Even police and secret services are not always convinced of the usefulness of their large databases. There is also criticism of licence plate scanners and surveillance technology from private manufacturers.
On Wednesday, the German Federal Commissioner for Data Protection, Ulrich Kelber, presented his latest report on activities at a press conference in Berlin.
presented. It shows that last year the authority was notified of 10,658 data protection violations last year, a good five per cent more than in 2021.
Kelber, a former SPD member of parliament, monitors compliance with data protection at federal public agencies as well as at companies that provide telecommunications and postal services. For this purpose, he and his team undertakes inspection visits and prepares audit reports, which are followed by recommendations or orders. Kelber also regularly checks their implementation. The control of other business enterprises, clubs, associations or political parties, on the other hand, is the responsibility of the 16 state commissioners for data protection.
Kelber is known as a fierce critic of commercial social media platforms such as Facebook and Twitter and has therefore switched to the open-source service Mastodon, as have 40 other authorities and institutions. In his report, he emphasises that “especially the highest federal authorities should set a good example and use legally compliant social media”. The operation of a Facebook fan page is not possible for an authority in conformity with data protection, which is why he ordered the Federal Press Office, for example, to shut down their page.
One focus in the report for 2022 is digitalisation projects in the health sector, which Kelber described himself as a “fan” of at the press conference, but against which he also raises concerns. The Electronic Patient File planned by the Federal Minister of Health from 2024 would be at the expense of data protection for people without a digital terminal device, the report says. More problematic, it says, is the planned European regulatory framework for health data to be exchanged across the EU (European Health Data Space). This, the report states, is a “challenge in terms of data protection law”, because citizens must have a right of choice in this regard. For the planned use of data for research purposes, data subjects should be able to explicitly consent or “unconditionally” object.
A ten-page chapter of the report is dedicated to a “multitude of topics in the security sector”. Among them is the automatic registration of vehicle number plates, which has also been used by the Federal Police since one year. This involves comparing passing vehicles with manhunt databases, which, according to a ruling by the Federal Constitutional Court, may only be used to a limited extent because of its “surveillance state character”. Kelber and his team wanted to check the implementation of the strict ruling, but despite two years of asking the Ministry of the Interior, only received notification of this one week before the operation. At the same time, the Ministry had issued an immediate order for the number plate recognition systems without hearing him first. However, the introduction of the search method for the Federal Police was not urgent and would have required a data protection impact assessment beforehand, Kelber said.
Police forces and secret services use commercial products for surveillance. For the area of telecommunications, Kelber had already called for strict rules for manufacturers in a position paper. These should not be allowed to decide on the use of the technology; their insight into the personal data processed must be “limited to a minimum”. Instead of buying surveillance software on the free market, authorities should rather rely on “proprietary developments”, Kelber says in its report.
Kelber also makes a sweeping attack on police and secret service databases. After the annual compulsory inspection of the Anti-Terror Database and the similarly structured Right-Wing Extremism Database, he once again recommends their comprehensive reorganisation or even abolition. Even from the point of view of the participating authorities, their usefulness is “very small”, “with at the same time far-reaching encroachment on fundamental rights”, he claims. Moreover, both data compilations are not being used in accordance with the regulations. According to Kelber, the Federal Criminal Police Office (BKA) has not deleted much of the data, as is required, for example, after the closure of an investigation or in the event of the death of the person concerned. At the Federal Police, too, “not all data records fulfilled the necessary storage requirements”. Last year, Kelber and his team also found “system-related errors” there, which are now to be corrected with an update of the software.
The activity report shows how the authorities use their surveillance powers as they see fit and interpret them for other purposes. However, it also becomes clear how important the office of the Federal Data Protection Commissioner is: only after his control and complaint, for example, had the Federal Police deleted “a considerable proportion of the data” in the Right-Wing Extremism File.
Apparently, this is only the tip of the iceberg. According to Kelber, large parts of his work “in the context of the security authorities” are not allowed to be made public. If, for example, authorities see security or the interests of the government at risk, secrecy can be ordered. The data protection commissioner must also abide by this.
Published in German in „nd“.