Meike Kamp: "GDPR changes shake the cornerstones of data protection"

Contents

Berlin's Data Protection Commissioner, Meike Kamp, has sharply criticized the EU Commission's reform proposals for the General Data Protection Regulation (GDPR). The planned changes to the definition of personal data attack the core of European data protection law. Furthermore, they go beyond the previous case law of the European Court of Justice, said Kamp, who invited to an event in Berlin on Wednesday to mark EU Data Protection Day.

“Above all hangs the question of when data is still personal and whether the General Data Protection Regulation is applicable or no longer,” said Kamp. For many years, the discussion has moved “from absolute personal reference to the questions of who has the means of identification, whose perspective is relevant for assessing personal reference, and how high the risk of re-identification may be.”

Companies must bear responsibility for data storage

Kamp also referred to the SRB ruling of the European Court of Justice. In her view, this is often read in a shortened way. “The ECJ counters this fear in the SRB ruling and says that this transmission to the 'unaware' recipient does not affect the assessment of the personal nature of the data, especially in connection with any subsequent transmission to third parties,” said Kamp.

However, the EU Commission draws different conclusions from this: “The Commission formulates, simply put, that information does not become personal data solely because a potential subsequent recipient has the means to identify the data subject,” said Kamp. With the draft of a new recital, it is explained “that a possible disclosure to 'aware' third parties only makes the information personal data for those third parties.”

According to this interpretation, the data would no longer be classified as personal data at the recipient's end and would fall out of data protection law. “This would have serious consequences,” said Kamp, referring to data-driven business models such as online advertising.

Criticism of planned changes to personal reference

Using the example of real-time bidding for advertising space on websites, Kamp illustrated the dilemma. The basis is “a large number of actors in a complex data processing chain.” With the help of cookies or advertising IDs, it is possible to merge data of individual users.

“The planned changes must not lead to numerous data processing operations falling out of the scope of data protection law in the future,” warned Kamp. “With the amendment of the definition of personal data, the EU Commission is shaking the cornerstones of data protection. I do not consider this to be the right path.”

This assessment was also shared by the new chairman of the Data Protection Conference, Prof. Tobias Keber. The impression that the digital omnibus is merely transposing existing ECJ case law into legislation is misleading from his perspective. “If one considers not only the SRB ruling but also several decisions of the ECJ, for example on vehicle identification numbers, then the Commission's proposal goes beyond the case law,” Keber told heise online.

Digital Omnibus Reform “not the right framework”

Furthermore, Keber criticized the procedure. “Such a far-reaching change as the definition of personal data is not a minor adjustment,” he said. “For such fundamental interventions, an omnibus procedure designed for speed is not the right place from the perspective of the Data Protection Conference.”

The GDPR is an abstract set of rules whose parts interlock. “If you change something at such a central point, it usually has effects at many other points, which also affect other EU digital and legal acts. More time would be needed to analyze exactly what these changes will bring about,” said Keber.

Demand for solid pseudonymization

Instead of restricting the scope of application, Kamp advocated for strengthening pseudonymization and anonymization. “We should preserve the scope of application of the General Data Protection Regulation,” she said. For data processing with good pseudonymization and low impact on data subjects, there should be simplifications. “Do not strive for the unattainable or water-down terminology, but dare to implement solid pseudonymization.”

The role of anonymization and pseudonymization is at the center of the event, with which Kamp marks the end of her chairmanship of the Data Protection Conference. Among other things, an interim report on planned application guidelines of the Data Protection Conference was presented. In addition, research projects from areas such as healthcare, mobility, and web statistics presented practical approaches to the data protection-compliant handling of personal data.

Metadata and special cases

Furthermore, it became clear that metadata can already be sensitive. Timestamps, frequencies, spatial patterns, or technical accompanying information can be sufficient to narrow down individuals or make them re-identifiable. Metadata are therefore not just a by-product, but must be explicitly considered when assessing anonymization and pseudonymization.

Dr. Jan Daldrop from the Berlin Commissioner for Data Protection and Freedom of Information presented the work status of a joint project of the Data Protection Conference, which aims to develop application guidelines for anonymization and pseudonymization. Using mobility data, he showed that even with highly aggregated datasets, residual risks can remain – for example, in special events such as a wedding procession, which could be recognizable even in anonymized data due to an unusual combination of route, time, and driving behavior.

Those involved agreed that anonymization is not a self-runner and requires ongoing evaluation. Keber summarized: “Legal certainty arises not from blanket assumptions but from careful case-by-case examination.”

(mack)