date 2023-03-16

Federal data protection officer Kelber warns the federal government and criticizes the EU Commission



The Federal Data Protection Commissioner Ulrich Kelber has no shortage of work these days. The BfDI received 10,614 reports of data protection violations in 2022, 500 more than in the previous year. By the end of the week, Kelber is also expecting the decision of the Federal Press Office (BPA) as to whether it will stop operating the “Bundesregierung” Facebook fan page, as Kelber ordered in a notice; at the moment that does not appear to be the case. At the presentation of the annual report of the data protection supervisory authority, the former SPD member of the Bundestag Kelber called on the federal government to create clarity.

Kelber explained that if the federal government did not sue, the fan page would have to be shut down first. “There were some adjustments in this consultation process, but unfortunately they did not solve the main problem from our point of view. So if the path is feasible in compliance with data protection, then of course operations can also be maintained.” The BPA may have to take action here by Friday.

Health digitization as a point of contention

At the press conference in Berlin, Kelber focused on the question of health projects. “We are big fans of digitization in healthcare,” said computer scientist Kelber, “and you are sitting in front of someone who wants an electronic patient file as a private individual.” Among other things, the Ministry of Health announced extensive changes last week as part of the announcement of a new digital strategy. For example, the electronic patient file is to change from the opt-in to the opt-out model in the future.

Kelber emphasized today that the Ministry of Health, led by Karl Lauterbach, has not yet specified the details in many places, but that the BfDI (Federal Commissioner for Data Protection and Freedom of Information) will of course give an opinion on the planned legislative projects. “It’s about not doing without basic data protection and IT security measures for apparent comfort reasons,” Kelber said, making his position clear. This affects, among other things, the question of who is allowed to see which data and when. There is still no solution “for insured persons with the electronic patient file who do not want to use a suitable smartphone or tablet to control their electronic patient file.” Instead of finally creating solutions for this, health insurance companies sued against a corresponding order from the data protection officers and used the money of the insured persons to do so. A second obligation imposed on the health insurance companies was successful, however, namely that document-specific settings should be possible.

Many questions about the ePA still unanswered

For the future, however, many questions remain unanswered: how reading rights can be restricted, or what an opt-out from use as research data looks like, has not yet been specified further. Overall, the criticism of the data protection supervisory authorities is not directed against better use of data for health research, emphasized the Federal Data Protection Commissioner – here, too, it is a matter of concrete implementation.

Kelber did not flatly oppose the BMG’s plan to declare only one data protection supervisory authority responsible for research data projects in the future. What matters here is that a competent state data protection supervisory authority must also be able to evaluate and accompany large research projects: “Many of my colleagues in the state data protection authorities are still extremely tight when it comes to their human resources.”

Kelber’s authority raised specific objections in the case of a redemption platform for electronic prescriptions because there had been “fundamental, strong IT security problems. It would have been easy to access the data of all insured persons from over 18,000 locations in the republic,” said Kelber today. The BfDI then made suggestions as to what a data protection-compliant solution with the same comfort and functionality could look like.

CSA regulation: Kelber criticizes chat control

Kelber expressed sharp criticism of the planned so-called chat control proposed by EU Interior Commissioner Ylva Johansson. The Commission’s proposal for better investigation and prosecution of depictions of child sexual abuse includes extensive obligations for providers of platforms, for hosters and number-independent communication services – i.e. chat systems. If content is end-to-end encrypted, the latter should check content for possible legal violations before encryption or offer other ways of checking. “The question of breaking it open is particularly difficult, regardless of the type of secure encryption,” says Kelber. “This is something that must be avoided at all costs because it has many other dangerous consequences, including the increased possibility of third-party attacks from the outside.”

Kelber is also critical of the active examination of files stored by the providers: “The screening of all existing data, thus providing deep insights into private life, is also to be viewed critically, above all because the protection provided by experts and experts from criminal prosecution and child protection is rated as low.”

Lots of shadow, some light

But Kelber also offers sharp criticism in other areas. In his report, for example, he recommends “fundamentally revising” the regulations for data trustees provided for in the Telemedia Teleservices Data Protection Act, since in his opinion the current regulation is not GDPR-compliant. In addition, the so-called anti-terror database and the right-wing extremism database should be abolished for lack of use. In his report, Kelber also clearly criticizes the fact that the BfDI, which is supposed to issue an opinion on many laws in the legislative process, was regularly only involved with very short deadlines in 2022, for example in regulations to combat the Covid pandemic.

However, Kelber was also able to report positive things in his activity report: for example, the concept of the Federal Ministry of the Interior for the case processing system in the Federal Criminal Police Office was successful and is now to be implemented, federal apps are to be made available on alternative stores in the future, and the German Pension Insurance Association has fundamentally revised its data protection organization.




