Missing link: Ulrich Kelber vs. surveillance capitalism

A few weeks ago, Ulrich Kelber stepped down from the office of Federal Commissioner for Data Protection and Freedom of Information (BfDI) – not entirely voluntarily – without being re-elected. In an interview with heise online, he takes stock of the successes, challenges and disappointments of the past five and a half years, the lessons learned from the major data protection scandals, the impact of the General Data Protection Regulation ( GDPR) and the influence of lobbyists.

This is the second part of the interview, you can read the first part here.

What is your view on the discussion about a possible relaxation of data protection in favor of law enforcement and combating terrorism? There is the "zombie" of data retention, for example. Do you think it will be resurrected?

If there are new threats or methods of attack, then we also have to think about new instruments to counter them. I understand that and the security authorities have always had my support. But many of the current instruments and many of those being called for encroach deeply on fundamental rights without really making a significant contribution to security. And such instruments must definitely not be used, as the problems of the security authorities often lie in not having enough data. A constant feeling among citizens that they are being monitored at every turn must be prevented at all costs. Otherwise, it fundamentally jeopardizes a free democracy.

Specifically with regard to data retention?

Data retention is a variant of permanent surveillance. You have to expect that everything you do or don't do will be stored, evaluated, analyzed and put into a different context. And without you ever having done anything illegal. Instead, you have simply exercised your civil liberties. In my view, this is not compatible with a liberal democracy in the long term if someone is always looking over citizens' shoulders.

Does this also apply to the variation now being discussed of "only" storing IP addresses?

Of course, this is less than the other variants being discussed. Nevertheless, there is a very large possibility of corresponding profiling and this is therefore also highly problematic. Above all, some people are still demanding periods of storage during which any possible gain in knowledge would be extremely minimal.

Can you explain how the European Court of Justice came to its change in case law, particularly with regard to IP addresses? Is that understandable?

Not to me.

Do you remember any specific cases or scandals where you think the public doesn't know the whole truth?

If they were publicly discussable cases, we always mentioned everything that was necessary from our point of view. Therefore, no.

So you always addressed everything?

That's how it is. Except, of course, where confidentiality is required by law.

What internal or external disputes have you experienced as Federal Data Protection Commissioner that the public didn't hear much about?

In some debates about digitalization, I would have liked to have seen more sustained public attention, more pressure from civil society, e.g. in the modernization of the register, where unfortunately a solution that did not protect fundamental rights was chosen unnecessarily.

Have you ever had to make decisions that contradicted your personal convictions? How did you deal with this?

Of course, often and in all the offices and functions I have now held over the last few decades. Because you have to compromise with others. That's part of a democracy. You're not alone in a wide open space. I have allowed myself to be convinced by the opinions of my colleagues. So in that sense: personally, I still have a different feeling. But if so many people I trust all come to a different opinion in unison in their judgment, then I don't have to make the autocratic decision. In particular, there are cases in which I as a person have considered a business model or digital implementation to be wrong, but it was not illegal. Then, of course, the result is that an authority certifies that it is legally compliant, even if we don't think it's good.

Can you be specific about that?

Back then, before things developed differently under company law, we advised the German mobile network operators on the subject of TrustPid. This is now called Utiq. The consultation process was also great because the other side really played with open cards and made a lot of adjustments. Nevertheless, I personally don't think we need it at all. But the way it was designed in the end was legally compliant from our point of view. In principle, this is a kind of ID assignment for someone who is using the mobile Internet. Such an identifier can also be assigned to certain areas of interest if the person concerned has given their consent. This can be turned into a complete opt-out. It is difficult for advertising partners to assign this to a person. Normally, they don't actually know who they are playing something to, because there is usually no further profiling behind it. That's better than cookies or fingerprints from Google & Co. But from my point of view, it would still have been unnecessary.

How often were you influenced by political or economic interests in your role? How great was the lobbying pressure?

As a Member of Parliament and State Secretary, I even kept a publicly accessible diary of discussions with lobbyists, ranging from business to environmental associations. I couldn't do that in this form as BfDI. Because, of course, some of these are confidential discussions and there were legal reasons for not doing so. But in my view, it is important to listen to all opinions and weigh them up. Lobbying, understood in a positive sense, is the bundling of the voices of individual small parties in one place. Most lobbyists also work honestly, present their data, their figures. You then have to weigh that up. But there are also lobbyists who try to exert undue pressure. Via third parties. By simply stating facts. By avoiding clear answers and trying to make time work for them. This has happened time and again. Such lobbyists have also gone to third parties, politicians and the media, to try to create a bad atmosphere by making false claims or using tendentious figures.

Can you name names?

In the run-up to the Facebook fan page decision, we noticed that Meta falsely claimed to the German government that we had refused to take part in the talks. In fact, there were several rounds of talks.

So Big Tech in particular is strongly associated with lobbying?

Yes, but of course there is also strong lobbying in the area of economic interest groups. If we take the example of behavioral advertising, you always have German media publishers standing outside the door when you try to impose restrictions. Because they are afraid that their source of income will disappear. And that's why they show solidarity with these large platforms, even if they only end up with the crumbs of the cake.

Can you tell us about a case in which you campaigned hard for data protection but ultimately achieved nothing? What were the reasons for this?

I have publicly reported on these cases six times in the annual activity reports. One example: I believe that the digitalization of the healthcare sector could have been implemented in a more patient-friendly way and in line with fundamental rights with a little more will. I suspect that the current decision-makers felt so much pressure to finally present solutions after 20 years. The result was that suggestions to do things a little differently, to build in another security level that is still easy to use, were not followed. As a result, a number of immature and questionable approaches were chosen, which will lead to the whole thing coming to a grinding halt.

Also in relation to the European Health Data Space?

Also in the European Health Data Space. It starts with where consent is needed, where you can opt out, where there is a legal basis, where there is no real consideration of which data is useful, or where you actually need all the data in a representative way and where it is possible to do otherwise, what are the security requirements for accessing these databases – These are examples of this.

A broad field.

Yes, but one with particularly sensitive data.

Before taking on the role of BfDI, you were, among other things, Parliamentary Secretary of State for Justice. Have you learned any new unwritten rules or practices in the field of data protection and when working with government representatives during your time as data protection officer?

Well, not necessarily anything new compared to before. But it is exciting to see the cooperation between ministries and federal authorities long before the respective political leadership gets involved. It's a process with lots of rules, tricks, secrets and the fear of involving others at an early stage, as media coverage could then scandalize the whole thing à la "secret paper in Ministry XY". This is why papers are often kept completely secret instead of discussing them with other experts until they have been presented to the political leadership. But it should also be noted: There are a tremendous number of committed and highly professional people in this government apparatus at the working level.

So mixed experiences?

Yes, definitely positive ones, but sometimes also unnervingly annoying ones. You say, oh God, why didn't he come up with this six months ago? Then you could have said to him when he was first thinking about it: "Better watch out for the cliff, but here's an example of how you can do it." An example of this: when the supplementary pension in old age was chosen, it could have been implemented more elegantly if certain exemptions had been waived. Now you need data from applicants that you can't automatically collect from existing sources. This makes it much more bureaucratic just to avoid having to pay out 100 or 150 euros a month in a few special cases. Millions of cases have to be applied for and checked manually in an overly complicated way. If we had made a different decision beforehand and seen what data was already available, then the whole thing could have been much more automated.

What about the Ministry of the Interior? Was there any particular friction in the area of security authorities?

Yes, although of course it's such a huge organization that it really depends a lot on the individual people, on individual units, subdivisions and departments. The security authorities also have different levels of cooperation. For example, we had developed a particularly good working relationship with the Federal Criminal Police Office. Not necessarily always with the same point of view, but we have seen that arguments are taken on board, that there is transparency. And so we have achieved some good results together, including in changing data processing procedures.

What about the area of secret services and the "hacker authority" Zitis?

If the legal situation has been clearly clarified, either in the law or by a court decision, and our interpretation has been accepted in the end, then you have to clearly state to the German security authorities that they are going to great lengths to implement everything in accordance with the law. It always becomes difficult when the legal situation is unclear. Then, of course, a security authority wants to have the widest possible processing powers and we have always taken a different position. Such contentious issues have often led to legal action by those affected and non-governmental organizations. And as a rule, the courts have ruled as we predicted. The BfDI has a very high success rate.

What advice would you give your successor?

Anything she asks me for in a personal conversation. Louisa Specht-Riemenschneider and I have known each other for several years. We have also spoken several times since the decision to appoint her. She is an absolute expert. And I won't be giving her any public advice anyway.

Can you already say where your professional journey will take you now? You recently joined the European Academy for Freedom of Information and Data Protection (EAID). Your predecessor Peter Schaar was also active there.

The EAID is a good opportunity to hold debates and make contributions on issues that are not currently the direct focus of a data protection supervisory authority with its specific tasks. As for myself, I want to continue doing something that makes a positive contribution to well-done digitalization. I believe that Germany is dangerously under-digitized. Whether that ends up being in front of or behind the scenes, I'll let myself be surprised.

But will you stay involved in data protection?

If there is an offer in an area that interests me, then yes.

(mki)