Data protection officer prepared for data use mandate and economic oversight

The Federal Data Protection Commissioner cannot complain about a lack of work, as her annual report shows. The coalition wants to change her responsibilities.

Louisa Specht-Riemenschneider presents her annual report for 2024 in Berlin.

(Image: BfDI-DH)

What is the future of data protection under the Black-Red coalition? This question also overshadowed the presentation of the annual report by the Federal Commissioner for Data Protection and Freedom of Information (BfDI) Louisa Specht-Riemenschneider in Berlin on Thursday.

The coalition partners wanted to bundle responsibility for data protection in the economy and also declare the BfDI to be the data usage commissioner. She is prepared to do this, said Specht-Riemenschneider. However, she could not currently see any intention in the coalition agreement to extend its competencies beyond data protection aspects to the AI Regulation or the Data Act.

Meanwhile, the Bonn-based authority is not bored: the Federal Data Protection Commissioner's report for 2024 records 8670 complaints and inquiries, with a sharp increase in general complaints under Article 77 of the General Data Protection Regulation (GDPR). These made up the largest group after general inquiries with 3313 submissions. The authority did not impose any fines in 2024.

Specht-Riemenschneider said that she wanted to continue to focus on providing advice, but did not want this to be misunderstood: "Advice only works if we take our job as a supervisory authority that enforces data protection law seriously." This applies both to private players, where the supervisory authority is located, and to public bodies. "Advice is only offered to those who want to comply with the law."

Meanwhile, a dispute is emerging within the circle of federal and state data protection commissioners regarding the expansion of competencies envisaged by the CDU/CSU. The BfDI is currently responsible for postal and telecommunications service providers, which were previously in federal hands, in addition to the federal authorities. However, an extension to economic responsibility in general would be at the expense of the legally assigned competencies of the state commissioners.

The State Commissioner for Data Protection and Freedom of Information in Baden-Württemberg, Tobias Keber, sees a great need for discussion: "This is the wrong approach", said Keber at the request of heise online. "Local and low-bureaucracy advice and support can only be provided locally." It would be right to strengthen the data protection conference "in order to maintain short routes to the supervisory authority and low-threshold services, especially for small and medium-sized companies."

The Berlin State Data Protection Commissioner is also skeptical about the plan to advise and supervise businesses locally. "Whether and which nationwide topics, for example infrastructural issues, should be bundled at a federal authority, on the other hand, must be looked at in detail," said Berlin State Data Protection Commissioner Meike Kamp at the request of heise online. "I see the coalition agreement as a mandate to analyze exactly where bundling makes sense and where it doesn't."

Another political point of contention is the responsibility for data protection control of intelligence services. To date, the BfDI has been responsible for checking compliance with the data protection regulations applicable to the BND, BfV and MAD. However, during the last legislative period, there were already efforts to transfer this control to the so-called Independent Control Council, an authority set up as a result of the NSA affair.

Specht-Riemenschneider said that she was very concerned about the wording of the coalition agreement. "We are the only body that has an overall view of the intelligence services." This is in danger of being lost. Furthermore, only the BfDI is an independent body in terms of European law. Especially now that the coalition is planning to carry out further interventions with security powers, independent monitoring is absolutely essential.

The value of informational self-determination must also be taken into account in security legislation, said the data protection expert. "Data protection is a basic prerequisite for ensuring that we do not feel monitored and that we can behave freely." It could not be the purpose of a state governed by the rule of law for the population to adapt their behavior preventively, regardless of whether they are actually affected.

Specht-Riemenschneider sees a great need for discussion on the three-month storage obligation for IP addresses planned by the CDU, CSU and SPD before its possible reintroduction. In its ruling from April 2024, the European Court of Justice allowed storage in a very specific case of copyright infringement. Specht-Riemenschneider said that some of the public discussion about this ruling was "nonsense". "Not everything is possible, IP address storage is a very sensitive area."

With regard to the electronic patient record (elektronische Patientenakte, ePA), which is planned for widespread use by 2025, the Federal Data Protection Commissioner announced that she would continue to ensure that insured persons could and would make decisions about their data in the future. "Make informed decisions and decide for yourself," she appealed to policyholders.

Specht-Riemenschneider said that her supervisory authority has only had limited opportunities to intervene since a change in the law in 2023. "Whether the ePA is secure is not primarily assessed by the Federal Data Protection Commissioner, but by the BSI." She expressly thanked the Chaos Computer Club for uncovering security gaps in the electronic patient file.

The AI Regulation should ensure that innovation and the protection of fundamental rights are reconciled, said the BfDI. It is satisfied that crime probability scoring has been prevented. However, the relationship between data protection law and AI law must be clarified. Legal uncertainty is a decisive aspect of why companies would shy away from using AI. "AI training that complies with fundamental rights must also be possible in Europe," demanded Specht-Riemenschneider. Data protection law does not stand in the way of this.

Fortunately, the draft coalition agreement no longer states that the Freedom of Information Act should be abolished, said Specht-Riemenschneider. The Freedom of Information Act is an essential prerequisite for the rule of law and she continues to hope for a genuine transparency law that further strengthens information rights instead of reducing them. "It is a very important point for guaranteeing the rule of law and trust in democracy," emphasized the BfDI.

Despite reservations, Specht-Riemenschneider is open to calls for a partial reform of the General Data Protection Regulation. It is a problem if the public perceives data protection law as cookie banners and overlong data protection declarations. However, the BfDI said that the core area of data protection law should not be affected by a possible reform and that this should be made clear at the beginning of such a discussion.

(wpl)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.