Policy letter summer 2024

Dear readers,

Europe has voted. As Chairman of the Professional Association of Data Protection Officers in Germany (BvD) and President of the European Federation of Data Protection Officers (EFDPO), I would like to congratulate all newly elected MEPs and look forward to working with them. Let us set the course for a successful and secure digitalisation of Europe in Brussels, Strasbourg and on the ground.

An important issue here is how to deal with artificial intelligence: in order to seize the opportunities of AI for the European economy while protecting the privacy and data protection interests of citizens, we need effective supervision. This supervision must be well equipped, in terms of both personnel and expertise, in order to keep pace with rapid developments. In the complex interplay of sectoral responsibilities and federal structures, especially in Germany, it is still unclear who will be responsible for AI governance.

It will come as no surprise to you that we, as data protection officers, see the protection of personal data and trade secrets as a fundamental component of the European legal and life model. The GDPR continues to apply without restriction – and must be complied with. We want to protect people and companies from the risks of unauthorised data processing. This is what we stand for as data protection officers. From small companies to large corporations and public authorities, it is important to involve data protection officers in the training, development and use of AI at an early stage.

Companies need clarity, legally binding guidelines and advice when dealing with AI products. We will need many talented experts for this, because it will not be easy to find thousands of new AI officers for companies and authorities. Data protection officers, with their many years of knowledge of the processes in their respective organisations, could be an important interface here.

The federal and state supervisory authorities must likewise be enabled to fulfil their advisory function.

Speaking of which, I would also like to take this opportunity to thank the outgoing Federal Commissioner for Data Protection and Freedom of Information, Prof Ulrich Kelber, for his consistently inspiring work and wish his successor, Prof Dr Louisa Specht-Riemenschneider, all the best.

Dear Members of the European Parliament and the Bundestag: Let us discuss these key issues together and benefit from the practical experience of data protection officers in many thousands of companies. We wish you a good start in Brussels, an equally good summer and an interesting read.

Thomas Spaeing

BvD Chairman of the Board

Expand compliance and advice from data protection authorities

Data protection advisory services must be expanded throughout Europe. This demand is based on the observation that the data protection supervisory authorities are currently unable to sufficiently fulfill their legal obligation to provide information and raise awareness of the correct handling of data.

Data protection supervisory authorities should be enabled to offer comprehensive advisory services. An expanded range of advisory services would help to increase general awareness and education in the area of data protection, thereby reducing both uncertainties and risks.

A key concern for data protection officers is the evaluation of complex data processing models, which is a major challenge for start-ups in particular. Many new business models are based on innovative data processing techniques that often have far-reaching implications in terms of data protection law. Without adequate advice from the data protection supervisory authorities, these companies are often left with nothing but a “trial & error” approach: they have to make repeated attempts to achieve compliance with the General Data Protection Regulation (GDPR), which is inefficient and risky, and can paralyse digitalisation and innovation. So-called regulatory sandboxes distort compliance and do not prepare companies for the reality of data protection law; the BvD therefore rejects them.

Many companies are currently unsure how to implement the legal requirements correctly. Targeted advice could clear up misunderstandings and avoid mistakes, which would ultimately lead to higher overall compliance, faster implementation and better protection of citizens’ data – also in light of the interplay between the various digital policy acts of recent years.

In addition, preventative advisory services could reduce the burden on data protection supervisory authorities in the long term. If companies understand and implement data protection requirements in advance, the risk of data protection breaches is reduced, as is the need for subsequent audits and sanctions. This would free up the authorities’ capacities to focus on particularly critical cases and increase the general efficiency of data protection monitoring.

Certifications: Creating Europe-wide standards

The training and the professional and specialist knowledge of data protection officers are very heterogeneous, both nationally and across Europe. This is initially more of an advantage: dealing with rapid digital change and increasing automation through AI requires different specialist areas and knowledge of IT, law and process consulting and, not least, industry knowledge and communication skills.

Despite all the diversity, there also needs to be a certain degree of uniformity in the certificates of competence. Europe-wide certification with binding standards would make it easier for companies to select suitable advice and provide data protection officers with a guideline for planning and updating their training. The next legislative period must be used to develop and establish Europe-wide standards for the transparent, secure and successful handling of data. In many cases, there are already tried and tested procedures that only need to be regulated politically.

In Germany, the BvD has presented a concept for the personal certification of data protection officers with DPO-Cert and, with its professional mission statement, has enabled a voluntary commitment to quality standards that have been actively practised and verifiable for many years. Europe-wide standards should be based on this. The BvD and its European umbrella organisation EFDPO are already in talks with the national data protection associations in the EU and are ready to present the model at any time.

Involving the DPO in the event of data breaches reduces risks and bureaucracy

Involving the data protection officer at an early stage always makes sense and usually reduces litigation costs, not least, and above all, when dealing with personal data breaches. With one simple change, efficiency could be increased significantly and companies and authorities relieved of bureaucracy.

Would you like an example? Personal data breaches must be reported to the competent data protection supervisory authority without undue delay and, where feasible, within 72 hours of the controller becoming aware of them. This notification obligation creates considerable problems and effort for both companies and supervisory authorities. For the most part, the cases involved are minor: the disclosure of email addresses through open distribution lists, malware infections on simple workstations, or address mix-ups.

For such minor incidents, documentation of the breach should be sufficient and the obligation to notify the authority should be waived. This would be a simple way of relieving the burden on both companies and supervisory authorities without reducing the level of protection.

The documentation of every personal data breach required by Art. 33 (5) GDPR could be designed to relieve the company: the DPO would keep this register of data breaches and monitor the remedial measures defined by the controller.

What specifically needs to be adapted?

Art. 33 GDPR must be adapted so that the data protection officer can decide, after detailed documentation, compilation and assessment of the incident, whether a notifiable breach has occurred. This would also bring further harmonisation with Section 65 BDSG, which stipulates that a notification is only necessary if the breach is likely to have jeopardised the legal interests of natural persons.

BvD Association Days: Ulrich Kelber makes his last public appearance

The opening speeches at the BvD association conferences traditionally belong to politics and the major policy guidelines. More than 250 participants witnessed the last public appearance of Prof. Ulrich Kelber as Federal Commissioner for Data Protection and Freedom of Information. His speech focused on data protection through anonymisation or pseudonymisation, where he said decisive potential had not yet been exploited. Removing the personal reference, i.e. anonymisation, creates scope for research and is a crucial interface between data use and data protection. Kelber firmly rejected the common prejudice that data protection advocates want to slow down digital change: “We are pragmatic fans of digitalisation.” Precisely because they think the process through to the end and point out legal weaknesses, data protection advocates support digitalisation processes and therefore companies.

At the end of the month, Ulrich Kelber will be replaced by Louisa Specht-Riemenschneider.

Another long-serving representative of data protection also made an appearance before his departure. “Pirate” Patrick Breyer, who for personal reasons did not stand again as a candidate for the European Parliament, gave a much-noticed keynote speech.

At its heart was a report on the current points of dispute between the European Parliament and the Commission, such as chat control or the digital euro. Breyer sees the indiscriminate interception of digital communication not only as a gross infringement of civil rights; he also demonstrated impressively that other technologies can prevent online crime far more effectively. For the Pirate politician, these include security by design and the deletion of content, because: “Mass surveillance is not the model of freedom.” He also called once again for the rapid adoption of the ePrivacy Regulation, which is several years behind schedule but, according to Breyer, is still urgently needed.

At the end of his report, the digital freedom fighter made a fiery plea for the digital self-determination of an entire continent, and for Europe, even if the political debates are mostly tiring and sometimes disillusioning.

A detailed summary of the event and the full speeches by Thomas Spaeing and Sergey Lagodinsky can be found here.

Position papers (in German only)

  • Paper on the European elections (PDF, 5 MB)
  • Appointment of data protection officers – independence only possible with a commitment to perpetuity? (PDF, 81 KB)
  • Europe’s AI dilemma: digital sovereignty solves many problems (PDF, 5 MB)

Stay informed

Stay up to date and don’t miss any news! Register for our press mailing list and receive regular information from the network of data protection professionals.