To celebrate the Data Protection Day we publish an impressive speech by Prof. Niko Härting who has been consistently listed among the best lawyers in IT law in the Best Lawyers Ranking since 2014.
Today I would like to talk about data protection. Data protection during a pandemic. What lessons have we learned from the last two years?
I‘ll talk about how data protection has two faces in 2021. One face is relatively young and nondescript, data protection as a component of regulatory compliance, ensuring consumer protection in a digital world. And the other face is rather old and distinctive, data protection as a civil right, a human right, and a stronghold against an intrusive state.
I’ll talk about why data protection needs both faces. And I’ll emphasize that data protection is part of a family – the family of civil rights. Because I firmly believe that data protection is not a kind of “savant syndrome.” Every data protection advocate should deeply care about citizens’ rights – all citizens’ rights. Any sound, earnest, and credible data protection advocate will always equally be a civil rights activist.
- Data protection is a civil right. And because data protection is a civil right, data protectionists cannot remain silent when civil rights are being drastically curtailed.
So why do we protect data? For one thing, we don’t protect personal data merely for its own sake. Data protection isn’t an end in itself. That’s something we all know.
Data protection is a civil right. In Germany, this right derives from the general freedom of action and basic human dignity, i.e., from the general right to privacy. Likewise, under the European Charter of Fundamental Rights, data protection is a fundamental right on its own. Moreover, data protection is also a manifestation of the human right to privacy as protected by the European Convention on Human Rights. So data protection is a human right.
As of March 2020, we have seen restrictions on civil liberties that most of us could never have imagined. Businesses have been forced to close, citizens only allowed to leave their homes “for a good reason,” and demonstrations subject to rigorous restrictions. And when the state infringes on fundamental rights to such an extent, it makes no exception for data protection. So how do you explain that theaters are closed to prevent the spread of infection, but a policewoman has no right to know whether the man she’s supposed to arrest has COVID-19? How can we expect people to understand that COVID-19 warning apps can only be operated under the strictest data protection regulations if students have to stay at home to avoid getting infected? And how can we justify the fact that restaurant owners have to handle their guests’ contact data with the utmost care due to data protection, yet every guest has to provide proof of vaccination and disclose health data everywhere they go?
Suitability, necessity, appropriateness – the trifecta of proportionality. These questions arise in the context of data protection. But it also goes far beyond that. Who even asks if the contact data we’re required to leave behind when visiting hotels and restaurants, pubs and gyms, or even brothels and sex clubs are actually collected and used by health authorities? Who asks if it’s fair, under the banner of “2G,” i.e., vaccinated or recovered, to turn away the unvaccinated even though they have tested negative? Who questions whether a tested but unvaccinated person actually poses more threat than an untested vaccinated person?
Data protection advocates cannot remain silent when an ever-increasing amount of health data is collected and stored in the name of infection control. That’s why Stefan Brink was right to voice his concern recently when the Baden-Württemberg state government announced serious plans to abolish face masks in restaurants exclusively for those who are vaccinated. If every guest can see which employees are unvaccinated, there’s a risk of stigmatization and social pressure. The fundamental right to informational autonomy is supposed to protect us from both.
- COVID-19 policy is about the classic balance between freedom and security. As data protection authorities are the defenders of freedom, they simply cannot look the other way.
This year marks the 20th anniversary of 9/11 and the subsequent anti-terror laws passed – the “Schily Packages.” And it was exactly 20 years ago, from October 24 to 26, 2001, that the Data Protection Conference (DSK) – 18 federal and state data protection commissioners – met and, according to their press release, demanded “homework from (Interior Minister Otto) Schily.”
“Bettina Sokol – State Commissioner for Data Protection in North Rhine-Westphalia and acting chairwoman of the conference: “Many proposals remain unbalanced and lack an objective and conscientious consideration of the individual’s civil liberties and personal rights.” The data protection commissioners criticize that everything that seems technically possible is being proposed without regard for the fundamental principle of non-interference and without first assessing what is truly necessary and helpful in combating terrorism. They urge those responsible for security policy not to limit personal rights prematurely and without careful consideration. A state of emergency cannot be allowed to become the norm.
Any new measures being considered must be reviewed to determine whether they are suitable and genuinely necessary for effectively combating terrorism. The one-sided pursuit of all-encompassing security must not be allowed to supersede the existing social consensus on the importance of civil liberties and personal rights.”
Clear and precise requirements and stern warnings. In 2001, the Data Protection Conference was still a body of civil rights activists. But can we still say that about the DSK today?
What do the Schily packages and 9/11 have in common with COVID-19? Like today, there was fear – both of terrorism and the pandemic. And just like today, there was a “security faction,” a “caution faction” that called for a ” powerful state.” And like today, politicians reacted with legislative packages that restricted civil rights to protect us from terror, death, and disease. Now, just like then, data protection was inconvenient. Those who opposed and still oppose biometric identity documents and pervasive questions about “vaccination status” are suspected of protecting perpetrators, lacking solidarity, and standing in the way of the greater good and health protection.
In the debate over freedom versus security – whether it’s over anti-terrorism legislation or anti-infection measures – data protection is firmly on the side of freedom. However, this is not quite as self-evident today as it was 20 years ago. In 2001, just 18 years had passed since the Federal Constitutional Court’s ruling on the census. Today, the birth of the fundamental right to informational autonomy lies almost 40 years in the past.
In the meantime, 75 years have passed since the Nazi era and 30 years since the fall of the Berlin Wall. The memory of history is fading, and the mistrust of an omniscient and omnipotent state is lessening. Under Chancellor Angela Merkel, the government’s face has become friendlier in the eyes of many citizens. Data protection is no longer viewed as the citizen’s safeguard against an overreaching state but as an instrument of consumer protection and a compliance issue. Data protection debates center on American Internet giants, cookies and credit history records, and only rarely on data-hungry government agencies. So it’s not surprising that very few critical voices were heard from data protection advocates during the COVID-19 crisis.
- Protecting civil rights in times of uncertainty has always been unpleasant. So likewise, data protection advocates should feel uneasy.
When data protection advocates silently accept that every brothel and self-help facility is required to collect “contact information,” they are doing a disservice to data protection. When data protectionists endorse curfews, they can no longer credibly explain why the transfer of every person’s data to the U.S. is about human rights.
By profession, data protection advocates are on the side of freedom. As a civil right, data protection is about freedom, not security. And as defenders of freedom, they should be more than just uneasy when it comes to American Internet giants’ popular apps and online services. We have to be more than just annoying when criticizing cookies, personalized advertising, and Facebook fan pages. We also need to be uneasy when the state protects us from terror and violence by monitoring our emails. We must be vigilant even when they try to track our contacts using an app. We cannot resign ourselves to the fact that health is a greater good and that this good cause justifies the means.
- Data protection is more than consumer protection and compliance. Data protection is a citizen’s stronghold against the intrusive state.
Every one of us is a consumer. And consumer protection is essential to all of us. So it makes sense to everyone that it’s right for consumers to know what happens to their data in data protection regulations and privacy policies. It makes sense to us that data protection authorities ensure that companies do not misuse consumer data. We agree that companies should not be allowed to spam our inboxes with unsolicited advertising. And we agree that personalized advertising must be regulated.
Many of us make our living from compliance. With comprehensive rules for handling personal data in companies and government agencies. With guidelines, instructions, data protection information. With deletion concepts, impact assessments, and reporting procedures. Compliance is the bureaucratic face of data protection, a world of checkboxes and filing cabinets.
Data protection is more than mere consumer protection and compliance. Data protection is the citizens’ defense against excessive state intervention. As such, data protection is always political as well. Data protection advocates who want to be taken seriously cannot allow themselves to get comfortable in the compliance departments of companies and the comfort zone of consumer protection. They must speak out when the state tightens its grip on surveillance. Data protection advocates must participate in the social discourse
of civil rights activists.
- Data protection principles also apply when data is processed for a “good cause.” Proportionality does not distinguish between “good” and “less good” causes.
The end doesn’t justify the means. And in data protection, there is no hierarchy of processing purposes. When health data is processed for infection control purposes, the same criteria apply as when data is processed for advertising purposes. The outcome of the trade-offs may be different, but the requirements and principles always stay the same.
Data minimization, storage limitations, purpose specification: All of these are relevant to the purposes of data processing in the pandemic, of course. And so, it was right for Stefan Brink and Barbara Thiel not to turn a blind eye when they heard that police officers were asking health offices whether they had any knowledge of positive COVID-19 tests for individual citizens. We must take care to ensure that contact, test and vaccination data aren’t simply collected as a precautionary measure and stockpiled, but instead used for specifically formulated purposes and deleted promptly. It’s only right that a COVID-19 app not be deemed privacy-compliant merely because a well-known artist presented it on (the TV program) Anne Will. Then days later, the first regional governments bought licenses and firmly anchored the app in their own regional protection policies. And we will all need to make sure that data collection laws do not take on a life of their own. The end of the “pandemic emergency” must also mean the end of the widespread collection of contact and health data.
That brings me to my final point:
- Data protection is the perennial scapegoat of digitization. The reasons for this are manifold, but one factor is that data protection law is so complicated that the average consumer cannot understand it.
Scapegoating data protection. When city council members perceive an audience as more of a disturbance, they veto the streaming of their meetings – data protection. When public officials don’t want to respond to annoying press inquiries about a public official, they regretfully decline to comment – data protection. When officials only respond to urgent requests by postal mail and not email, they shrug their shoulders – data protection. When government agencies don’t want to abandon the fax machine they’ve grown so accustomed to, or when offices don’t want to update their software or prefer to keep using paper, they always cite “data protection” as the reason.
The pandemic revealed that processes within the public health departments, the Robert Koch Institute, and a host of other organizations still operate in an antiquated and cumbersome manner. And digitization is still in its infancy in many parts of the healthcare system. But what do you hear from the people in charge? Yes, we’d love to, but “data protection.”
Data protection as a scapegoat. Many data protection professionals have a hand in this. When Thuringia’s data protection commissioner, Lutz Haase, discusses the legality of displaying names on apartment doorbells in newspaper interviews, he’s reinforcing the uneasy feeling many laypeople have. Data protection is complicated and bureaucratic, the purpose is not always clear, and it often makes everyday life unnecessarily difficult.
When the news broke that a teacher in Thuringia had received a letter from the data protection authority for questioning students about their willingness to be vaccinated (not about their vaccination status!), an educational journal reported:
“He (Lutz Haase) suggested that the questioning of the students may also have been about ideological data. However, even for this – depending on the age of the students – the parents’ consent might be necessary.”
“Do you want to get vaccinated?” Lutz Haase certainly has some imagination because I would never have considered this a reference to a belief or a worldview if I’d been asked this question.
Objections and associations like these do nothing for the image of data protection. And the fact that we can draw conclusions from data protection law lies in part with the mistakes made during the creation of the GDPR. For fear of “loopholes,” no one was willing to exclude everyday communications – nameplates on doorbells, class photos, congratulatory announcements – from the broad principles of prohibition under data protection law. No distinction was made between harmless everyday communications and the collecting of highly sensitive or even private data. Instead, they created a highly complex body of law within Germany on thousands of pages with around 15 annotations intended to cut a path through the jungle. As a result, we are the only clear beneficiaries of the GDPR: the lawyers, the consultants, the annotators, and academics who make a good living from it.
In the near future, the acceptance of data protection will hinge on the willingness to streamline the regulatory framework. But unfortunately, complexity will continue to be our Achilles’ heel, allowing data protection to be used as a scapegoat to shift attention away from our own failures – in digitization and the transparency of government action, but equally in healthcare and the efficient containment of a pandemic.
Data protection is and will remain a civil right that we all hold dear. And as a civil right, data protection is inseparably linked to many other rights of citizens – among them freedom of speech and assembly, protection of privacy, freedom of association, freedom of movement, and protection of housing. Those passionate about data protection cannot remain silent when civil rights are infringed upon. The dedicated data protection advocate is always on the side of freedom when striking a balance between security and freedom. Data protection has no comfort zones and must always remain uncomfortable.
This article was first held as a keynote at the BvD Autumn Conference on Data Privacy in Munich on October 27, 2021 and appears here on on the occasion of #DPD2022 by courtesy of the author.