Data protection commissioner releases report for 2011-2012
When presenting his 24th Activity Report on Data Protection covering the years 2011 and 2012 on 24 April, the Federal Commissioner for Data Protection and Freedom of Information Peter Schaar mentioned that
the activity report “emphasises the increase of data protection issues by many examples from almost all areas of our lives,” Schaar said.
“ It is not only the young people who will not envisage their lives without smart phones and Internet. Also increasing is the alleviated use of many everyday objects by the “internet of things” - from cars to electricity meters to television - computer chips simplify our lives, but at the same time they also collect comprehensive user data. Therefore up-to-date rules for handling information technology are more urgent than ever,” the Commissioner said.
Compared with these challenges, the political and legal progress in data protection is very modest a press statement outlined.
“Unfortunately, improvements proclaimed by the Federal Government for its legislative period were only implemented to some degree, The Employee Data Protection Act was definitively shelved after heavy criticism in spring. Thus, employees still remain without adequate legal protection against spying at the workplace.
Under reference to the discussion on European level, the intention to modernize German data protection law was not pursued any further. However, the new European law will come into force no earlier than 2015.
A comprehensive independent evaluation of the security laws has not taken place. Nevertheless, the security authorities were provided with additional powers and data files during the period under report (No. 7.1).
The Federal Government has not followed up the “Red Lines Act” for the limitation of data collection and profiling on the Internet, which was announced in 2010. Instead, the Federal Government apparently puts all hope in the business sector’s self-regulation.
The Foundation for Data Protection, which is to start its work this year, shows an excessive presence of business representatives in its committees. Anyhow the financial framework is so limited that grants from companies are inevitable. The question is now how it might perform its duties independently as required.
The most important discussions on data protection are currently taking place on European level. The data protection reform package presented by the European Commission offers the chance to up - date data protection and to enforce data protection provisions effectively. With regard to this European legislative process, I expect the Federal Government to yield a high level of data protection in a committed and constructive way. For a European General Data Protection Regulation the following points are particularly significant; Non-European companies have to comply with the European data protection law when they offer services in the European internal market and intend to process Europeans’ personal data (marketplace principle).
The Data Protection Authorities’ independence has to be ensured vis-à-vis national governments and vis-à-vis the European Commission. They must get a position to effectively penalize violations, especially by means of fines, which are based on the financial capacity of the respective companies.
Technological data protection must be strengthened. In so far, the draft contains promising approaches (Privacy by Design, privacy-friendly default settings, privacy impact assessments) which, however, need to be ex-tended. I advocate the setting of strict limits to the merging of personal data to profiles and to their use.
Given the increasing data exchange between European security authorities, it is necessary to provide European minimum standards for data protection without jeopardizing the German level of data protection. That is why the Directive for data protection in the area of police and justice proposed by the European Commission is of great importance. However, the draft directive requires significant amendments.
Objections and citizens’ complaints
85 officers have conducted 106 inspections of public federal agencies. A total of 15 complaints were made. 9,729 citizens have appealed to the Federal Data Protection Commissioner in 2011 and 2012.
Other topics of the 24 Activity Report Google, Facebook and other internet companies with headquarters in the United States continue to collect comprehensive data in Germany and Europe, partially in violation of local data protection laws. The data protection authorities of several European Member States cooperate in a joint initiative for the punishment of Google’s violations against European data protection regulations. Although an inspection of the services of Facebook by the Irish data protection authority has led to some improvements (such as turning off the facial recognition for all users from the European Member States) - many data protection issues remain unanswered yet.
The Federal Commissioner takes a critical stance towards the fact that during the period under report the security authorities were granted additional powers and instruments again and before the reappraisal of the former causes and negative developments was completed.
Already in the legislative process for the Act on Setting up a Counter-Terrorism Database the Federal Commissioner advocated stricter data protection regulations, in particular to protect (“contact”-) persons with no criminal record. Due to the arrangement of responsibilities for the counter-terrorism database scattered on different administrations, data protection supervisions encounter considerable difficulties.