Data retention dilemma

The Federal Commissioner for Data Protection and Freedom of Information (BfDI), Andrea Vosshoff, released the latest report on Germany's ongoing performance in data protection. The 317-page document, which is published every other year, came at a time when Germany is fiercely debating its future direction on data protection and retention principles.

With the release of the report, Vosshoff stood out for criticizing a controversial draft law intended to govern mass data retention. She called the draft “unconstitutional,” and said that the bill, which is going to be up for a parliamentary vote in September, could not be passed in its current form. Vosshoff suggested that the draft was in breach of both German and EU law.

The commissioner clarified that the draft law stipulated that telecommunications companies would be required to store telephone and online data of all citizens for ten weeks - for no apparent reason. While supporters of the bill have said that it was justified for fighting crime and terrorism, Voshoff explained that security agencies would be left with too much power, and that she could “not justify such massive interference into personal rights.”

She pointed out that the law in question also made provisions to store user locations for all mobile phone calls placed in Germany for four weeks, creating copious volumes of personal data.

Vosshoff was not consulted on new draft law

While regarded somewhat of an improvement on previous practices, which used to allow telecommunications companies to store user information for six months, data protection practices remain a divisive topic in Germany. Vosshoff stressed that she understood the public dismay over concerns relating to mass data retention, adding that the government had not consulted with her when drawing up the legislation, despite the fact that her office was the highest government authority for data protection issues.

The commissioner further emphasized in her criticism that the Constitutional Court, Germany's highest court, as well as the European Court of Justice had both previously provided sufficient guidelines on the matter after the EU had decided last year that Germany's practice of mass data retention went against EU law. A former supporter of mass data retention, Vosshoff also admitted that she had personally experienced a change of heart on the issue after she had studied various EU guidelines and regulations on data protection.

One quarter of government agencies break data protection laws

Vosshoff further disclosed in her report that various government bodies had transgressed current data protection guidelines. She mentioned that her team had served notices on 21 occasions while reviewing 93 government bodies in the past two years - since the last report had been published under her predecessor, Peter Schaar. With new EU guidelines due to take effect later this year, she said that she hoped her office would be given greater powers to administer fines in such cases.

The commissioner also highlighted that in the past two years the number of citizens turning to her office had more than doubled. More than 23,200 German citizens had contacted the Commissioner for Data Protection during that period citing various data protection concerns. Vosshoff pointed out that Edward Snowden's NSA revelations had led to a particular spike in activity.

More resources needed

She also stressed, however, that with the ever-increasing amount of traffic and public scrutiny she would require further resources in future, in particular staff. Statistically speaking, she said she could afford to audit each of the 3,500 telecommunications companies under her oversight only once every 350 years. With almost a quarter of all the government agencies reviewed during the past two years having been flagged for malpractice already, Andrea Vosshoff appears to have her work cut out for her.

Vosshoff praised the growing international cooperation in fighting data crime and addressing data protection issues. Speaking at a news conference she said: “When data is spread globally, protections will also need to be international.” The publication of her report came just days after a summit of various EU interior and justice ministers held in Luxembourg to discuss reforms to data protection and privacy rights.

This is the first report published under Vosshoff at the helm of the organization, which currently is part of the German interior ministry. However, the Federal Commissioner for Data Protection will become an independent federal agency at the beginning of 2016, as outlined by EU regulations. Vosshoff, who took over the post at the beginning of 2014, is the first woman to hold the position and might just turn out to be the most outspoken commissioner to date.