BfDI: New security powers "not permissible"

Federal Data Protection Commissioner Louisa Specht-Riemenschneider is leaving office with sharp criticism of current security legislation.

Louisa Specht-Riemenschneider and her colleague Andreas Hartl present the BfDI's 2025 annual report in Berlin.


(Image: BfDI)


After less than two years, Louisa Specht-Riemenschneider will step down from her position as Federal Commissioner for Data Protection and Freedom of Information (BfDI) for health reasons as soon as her successor has been appointed. However, she is still the head of 386 employees who had plenty to do last year. This is evident from the annual report for 2025, which Specht-Riemenschneider presented in Berlin on Wednesday.

According to the report, the BfDI received 11,824 complaints and inquiries last year – a third more than in 2024, reaching a record high: only in 2018, when the GDPR came into effect, was the level of complaints higher. The number of data protection violations reported under Article 33 GDPR by those responsible for them also remained high, at 9110.

The BfDI, which is responsible for postal and telecommunications services in addition to federal authorities, conducted 80 on-site inspections and 40 written control procedures last year, according to its own statements. The authority speaks of a total of 129 “supervisory measures.” One of these was the proceedings against Vodafone, which resulted in fines totaling 45 million Euros.

In 2025, the authority also focused on health data. The electronic patient record (ePA) has the potential for better care and research if data protection, data security, and user-friendliness are considered together. Many citizens are open to the ePA, but at the same time, there is still a need for information. The BfDI is also addressing the health sector with the ReguLab.

On her departure, Specht-Riemenschneider sharply criticized politicians and expressed concern about the multitude of new internal security laws. “The breadth and intensity of security powers are increasing,” warned Specht-Riemenschneider. At the same time, the control of security authorities is being restricted. “I cannot understand why it is happening the way it is,” said the data protection officer. “This is an intensity that I do not consider permissible in this country.”

Specht-Riemenschneider warned against the planned third iteration of data retention. She could not “applaud frantically” the draft law, said the data protection officer. The corridor remains very narrow, and the Hadopi decision of the European Court of Justice also considered IP connection data retention permissible “only for the absolutely necessary period.” However, the federal government has so far failed to provide evidence for the necessity of a three-month retention period.

The outgoing data protection officer described the expansion of intelligence service powers while simultaneously removing them from data protection control as “complete nonsense.” Fundamental rights interventions can only be justified with functioning and effective control. Specht-Riemenschneider considers it impossible that supervision would impair the work of the Federal Intelligence Service (BND). “The BND currently employs 6500 people,” she calculates. “We manage with three.”

At the EU level, Specht-Riemenschneider sees a need for action regarding the mass trading of data and the outdated E-Privacy Directive. However, she sees no signs of this currently: “Everything is going in the wrong direction for me,” criticized the data protection officer. “Everything that would be important in data protection law is not in the Omnibus Act.”

Nevertheless, data protection will not be overlooked. Ministries listen very carefully when it comes to the German version of the digital wallet EUDI Wallet. Integrating data protection from the outset in administrative digitization and making it data protection compliant is not impossible. A prerequisite for this is transparency: citizens must know where their data is being used in order to assert their rights.

A wallet that allows age verification without transmitting the date of birth is much preferable to her than a biometric-based “face verification”, emphasized Specht-Riemenschneider. At the same time, however, it must be ensured that no data leakage occurs here, not even through an aggregation of different data verified via the EUDI Wallet.


Specht-Riemenschneider emphasized that she does not yet see a complete representation of the identity card on a wallet basis. There is data that might be better stored in the registers where it is today. But seven months before the announced start of the German wallet implementation, she has no concept for the technical design of what it should actually contain.

The assessment made by Specht-Riemenschneider, who took over as successor to Ulrich Kelber two years ago, sounds less optimistic than before. In some areas, she simply lacks the ability to enforce the law. For example, if legal assistance agreements with the USA are missing or not applied, all she can currently say is: “We don't think that's good.”

Therefore, it is consistent that the BfDI welcomes a different development: that the path of claiming damages is increasingly being taken. As in many other legal areas, the coexistence of private law and administrative enforcement is correct, believes Specht-Riemenschneider. Could a claim for damages also be a sensible option against federal authorities to strengthen data protection? Considering the ineffective control powers currently available to her over the intelligence services, she needs to rethink such ideas, says the outgoing Federal Data Protection Commissioner.

(wpl)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.