Federal Data Protection Commissioner wants to focus on AI, security and health
The new Federal Data Protection Commissioner Louisa Specht-Riemenschneider seeks more cooperation while emphasizing the strict boundaries of data protection law
The Federal Data Protection Commissioner Louisa Specht-Riemenschneider.
(Image: Volker Lannert / Universität Bonn)
The new Federal Commissioner for Data Protection and Freedom of Information (Bundesbeauftragte für den Datenschutz und die Informationsfreiheit, BfDI) Louisa Specht-Riemenschneider officially took office on Tuesday with the handover of her certificate of appointment by the Federal President. At the Federal Press Conference in Berlin, she then answered questions about how she intends to carry out her duties – and made some initial exclamation marks. She is striving for "digitalization that is sensitive to fundamental rights", said Specht-Riemenschneider. At the same time, however, she "does not want to be restricted to the role of the naysayer", said the new Federal Data Protection Commissioner. It is about showing how projects are possible. However, data protection law knows red lines that must be adhered to. It is about implementation options within data protection law.
She wants to use her term of office as an invitation to engage in dialogue for trustworthy digitalization and offer a fresh start where discussions have become bogged down. However, this would also require the cooperation of other stakeholders: Specht-Riemenschneider appealed for the BfDI to be involved at an early stage. This was precisely what her predecessor Ulrich Kelber had repeatedly criticized. Although required, the authority had often only received draft laws relating to data protection late in the process and its comments had been ignored.
Specht-Riemenschneider relies on dialog in the health sector
Specht-Riemenschneider wants to focus on three areas in particular. The first is the healthcare sector, where massive changes were recently introduced as part of the Health Data Use Act and the Digitalization Act. According to Specht-Riemenschneider, sensitive data is processed in the healthcare sector, which requires data protection to be considered from the outset. "In the healthcare sector in particular, data protection and digitalization are thought of far too much in opposition to each other," which she regrets, said the Federal Data Protection Commissioner.
Videos by heise
However, the success of research data access and electronic patient records depends on high data protection standards and IT security. There should be no doubts about the level of protection, but at the same time functionalities must be guaranteed. To this end, she wants to involve all stakeholders such as doctors and patients.
Demand: AI supervision of data protection authorities
The second focus area of her term of office will be artificial intelligence. In addition to many opportunities, this also poses considerable data protection risks. She wants to "do everything we can as a supervisory authority to enable a trustworthy and fundamental rights-oriented AI landscape." However, she also wants to campaign vehemently against AI that violates data protection. According to Specht-Riemenschneider, AI real-world laboratories are desirable.
"I am firmly convinced that AI supervision belongs in the hands of the data protection authorities of the federal states and the federal government," said Specht-Riemenschneider. This is a logical consequence of existing expertise and independence, as required by the AI Regulation. It is also comparatively inexpensive. Discussions are currently underway at federal level as to which German authority should become the supervisory body for the AI Regulation – In an interview with c't in May, Federal Digital Minister Volker Wissing had already clearly spoken out in favor of the Federal Network Agency.
Focus on security projects
The third area that the new BfDI wants to prioritize is internal and external security. "The price for our security must never be our freedom," emphasized Specht-Riemenschneider. The risk potential of false suspicion increases with every data record collected. "We need a balance between surveillance measures to ensure internal and external security." Without independent monitoring and protection of fundamental rights, however, trust in the security authorities is at risk. Specht-Riemenschneider criticized the idea of transferring control from the BfDI to the Independent Control Council for the Intelligence Services – but was open to closer cooperation with the latter.
Specht-Riemenschneider expressed caution in the ongoing debate on the expanded use of facial recognition procedures, as currently planned by the German government. She pointed out that there are already legal possibilities to use facial recognition in certain areas. However, when it comes to data that is freely available on the internet, there are requirements that must be observed: "I can't simply say that facial recognition can be used for any form of criminal prosecution."
In this area in particular, it is important to strike a balance between the various fundamental rights in the law. However, her authority has not yet received any specific draft legislation, so she does not want to speculate on possible regulations. In addition, the Federal Constitutional Court would probably provide further guidance at the beginning of October when it announces its decision on the BKA Act.
However, the issue of databases that have been collected on a massive scale without permission and beyond the purpose limitation or AI systems that have been unlawfully trained with data is currently being discussed among state data protection officers and the Federal Data Protection Commissioner under the keyword "risk of infection". According to Specht-Riemenschneider, this not only applies to facial recognition services such as PimEyes or Clearview, but is also a problem with research data, for example, which is why it needs to be addressed as a whole. How to deal with the "fruits of the forbidden tree" is therefore not yet clear.
GDPR: Gold standard with gaps
Overall, the GDPR is a gold standard, but enforcement is often still lacking. This applies in particular to the area of enforcing the rights of private individuals in relation to large internet companies. They can only enforce their claims at great expense. Official enforcement of the GDPR could also be improved, for example by enabling the data protection conference of the federal states and the federal government to cooperate more closely by law. With a view to her European colleagues in other EU countries, she also regrets that large platforms continue to be allowed to operate despite major deficits in data protection law.
At the same time, Specht-Riemenschneider also believes that legislators have a duty to make it clearer which data processing is socially desirable and to lay down corresponding regulations in law. She considers it unfair that the entire responsibility for processing is placed on the data subjects and the processors.
BfDI wants to push ahead with court proceedings
Specht-Riemenschneider does not currently see any need for change in the court proceedings that her authority is conducting against the Federal Press Office, among others: "I see no reason at all to put a question mark behind every case we are conducting." In the end, only the courts can provide legal clarity on various questions of interpretation.
Specht-Riemenschneider was elected by the Bundestag in May following a months-long search by the FDP and the Greens at the formal suggestion of the cabinet. She expressly thanked her predecessor Ulrich Kelber once again, who had given the issue of data protection a great deal of visibility.
(vbr)
