Data protection – design mandate in the age of digitalisation

Nov 22, 2022

The German Association for Data Protection and Data Security (GDD) held its 46th Data Protection Symposium (DAFTA) from 17 to 18 November 2022. After purely virtual events in the last two years, the event was once again held, as is tradition, in the Maternushaus in Cologne. The political discussion and all forums were also transmitted via the internet.

Prof. Dr. Rolf Schwartmann, Chairman of the GDD and Head of the Research Unit for Media Law at the Technical University of Cologne, opened the event with a caricature of the EU data strategy: the new Acts [i.e. Data Governance Act, Data Act, AI Regulation] are designed for data sharing and are intended to serve the good of mankind, but they would have the General Data Protection Regulation in their luggage. Taking the right course here is a particular challenge.

After welcoming addresses by Dr Ralf Heinen, Mayor of the City of Cologne, and Nathanael Liminski, Minister for Federal and European Affairs and Head of the State Chancellery of North Rhine-Westphalia, Axel Voss, Member of the European Parliament and rapporteur on the planned AI Regulation, opened the discussion on the new European Acts with a keynote speech. He emphasised that targeted, future-oriented data protection must make it possible to create added value from data. In this regard, there was a need for the GDPR to catch up, especially with regard to its principles of data minimisation and data deletion, in order to be able to achieve these goals. Artificial intelligence, as a central component of the data strategy, should not be over-regulated. The decisive factor for the obligations in the use of AI must be the risk potential of the respective application. In the current draft of the regulation, too many AI applications are covered by the legal regulations.

Gabriela Krader, Group Data Protection Officer of Deutsche Post DHL Group and Deputy Chair of the GDD, pointed to a mixed mood in the business community, which fluctuates between a gold-rush mood and panic: on the one hand, there is a great interest in data, but on the other hand, the obligations for data sharing are not sufficiently clearly outlined. Regarding the role of data protection officers, a change of era is imminent. Data protection compliance is increasingly developing into data compliance due to the new EU law. Additional skills are necessary for data protection officers in order to establish uniform data management in the company.

Dr. Stefan Brink, State Commissioner for Data Protection and Freedom of Information of Baden-Württemberg, referred to the difficult role of the supervisory authorities with regard to the Acts. The view of data processing must be broadened in the sense of data sharing while maintaining the restrictions of the GDPR. Incentives for fair and lawful processing must be created, whereby self-regulation is an important approach to deal with the difficult and abstract requirements of the GDPR.

In his keynote speech, Prof. Dr. Herwig C. H. Hofmann from the University of Luxembourg and litigator before the ECJ in the “Schrems cases” emphasised that the Data Act and Data Governance Act expanded the regulatory spectrum for data beyond the protection of personal data. Whether it is possible to create new data spaces that bring together data from a wide variety of sources is largely dependent on interoperability, which is increasingly moving from a technical concept to a legal one. Successful quality control of data is also crucial for success, which data protection has been able to guarantee in the past through data access rights for the benefit of the data subject.

The Managing Director of the GDD, Andreas Jaspers, placed the new Acts in a practical context. The standards for data sharing would have to be worked through in the GDPR if personal data were involved. There is no free pass for data sharing. Anonymisation and pseudonymisation of personal data are decisive instruments to enable data sharing under the planned new EU law.

Christian Völkel, Chief Privacy Officer of Porsche AG, sees the time of conservative data protection as over. The new Acts have an immanent design mandate, also for data protectors. However, the implementation effort to be expected from the Acts must be kept in mind, otherwise the companies would have more costs than benefits from it.

After the panel discussion, Andreas Jaspers and Dr. Niels Lepperhoff, both managing directors of DSZ Datenschutz Zertifizierungsgesellschaft mbH, presented the new “Trusted Data Processor” Code of Conduct for processors to the public in Forum 1. Thanks to the approval of the Code of Conduct by the State Commissioner for Data Protection and Freedom of Information of Baden-Württemberg and the accreditation of the DSZ as a monitoring body, processors can now subject themselves to a transparent standard. This also benefits data controllers who want to make their personal data available to a reliable service provider.