With the federal president handing over her certificate of appointment, the new Federal Commissioner for Data Protection and Freedom of Information (BFDI) Luisa Specht-Riemenschneider officially took office on Tuesday. At the federal press conference in Berlin, she answered the question of how she wants the office to run – and put some early exclamation marks. Specht-Riemenschneider said she is striving for “digitalization that is sensitive to fundamental rights.” At the same time, she “does not want to be limited to the role of a naysayer,” said the new Federal Data Protection Commissioner. It is about showing how projects are possible. However, there are red lines in the data protection law that must be followed. It is about the implementation options under the data protection law.
Advertisement
She wants to use her term as an invitation to dialogue on trusted digitalisation and to offer a fresh start where discussions have been stuck. But this also requires the cooperation of the other parties involved: Specht-Riemenschneider appealed for the early involvement of the BfDI. This is something her predecessor Ulrich Kelber had repeatedly complained about. Although necessary, draft laws relating to data protection often reached the authority late in the process and its comments were ignored.
Specht-Riemenschneider relies on dialogue in the health sector
Specht-Riemenschneider wants to focus on three areas in particular. The first is the health sector, in which large-scale changes have recently been introduced as a result of the Health Data Use Act and the Digitalisation Act. In the health sector, sensitive data is processed, which requires taking data protection into account from the very beginning, says Specht-Riemenschneider. “Especially in the health sector, data protection and digitalisation are considered too much in opposition to each other,” the Federal Data Protection Commissioner says, which she regrets.
However, the success of research data access and electronic patient files depends on high data protection standards and IT security. There should be no doubt about the level of security, but at the same time functionality must be guaranteed. To this end, she wants to involve everyone involved, such as doctors, but also patients.
Demand: AI supervision of data protection officers
The second focus area of her tenure will be artificial intelligence. Apart from the many opportunities, it also involves significant data protection risks. She wants to do “everything we can as a supervisory authority to enable a trustworthy and fundamental rights-oriented AI landscape.” But she also wants to campaign vigorously against AI that violates data protection. Specht-Rienschneider says AI real-world laboratories are desirable.
“I am firmly convinced that AI supervision belongs in the hands of the state and federal data protection authorities,” said Specht-Riemenschneider. This is the logical consequence of existing competence and independence, as required by AI regulation. It is also comparatively cost-effective. Discussions are currently underway at federal level about which German authority should become the supervisory body for AI regulation – Federal Digital Minister Volker Wissing already spoke clearly in favour of the Federal Network Agency in an interview with c’t in May.
Security projects in focus
The third area that the new BfDI wants to prioritise is internal and external security. “The price of our security must never be our freedom,” Speck-Riemenschneider stressed. The risk potential for false suspicions increases with each data set collected. “We need a balance between surveillance measures to ensure internal and external security.” However, without independent control and the protection of fundamental rights, trust in the security authorities is at risk. Speck-Riemenschneider expressed criticism of the idea of transferring control for the intelligence services from the BfDI to the independent Control Council – but was prepared for close cooperation with it.
In the ongoing debate about the expanded use of facial recognition procedures, as is currently being planned by the federal government, Specht-Riemenschneider expressed caution. He pointed out that there are already legal options for using facial recognition in some areas. However, when it comes to data that is freely available on the Internet, there are certain requirements that must be followed: “I simply cannot say: facial recognition can be used for any kind of law enforcement.”
In this area in particular, it is important to ensure that the balance between the various fundamental rights is enshrined in law. However, her authority has not yet received any specific draft law, so she does not want to speculate about its possible rules. In addition, the Federal Constitutional Court will probably provide further information in early October when it announces its decision on the BKA law.
However, state data protection authorities and the federal data protection authorities are currently discussing the question of databases that have been collected on a large scale without permission and beyond the intended purpose, or AI systems that have been trained with data illegally, under the heading of “infection risk”. This not only applies to facial recognition services such as PimEyes or Clearview, but is also a problem with, for example, research data, which is why it needs to be addressed holistically, says Specht-Riemenschneider. How the “fruits of the forbidden tree” can be dealt with cannot yet be said conclusively.
GDPR: The gold standard with gaps
Overall, the GDPR is a gold standard, but enforcement is still often lacking. This applies particularly to the area of enforcing the rights of private individuals in relation to large internet companies. They could only enforce their claims with great effort. The official enforcement of the GDPR could also be improved, for example by allowing the Data Protection Conference of the States and the federal government to work more closely with the law. With regard to their European colleagues in other EU countries, they also regret that large platforms are still allowed to operate despite major data protection deficits.
At the same time, Specht-Riemenschneider also sees the legislature as having a duty to explain more clearly which data processing procedures are socially desirable and to establish the corresponding rules in law. She believes that it is unfair that the entire responsibility for processing is placed on the affected people and the processors.
BFDI intends to pursue legal proceedings
Specht-Riemenschneider currently sees no need to change the legal proceedings her authority is conducting against the Federal Press Office: “I see no reason to put a question mark behind every case we make.” Ultimately, only the courts can provide legal clarity on various questions of interpretation.
Specht-Riemenschneider was elected by the Bundestag in May after a months-long search by the FDP and the Greens following a formal proposal for a cabinet. She once again explicitly thanked her predecessor Ulrich Kelber, who gave great popularity to the issue of data protection.
(Old)
