the conference, experts from science, politics, and civil society are discussing the responsible use of data. Kurz referred, among other things, to a lawsuit filed by the Society for Freedom Rights (Gesellschaft für Freiheitsrechte, GFF) against the transfer and storage of health data to the Research Data Center Health (FDZ Gesundheit) of the Federal Institute for Drugs and Medical Devices (BfArM), to which researchers can now apply for data access.
Most people do not know that since 2022, billing data has been transmitted to the Research Data Center Health and in the future it will also be accessible in a European Health Data Space, which is also under development, Kurz emphasized. She wished for a deeper technical understanding and clarity on how much data is actually required to enable research and innovation – without endangering privacy and fundamental rights.
While the data of all statutory insured individuals are to be made available, other groups, such as privately insured individuals and the Bundeswehr, are excluded from data extraction, Kurz criticized. The CCC spokesperson expressed surprise that so far only a small portion of the statutory insured have objected to the creation of an electronic patient record.
Especially when using health data, the risks due to insufficient anonymization are serious, Kurz warned. Data protection is not an obstacle to research but a prerequisite for trust. Prof. Mohammadi, head of the Privacy and Security working group at the University of Lübeck, also emphasized that IT security and data protection are not opposites: "IT security means that systems behave as expected and do not do anything else, even if malicious actors are involved. Secure data usage means that data is only used for the purpose for which it is intended, even if someone tries to circumvent that." He advocated for decentralized solutions and international cooperation instead of central data storage. Large datasets are necessary to ensure both analysis quality and protection.
Data Protection as an Excuse
Even if data protection were completely abandoned, Germany would not automatically become a leading location for artificial intelligence, Thomas Köllmer from the Fraunhofer Institute for Digital Media Technology (IDMT) pointed out. Kurz emphasized that fundamental rights such as the right to informational self-determination must be more strongly protected throughout Europe and are part of European values. For Köllmer, data protection and innovation are not opposites. Rather, data protection must be integrated into projects from the outset and adequately financed. At the same time, he pointed to practical hurdles in everyday research, such as the lengthy access to data.
Many regulations are interpreted overly cautiously, even though the General Data Protection Regulation explicitly allows for balancing, Mohammadi said. Behrendt clarified that data access and economic use should not be based solely on economic criteria. A value-oriented data economy, in which data usage is flanked by technical and organizational controls, has priority.
When asked if one should not rather focus on the research question first, Köllmer replied that collecting the vast amounts of data fits the LLM data hunger. They throw everything in first and then find the right questions later. Regarding strong investments in LLMs and the current AI hype, Mohammadi referred to an MIT study (PDF), according to which 95 percent of companies had not yet benefited from the use of AI systems. He also warned of uninformed debates about AI systems, which also pose significant risks, and called for a broader societal discussion about the risks of LLMs.
CCC spokesperson Kurz saw positive aspects in the Digital Markets Act and other EU regulations. These regulations would cause providers to behave differently in the European market. "Even civil society was involved," Kurz said. Data protection is a fundamental prerequisite for the European concept of values. She sees strict rules as a potential competitive advantage, as companies then develop secure and trustworthy systems. Many opportunities for better data protection already exist, but according to researchers, those responsible are often not interested in them. When asked what miracle would solve all problems, the discussion participants were somewhat at a loss. For Behrendt, it would be a miracle if he went out in the morning and no one was interested in data misuse anymore.
(mack)