German data protection commissioner criticises government agencies, legislative procedures

Ulrich Kelber (left) with party colleague Foreign Minister Heiko Maas at an SPD parliamentary group meeting in 2018. [EPA-EFE | Felipe Trueba]

Ulrich Kelber (SPD) rarely shies away from criticising his own government in his role as Commissioner for Data Protection and Freedom of Information (BfDI). During the presentation of his annual reports, he pointed out hasty procedures where data protection is at risk. EURACTIV Germany reports.

At the presentation of his activity reports on Wednesday (17 June), Kelber complained that too little attention is paid to data protection and freedom of information in government agencies and legislative procedures.

He particularly emphasised that the Ministry of Health had not always taken the time to debate all the necessary issues in its many draft laws and had occasionally involved it “too late.” He cited as examples the Digital Healthcare Act, the Implant Register Establishment Act, and the Measles Protection Act.

In some cases, there were even violations of the rules of internal procedure, and this also happened in other ministries.

“Particularly with sensitive issues such as health, it is difficult when the data protection authorities are asked for their opinions at a very late stage,” said Kelber.

More time should be taken in the legislative process, and “the timing of the next coalition committee” was not a “technical reason” for a shortened legislation timetable.

GDPR enforcement held back by lack of resources, report says

Enforcement of EU data privacy rules is being stifled by a lack of resources across national authorities, according to a new study published today (25 May), on the second anniversary of the EU’s landmark general data protection regulation (GDPR).

Call for independent monitoring review

He was particularly critical of security legislation, which will probably again be in the focus in 2020, and said the trend of planned major interventions in civil rights will continue. What is missing is a constant review of the existing competencies of the authorities.

In concrete terms, Kelber called for a “comprehensive monitoring account,“ as the Federal Constitutional Court discussed in 2010. It provides that the data protection risks of new laws are not examined in a vacuum, but instead in interaction with existing laws and instruments.

“Such an analysis does not exist to this day. This is one of the reasons why I take an extremely critical view of the constant accumulation of safety authority intervention options,” said Kelber.

He again called for a moratorium on new security legislation until there is an “independent, scientific study of existing security laws.”

EU stands by its data privacy rules in response to COVID-19

Europe cannot win the fight against the coronavirus without digital technologies, the European Commission said in a video call with EU-27 health ministers on Monday (27 April). But this must not come at the expense of EU data protection rules, which must remain a “global gold standard”. 

Transparency instead of just freedom of information

Another of Kelber’s demands concerns freedom of information, which is his second field of competence alongside data protection. The existing Freedom of Information Act gives too much leeway and a transparency law is needed to make it easier for citizens to access public information.

Some authorities did not respond to anonymous or pseudonymous requests for information and requested the data of the applicants, although it was not necessary to fulfil the request. In other cases, answers to these questions may not be published, resulting in many identical questions.

Kelber’s own authority tries to “lead by example” and publishes such responses and other internal documents. A transparency law should force all authorities to do just that.

German government presents 'best coronavirus tracing app worldwide'

The German ‘Corona-Warn-App’ is here, and the government gave it the hard sell when ministers presented it on Tuesday (16 June), EURACTIV Germany reports.

Supervision of the ‘Corona-Warn-App’

Currently, the biggest topic in Kelber’s area of expertise is the Corona-Warn-App, whose development he accompanied as a consultant.

It has a “good data protection architecture.” However, here too, his time as an involved party was limited, it was “not easy to do the consultation in seven weeks.”

With Tuesday’s release of the app, Kelber will now be in charge of its supervision. For example, he will check whether it fulfils its purpose, because according to the General Data Protection Regulation (GDPR), the processing of data is only legitimate if it fulfils its purpose.

Kelber does not see the risk of discrimination through the app.

If landlords or employers demand that the app be shown, they are already in violation of the GDPR. This would represent an insight into personal health data that is not justified, because an infection cannot be conclusively determined or excluded from the app data. Hence his appeal: “Better not try it.”

[Edited by Zoran Radosavljevic]

Subscribe to our newsletters