At the “DPO Autumn Conference” 2020 organised by the BvD and the subsequent Authorities’ Day, around 200 data protection officers discussed the opportunities presented by the evaluations of the GDPR and the Federal Data Protection Act (BDSG) and by a return to a European perspective on data protection law. A post-conference report by Thomas Spaeing, BvD Board Chairman and President of EFDPO.
The Schrems II ruling of the European Court of Justice on international data transfers has been on the minds of DPOs (not only) in Germany since it became known in July. At the “DPO Autumn Conference” of the German Association of Data Protection Officers (BvD) and the subsequent “Authorities’ Day” in October 2020, the decision of the highest court of the European Union repeatedly played a role. Above all, the legal uncertainty that the decision left in its wake was felt throughout this joint conference of the BvD and the supervisory authorities of Baden-Württemberg and Bavaria.
The ECJ as a driver for data protection
In addition to me as BvD Board Chair, Dr. Stefan Brink, State Commissioner for Data Protection and Freedom of Information of Baden-Württemberg, also addressed the Schrems II ruling right at the beginning. “The ECJ is giving us a good run for our money”, declared Brink in his opening remarks. At the moment, everything still amounts to “exploratory steps”; and with the ruling, the GDPR now finds itself in difficult waters “that no one wants”.
Self-critically, Brink admitted that in a situation in which the data protection commissioners of the federal states are expected to provide orientation, the supervisory authorities “currently present an image that is not exemplary”. But this admission is also part of being truthful and transparent.
The assessments and advice on how to deal with the transfer of data to U.S. services and companies vary greatly from supervisory authority to supervisory authority – whether this concerns Microsoft 365, the use of U.S. programs such as Google Analytics, or direct contact between corporations in Europe and the United States. For data protection in Europe, this makes things more difficult: “How can we enforce common data protection law in the same way in all EU countries?” Brink asked. “The European Data Protection Board has great difficulty in taking good and visible steps”, he said. “But the coronavirus pandemic is also increasing the pressure on data protection.” Time and again, he hears the phrase that under corona, data protection doesn’t really work anymore. “That amazes me, especially when that reasoning comes from public agencies that are bound by law”, he said. He went on to note that certain regulations introduced by some states or by the federal government encroach on fundamental rights.
Brink pointed out that the pressure on some company data protection officers is no less severe. Some company managers want to act as freely as possible in the corona crisis. “We have to learn to withstand this pressure,” said Brink. “We have to hold our flag high and maintain our position.”
Data protection officers are becoming increasingly important
It is clear that the role of data protection officers is increasing rather than decreasing. As the BvD, we are therefore working hard to promote certification for data protection officers and for companies that behave in an exemplary manner in terms of data protection law.
Thomas Spaeing, BvD Chairman of the Board, also referred to this. “There will be a global quality seal competition that Germany must not miss out on! Apparently, German legislators have not yet recognised the potential. France, for example, is already much further ahead in this area.”
Instead of weakening the role of data protection officers via a renewed mock debate on the designation threshold (the employee headcount above which a company must appoint a DPO), the German government should have the courage to involve data protection officers more in tasks such as notification requirements, data protection impact assessments (DPIAs) and records of processing activities, in order to relieve the burden on small and medium-sized enterprises in particular. Spaeing explained that the goal of the evaluations of the GDPR and BDSG must be to increase the use and benefits of DPOs and reduce bureaucracy for companies. Above all, it must be possible to immediately take advantage of the opportunities arising from the GDPR for certifications and approved codes of conduct.
Open data required of the state: democratic digitisation
Guest speaker Saskia Esken, a trained computer scientist and chairwoman of the German Social Democratic Party, also warned against raising the designation threshold again. Esken argued that this would not be economically justifiable, as all the bureaucratic requirements of the GDPR and the BDSG remain unchanged for the controller – with or without a designated DPO.
At the same time, she called for more transparency from authorities and the state. “A state that keeps all information to itself fails to recognise its role in a modern information society”, she said. All public authorities are obliged to comply with the Freedom of Information Act. Many authorities still fight “tooth and nail” against this, claiming it would take too much effort to disclose data. “But open data does not mean additional effort; it means less effort in the end”, she said.
For Esken, what is at stake here is nothing less than “democratic digitisation” – this is the great social debate.
In Kai Strittmatter, long-time China correspondent of the German newspaper Süddeutsche Zeitung, Esken found a fellow advocate for a new understanding of democracy against the backdrop of digitisation. He reported on the “total surveillance” of the Chinese population by the government – with a network of surveillance cameras and the social control that this allows, as well as the awarding of social credit points.
In this context, the development is not about China, “but ultimately about us”, Strittmatter concluded. “If China is reinventing dictatorship, then we have to reinvent democracy.” He cited Taiwan and the Scandinavian democracies as role models that are trying to make digitisation and data collection by the state transparent.
Decisions on the participation of Huawei in the 5G tender, for example, must be preceded by the question of whether the German government can trust the Chinese Communist Party. If the argument that Chinese providers are cheaper counts in matters of national security, “then something is seriously wrong”, warned Strittmatter.
Middle ground, a data trust?
The question of how companies could use data without obtaining personal data by trickery or against the will of the data subjects was explored by Frederick Richter, board member of the Foundation for Data Protection (Stiftung Datenschutz), who explained the idea and conditions of a possible data trust.
Consumers could have their data anonymised via such a trust. The trust would strengthen individual control over data flows and could promote participation in economic data utilisation. In return, companies could work with the data more easily than before. However, there must be a sufficient level of security to prevent re-personalisation or de-anonymisation. Richter explained that if this were ensured, data processing in authorities and companies could leave the scope of data protection laws.
A side effect: large platform operators would no longer be ahead in the evaluation of personal data and could thus lose their sometimes overly dominant position in the market.
At present, however, what is missing are “best practice” examples that show in a comprehensible and economically feasible way how data subjects can be assured of a sufficient degree of security with regard to anonymisation. According to Richter, it is not yet clear whether the federal government will consider a trust model in its new data strategy, which has been in the pipeline for some time.
Of authorities and municipalities
Barbara Thiel, State Commissioner for Data Protection in Lower Saxony, reported that there is still a lack of awareness regarding data protection, especially among public authorities.
An audit of 150 municipalities conducted by her authority showed that most of them had started preparing for the GDPR too late. In addition, there were major deficits in the reporting of data breaches and in DPIAs.
In principle, the companies and authorities were audited identically, Thiel stated. As a rule, the visit was announced in advance and they were told which documents their authority would need to see and how long this would take.
Thiel emphasised that, particularly in the case of large on-site inspections, the companies answered willingly, and some were very polite and accommodating.
In contrast, the announced audits tended to be met with incomprehension by the municipalities. “The public sector must set an example”, said Thiel. “I would have liked to have seen a little more understanding and cooperation.”
Accordingly, as host at the “Authorities’ Day”, Dr. Stefan Brink encouraged data protection officers in public administration and authorities to pragmatically and helpfully ensure data protection. “But don’t let yourself be backed into a corner and pushed away from the decision-makers’ table.” It is also true for public authorities that data transfers to the USA should be put to the test after the ECJ ruling. He urged the data protection officers to “get going”. They should identify international data traffic and transatlantic service providers. “This is what we want to see in audits”, said Brink. “We don’t expect perfect solutions to be in place, but that people have thought about how to solve problems.”
The Bavarian Data Protection Commissioner, Prof. Dr. Thomas Petri, who is responsible for data protection at public authorities in his federal state, emphasised that his department is very concerned by the fact that the decision of the ECJ on Schrems II occurred during the time of the pandemic, in which society is dependent on digitisation.
This poses challenges, as his counterpart for the private sector, Michael Will, new President of the Bavarian State Office for Data Protection Supervision, explained. Whether regarding the corona warning app, guest lists in restaurants or police duties during the pandemic – his authority has to provide information in answer to many questions. Not all of these concern data protection law.
Christina Rölz, Head of the Data Protection Department at the Bavarian Ministry of the Interior, referred to another ECJ ruling on the applicability of the GDPR to the work of parliaments. The state parliament of Hesse had so far rejected the idea that it falls under the scope of the GDPR. The ECJ rejected this position, however: Article 23 does not provide for any exceptions.
Questions to the supervisory authorities
One of the now established highlights of both the “DPO Autumn Conference” and the “Authorities’ Day” was the Q&A panel “Questions to the supervisory authorities”. The questions covered a wide range: “Where do the fines go?” “Can an employer require its employees to register in the cloud?” or: “Can a local council stream its meeting?”
And at the end of the three intensive days, Schrems II popped up again, when Michael Will stated that the ruling had once again brought the role of company data protection officers into focus. In reply to the question of whether a company could migrate to the cloud with Microsoft 365, he explained that the risk assessment, the records of processing activities, the categories of data and the processing procedures – everything had to be looked at more closely after the ruling. In the end, the judges’ decision promoted the logic of the GDPR and was “extremely beneficial” to it.
Even though the idea of the “DPO Autumn Conference” originated from the BvD members’ wish for a central event in the south of Germany, the online format has now allowed the association to transcend regional boundaries and offer members nationwide a platform.