“Don’t be afraid of supervision.”
Denis Lehmkemper has been the State Commissioner for Data Protection of Lower Saxony since 15 September 2023. In July of this year, a group of experts on the topic of AI, which he convened himself, began its work. BvD-News spoke to the lawyer about the goals of the advisory body, his position on Microsoft Teams and the still pending Employee Data Protection Act.
BvD-News: Mr. Lehmkemper, what issues have you experienced as major challenges in data protection so far?
Denis Lehmkemper: One thing is clear: the GDPR is well established, both for companies and for public authorities and citizens. But in my view, we are currently entering a new phase of digitalization with AI, which could not have been considered when the GDPR was adopted. The development of AI is certainly at the forefront of this, but it is also about the advancing digitalization in business and administration in general.
The second thing I see is that data protection is far too often used as an excuse when things don’t work out. I have to admit that this got on my nerves relatively quickly. Also because it’s often not true. It’s just convenient to say: “And there’s also data protection.” That’s why we decided to say to the critics: “Come to us and we’ll talk about where the data protection problem lies.”
BvD-News: What was the response to this?
Denis Lehmkemper: Some associations have actually contacted us. We are trying to provide information and make the problems a little smaller as a result. Surprisingly, it’s also quite easy to get rid of the blanket accusations against data protection.
BvD-News: You have set up an AI expert group on the subject of AI. Who is it aimed at?
Denis Lehmkemper: Right at the beginning of my term of office, we identified AI as a major topic for the authority. There were also intensive discussions on this at the level of the Data Protection Conference (DSK). That’s why we wanted to approach the topic differently. On a car journey to Berlin, we came up with the idea of bringing stakeholders from the AI environment to the table. At the same time, with the expert advice behind us, we can advise the state parliament, our client, and provide pointers for possible legal regulations on how the public administration in Lower Saxony can use AI.
BvD-News: AI is also a big topic for data protection officers. What do you think lies ahead for our profession?
Denis Lehmkemper: In my opinion, the biggest challenge is having to track and evaluate the constant technical innovations in order to be able to advise an organization well. In my view, this pressure to digitalize and innovate is being countered by the increasing importance of data protection. I think that’s an incredibly difficult task.
BvD-News: How do you support data protection officers in this?
Denis Lehmkemper: We have a regular exchange with both official and company data protection officers. In the beginning, I deliberately attended a lot of meetings to listen to the issues that concern DPOs. And I also want to convey that they don’t need to be afraid of supervision. In the end, I would much rather prevent data protection breaches than sanction them.
BvD-News: You had already focused on the pharmacy sector and carried out audits there. Are there other sectors that you want to scrutinize in terms of data protection law?
Denis Lehmkemper: We are currently taking a closer look at two or three sectors. But until we have a result, I don’t want to comment. However, we are seeing an increase in complaints in the real estate sector. Due to the housing shortage, this is a socially relevant issue. It could well be that some citizens waive their data protection rights in order to have a better chance of finding a home. Of course, we don’t think that should be the case.
BvD-News: I would like to talk about Microsoft Teams. Unlike other authorities, you do not see any data protection violations in the use of Teams. What changes at Microsoft have made this assessment possible?
Denis Lehmkemper: You are referring to the negotiations between the Ministry of the Interior of Lower Saxony and Microsoft regarding the introduction of Teams in the administration. I would like to start by saying that we were not directly involved in the contract negotiations. However, we did provide intensive advice to the CIO of the Lower Saxony state government during the negotiations. At the same time, he had the support of a law firm. We advised on the resolutions passed by the DSK on Microsoft. According to these, the Online Service Terms and the Data Protection Addendum must be in line with the requirements for order processing and appropriate technical and organizational measures must also be implemented. We submitted our “Gold Standard” to the Ministry of the Interior. In the end, we came to a result that we can describe as “acceptable” for use in the administration.
BvD-News: What does the agreement actually contain?
Denis Lehmkemper: Specifically, restrictions were agreed on the categories of data processed and more transparency regarding the subcontractors used. Microsoft has also undertaken to only use non-personal, i.e. anonymized, data for its own purposes. And we have clear restrictions on third-country transfers, for example that the support must come from a country with the same level of data protection and that Microsoft must comply with EU law in future in the event of disclosure requests from government authorities. On this basis, the CIO is now implementing technical and organizational as well as documentation and information obligations. I am confident that it will work. It is important to note that not all requirements can be fulfilled centrally by the CIO. A number of tasks also lie with the deploying authorities themselves, for example with the register of processing activities or the data protection impact assessment.
BvD-News: Another area where you see an urgent need for action is the Employee Data Protection Act. Where do you think it still stands?
Denis Lehmkemper: Unfortunately, the ball is still in the Federal Government’s court. But in the meantime, I’m not particularly confident that anything will change before the general election. We do have a lot of court decisions in employment law that shape the interpretation of the law. But especially in light of the development of AI, I don’t want to let politicians off the hook. There needs to be a societal debate as to whether minute-by-minute monitoring should be allowed in certain sectors. Performance monitoring and performance evaluation makes my stomach ache.
Denis Lehmkemper
Denis Lehmkemper is a lawyer and has held various positions in the state of Lower Saxony since 2001. Before moving to the head of Lower Saxony’s data protection supervisory authority in September 2023, he was head of the Spatial Planning, Land Development and Promotion Department at the Lower Saxony Ministry of Agriculture. Prior to that, he was head of the department’s personnel division.
Lehmkemper was born in Hamm/Westphalia, studied law in Marburg and completed his legal clerkship at the Darmstadt Regional Court. Denis Lehmkemper is married and has three children.
