Ethics Council Chairwoman: "Data minimization is an insane idea today"

Alena Buyx, Chair of the German Ethics Council, takes issue with a fundamental principle of the General Data Protection Regulation (GDPR): "Data economy is an insane idea in this day and age," explained the medical ethicist on Tuesday at the re:publica 24 digital conference in Berlin during a debate with the still acting Federal Data Protection Commissioner Ulrich Kelber. "We click away 48 pages of cookie declarations," argued Buyx. It is no problem for big tech companies to access huge amounts of data. Every browser history is more sensitive than health data due to the porn preferences it reveals. There is a huge disproportionality here "as far as risks are concerned".

She is in favor of protecting the interests of the people "from whom the data originates", Buyx explained. At the same time, it is necessary to make "abundant" use of data in the health sector, for example through research consortia oriented towards the common good: "We are lagging behind dramatically." Relevant studies either no longer take place in Germany or start a year and a half later. This is also partly due to local data protection practices and "how we force people to jump over hurdles". Many people in this country assume that "we can't use certain data at all". This is partly due to the experience that the protection regulations are "interpreted very strictly".

The GDPR's requirement to "minimize" personal data "should not be confused with frugality", Kelber countered. The motto is therefore not: "Throw everything away." Rather, it is about not collecting anything that is not needed for specific data processing. If personal information is to be used for other purposes, such as research in the health sector ("secondary use"), technical protection mechanisms such as pseudonymization make "everything" possible. The supervisory authorities spent 90 percent of their work advising on "how the intended use of data can be achieved". However, as there is no dispute about this, this aspect does not appear in the media.

Data protection can cost "statistical" lives

Especially during the coronavirus pandemic, it was "super-frustrating" when a phone call would have been enough to get in touch with data protection officers about the increased use of hospital data, Buyx recalled. Then it would have become clear more quickly which form of isolation in clinics and which medication helped, where the patients went and how visits were regulated. "We had a data desert," says the scientist with annoyance. She and her colleagues had to work with information from Israel or Great Britain. In this respect, there is some truth to the claim that "data protection can cost lives". "It doesn't mean that someone falls down in front. These are statistical lives that are lost." For example, very old, particularly vulnerable people could have been better protected by a better distribution of vaccinations.

One of the biggest upsets for Buyx was a paragraph in Bavaria's hospital law, according to which data had to remain on site. This rule from the 1980s prevented information from hospitals from being stored in the research cloud. It was only after letters from interested scientists that the clause was removed. In general, data protection impact assessments are also extremely long for research projects in Germany. It would be desirable to lower the hurdles somewhat, especially in the case of public interest projects.

Data protection, a cheap excuse for digitalization failures

20 years ago, the federal and state data protection commissioners first called for a research data law with more options for use, Kelber emphasized. Only now has a draft law been presented. If registers, directories and IT projects were financed from public funds, a certain data quality and standardized transmission paths should be enforced. Unfortunately, the prevailing attitude in many companies and authorities is still that they have fast computers but want to use "protection technologies from the 1980s". There is no encryption, no distributed data storage and no secure access. But "anyone who digitizes stupidly has to be prepared for the supervisory authorities".

"Germany is dangerously under-digitized," Kelber never tires of pointing out. The Robert Koch Institute, for example, still has no digital reporting chain with the health authorities. A good friend of his, who had cancer, had to send images from an imaging session in the Eifel region to the treating clinic in Essen on CD in the middle of the night in the hope that the tumor board would be able to deal with them in time. And this was only because the practice responsible was not connected to the secure communication system in the healthcare sector, was unable to send an encrypted e-mail and also refused to consent to the use of security procedures. For the computer scientist, this makes it clear that it was not only during the pandemic that "those who are not making progress with digitalization" and "suffocating in federalism" had an "easy excuse with data protection".

Kelber would also welcome it if the supervisory authorities could make more binding, harmonizing decisions. However, this approach is not reflected in the federal government's draft bill to amend the Federal Data Protection Act (BDSG). "Politicians don't dare to do that," complains the former State Secretary. Every complaint would still have to be processed independently. In general, "many processes are not adapted to digitalization" and no basic building blocks are being worked on.

(akn)