Shaping data protection for the future now!
Press release of the 84th Conference of the Data Protection Commissioners of the Federation and the Federal Länder on 7/8 November 2012 in Frankfurt (Oder).
At the close of the 84th Conference of the Data Protection Commissioners of the Federation and the Federal Länder, the Brandenburg Commissioner for Data Protection and the Right of Access to the Files, Dagmar Hartge, the Commissioner for Data Protection and Freedom of Information of the Free Hanseatic City of Bremen, Dr. Imke Sommer (Conference Chair 2013), and the Federal Commissioner for Data Protection and Freedom of Information, Peter Schaar, jointly presented the results of the Conference:
The data protection commissioners call on the Federal Government to advocate an effective General Data Protection Regulation for the European Union in the Council of the European Union. They strongly oppose efforts to create extensive exemptions from data protection obligations for the business sector. The Data Protection Commissioners reject the opinion of the Federal Minister of the Interior that data protection legislation should only regulate so-called "risky" data processing. The Federal Constitutional Court has long since clarified that there are no "irrelevant" data. Any processing of seemingly "irrelevant" data can have serious consequences for the individual. Therefore it is the state’s duty to protect consumers’ data by law. One example of the need for high Europe-wide minimum requirements is employee data protection. In Germany the relevant rules are totally inadequate. Binding provisions for employee data protection should be added to the European Commission’s proposals.
The Conference calls on the Federal Government and the Länder governments to clarify the reasons for the undesirable developments of the past before they expand the exchange of data between police and intelligence services. A new authorization for exchanging information cannot eliminate the existing shortcomings in implementation. If a thorough investigation reveals that a reform is required, the fundamental rights of citizens, the obligatory separation between the police and the intelligence services, and effective oversight, especially of their compliance with data protection law, must be guaranteed. This is our answer to the attempt of the ministries of the interior of the Federation and the Federal Länder to connect police and intelligence services more closely and to facilitate their exchange of information.
Public investigations in social networks raise data protection issues. The data protection commissioners request that investigation data be published only on the websites of the police. Unless the public character of social networks is to be used for investigation purposes, the investigation data must not become part of the services of social networks.
The data protection advocates call on the legislator to finally create sufficient legal bases for source telecommunications surveillance. In this context, the requirements for the protection of the core area of private life as identified by the Federal Constitutional Court must be taken into account. Covert online monitoring should be permitted only in strictly limited exceptional cases. The standardized specifications for future surveillance that are currently being developed cannot replace a legal basis. In source telecommunications surveillance, software is installed on the computer of a suspect in order to monitor its encrypted communications. Recently, the data protection commissioners’ tests of the so-called Trojan horse software used by the government revealed significant technical shortcomings and showed that the software did not meet the data protection requirements.
The transfer of registration data in electronic form to religious communities under public law and to the Fee Collection Center of public-law broadcasting institutions in the Federal Republic of Germany (GEZ) is only allowed if the data are sufficiently encrypted and if the identity of the sender and recipient is unambiguous. The Conference calls on the Federal Minister of the Interior to make the transmission standard "OSCI Transport" binding for the transfer of registration data to religious communities under public law as well as to the Fee Collection Center of public-law broadcasting institutions (GEZ). The transmission standard "OSCI Transport" ensures secure encryption and transfer of personal data. The data protection advocates point out, however, that these procedures have to be regularly reviewed and developed in accordance with the state of the art. The registration offices are required by law to transfer registration data to religious communities under public law and to the Fee Collection Center of public-law broadcasting institutions.
In order to ensure a privacy-friendly use of IPv6 (Internet Protocol Version 6), the new standard for data transfers and assignment of addresses on the Internet, the Conference is publishing a guide. The guide is addressed above all to providers and equipment manufacturers in the retail business. Among other things, the data protection advocates provide instructions on the assignment of Internet addresses. This is intended to prevent targeted tracking of user behavior on the Internet. The guide also enumerates conditions to be met by providers in order to facilitate secure and confidential Internet communications for users. Soon many providers will introduce the new Internet standard; private customers will be the first to be affected. This new Internet protocol is necessary due to the shortage of free Internet addresses in the previous version.
In order to ease the strain on their budgets, authorities and businesses are increasingly using common infrastructures for their data processing procedures. In a guide, the Conference explains the data protection requirements for this form of data processing. Even if several data processing entities use the same computing and storage systems or databases (e.g. in common computer centers), personal data may only be processed separately. Authorities and companies have to delineate their respective procedures from each other in such a way that personal data can only be processed by authorized entities ("clients"). Only if the IT infrastructure and processes allow such a separation is the required limitation of the use of data to the purposes for which they were collected maintained. Rights of transfer and access must be restricted to what is necessary.
Internationally operating service providers, such as Facebook and Google, also have to respect the laws of the Federal Republic of Germany. These laws oblige providers, for example, to allow the use of social networks on the Internet anonymously or under a pseudonym. In this respect, the Data Protection Conference sees a need for action.
The Conference of the Data Protection Commissioners of the Federation and the Federal Länder is a voluntary association of the Data Protection Commissioners. They meet twice a year under a rotating presidency. The conference adopts resolutions in which the data protection advocates take a position on current issues relating to data protection in the area of technology, business and justice.