AI in administration
Data protection officers discussed digitalization, social media and Microsoft at the BvD Authorities Day.
AI and the AI Regulation are becoming a hot topic in administration. With increasing digitalization, authorities, municipalities and other public institutions are using AI applications to simplify application and approval procedures or provide translations quickly, for example. In Baden-Württemberg, the police and state Office for the Protection of the Constitution are to be equipped with AI and semi-automated analysis software to evaluate image and video material, among other things, as part of the planned state security package.
And this is where the problems are already becoming apparent. The projects in Baden-Württemberg are initially declarations of intent, said the State Commissioner for Data Protection and Freedom of Information, Prof. Dr. Tobias Keber, in his keynote speech at the BvD Public Authorities Day on October 18 in Stuttgart. The plans would now have to be cast into law. Whether these would stand up to judicial review is questionable.
In his keynote speech on the opportunities and challenges of AI in administration, Keber appealed to offices and authorities to quickly prepare for the AI Regulation, parts of which will come into force in February 2025. “AI expertise is important, we need to position ourselves very well and very early on,” said Keber. Administrations must be prepared for the start of the AI Regulation.
Keber currently counted 54 AI applications in public administration in Baden-Württemberg alone. These ranged from AI-supported objection regulations, for example for property tax reform, to behavioral detection and intelligent case selection, for example for random samples. In one case, an AI enabled interrogation comparisons. “However, this is a highly sensitive area,” said Keber. You have to take a closer look at a data protection impact assessment. As far as anonymization is concerned, the risk of re-anonymization is not averted. He therefore advises administrations to ask the question: “Do I really need this?”
AI not without humans
In her presentation in Stuttgart, Dr. Verena Guttenberg, Government Director at the Bavarian State Commissioner for Data Protection (BayLfD), pointed out that AI must be designed with people in mind and must therefore be trustworthy and socially acceptable. Data protection must be considered from the outset. After all, it is often no longer possible to implement it retrospectively. “AI without data protection is possible,” said Guttenberg, “but it doesn’t make sense. This is especially true for AI for public authorities.” When AI is used in public authorities, the processing procedures must be described in a way that everyone can understand and documentation should be created from the outset. In addition, authorities should be aware that the training of AI by public bodies is critical, said Guttenberg. Furthermore, administrations should always consider the purpose limitation of collected data. If public administrations want to use AI for decision-making processes, the AI is not allowed to make decisions on its own under the GDPR. The final decision on applications or approvals, for example, must always be made by humans, Guttenberg emphasized. The authorities would also have to pay attention to where the server on which the AI data is stored is located and guarantee copyright protection.
Her conclusion: Accompanying the technical development of AI in terms of data protection law is a challenging topic. In principle, however, it is subject to the GDPR. This means that public authorities can draw on existing expertise.
AI attacks on municipalities and public bodies
Against the backdrop of AI-driven cyberattacks, Nicole Matthöfer, President of the Baden-Württemberg Cybersecurity Agency, warned against negligence on the part of cities and local authorities. Without cyber security, data protection is not possible, she said in her keynote speech in Stuttgart. Administrations not only have to comply with legal requirements such as the GDPR and the AI Regulation, but also have a moral responsibility towards their citizens. Data protection and cyber security ultimately promote trust in the state and its institutions and therefore in democracy.
Raising employee awareness of data protection issues helps to prevent attacks, said Matthöfer. If an attack does occur, knowledge about how to handle personal data helps to improve the handling of the case. The Baden-Württemberg Cybersecurity Agency provides information on training and assistance in the event of an attack at cybersicherheit-bw.de.
Further topics: Social media, procedure directory and SDM
The Public Authorities Day also dealt with a range of other current topics relating to data protection in public administration. A perennial topic: the presence of public authorities on social media. Karoline Nutz from the LfDI took up this topic. And she made it clear: if local authorities use Facebook, Instagram, LinkedIn or TikTok, this not only affects data protection, but sometimes also personal rights, liability rights, copyright, domestic and contract law, possibly competition law and the protection of minors. “Anyone who uses social media as a public authority is responsible for what they do there,” said Nutz. This was made clear by the ECJ ruling in 2022 on fan pages on Facebook. According to this ruling, responsibility also extends to data processing by platform operators and to the joint fulfillment of data subject rights such as information, deletion or compensation obligations. The “balance of power” between the parties involved often does not correspond to the guiding principle of the GDPR, said Nutz. A division of obligations would only be possible if the platform operators disclosed all processing of personal data. As the administrations’ influence on the services is limited, they must ensure that no data of citizens is processed by the platforms. However, this could already be done by integrating social media widgets on the administration’s website or tracking methods such as cookies. The situation is becoming even more difficult because the platforms are now training AI applications with user data. Overall, it is impossible for administrations on social media platforms to determine the purpose, type and scope of the intended use. “Authorities are trustworthy social actors and role models for communication that complies with data protection law,” said Nutz.
The European Health Area – without data subject rights
The Bavarian State Commissioner for Data Protection (BayLfD), Prof. Dr. Thomas Petri, who is responsible for the administration, criticized the design of the European Health Area. In Stuttgart, he criticized the fact that the draft contains extremely detailed regulations for health data and processing bases. However, the rights of data subjects would be largely abolished.
According to Petri, however, the sharing and use of data should be permitted for the most part. “A great thing for healthcare services,” he criticized. In future, data protection officers will have to protect the rights of data subjects even more than before.
No fine but further measures
The topic of claims for damages against public institutions is likely to gain momentum. In her presentation at the end of the Public Authorities Day, lawyer Isabelle Brams from Latham & Watkins said that there is no regulation on fines for public authorities for data protection violations. However, there are other possibilities for sanctions in the event of data protection violations, such as warnings, orders and claims for damages. At the same time, she conceded that legal proceedings against local authorities and their handling of the processing of personal data are becoming increasingly complex and lengthy, partly because the authorities now have more experience in conducting proceedings. Brams sees a further obstacle in the obligation of data subjects to prove that the misuse of personal data results from a specific data protection incident and that they have suffered concrete and actual damage in the event of a lawsuit.
In the final format “The supervisory authorities answer your questions”, Petri reported on a case in Bavaria in which a mayor had filed a criminal complaint against another mayor because the latter had published non-public data. “It happens,” said Petri, “not that often, but it does happen.”