Interview: Ulrich Kelber: “Not a single measure to combat the pandemic has failed because of data protection”
Berlin. The Federal Commissioner for Data Protection, Ulrich Kelber, has warned against the hasty establishment of a national Corona vaccination register for the central collection of vaccination data. “Politicians should first and foremost specifically name the goals they want to achieve so that one can judge whether a central vaccination register is necessary or not,” Kelber told the Handelsblatt. “That should be the first step.”
The privacy advocate expressed criticism of the design of the 3G obligation in the workplace, according to which employees must prove before entering their workplace that they have either been vaccinated, recovered or tested negative.
“The regulation still needs to be interpreted in some places with regard to the exact execution,” said Kelber. “What I see critically is that the evidence is documented specifically for each person and status, and that the data can be kept for up to six months.” In most cases, this is unnecessary. Proof of this is sufficient for access control. “The personal storage of sensitive health data is not necessary for this.”
At the same time, Kelber countered the charge that data protection restricted health protection. Those who claim that have obviously not dealt with the subject.
“Not a single measure to combat pandemics failed because of data protection,” emphasized Kelber. In addition, data protection was also restricted in the pandemic, for example when transferring passenger data, collecting contact data in restaurants or registering when going to a hospital.
Read the whole interview here:
Mr. Kelber, a national vaccination register is currently being discussed in connection with a possible general corona vaccination requirement. What do you make of it?
I have not yet received a corresponding draft law, which is why I am not familiar with the specific project and cannot assess it. Politicians should urgently first identify the goals they want to achieve in concrete terms, so that one can judge whether a central vaccination register is necessary for this or not. That should be the first step.
When it comes to questions like this, things did not always go smoothly in the past legislative period in your agency’s cooperation with the federal government.
The former Federal Minister of Health Jens Spahn recently voiced this allegation. I was surprised three times over. Firstly, not a single project by the Ministry of Health has failed because of data protection. Second, no other ministry has invested so many resources from our agency in working together. And thirdly, the Ministry of Health is unfortunately also a prime example of how the cooperation that is required by law should not be organized.
In what way?
The Federal Ministry of Health did not use the advice at the beginning of a project, but only came very late with finished things. Then one is no longer able to take a path that is more friendly to fundamental rights. I think there are better ways of working together and that should start early on in all projects. That is exactly what we offer.
Were there also problems with other ministries?
In addition to the Federal Ministry of Health, we also made it clear to the Ministry of Labor early on that legal clarity must be ensured on the subject of 3G in the workplace.
You mean the corona regulation, according to which employees must prove before entering their workplace that they have either been vaccinated, recovered or tested negative.
I agree. Of course, it is possible to process this data if it is necessary to fight a pandemic. But there must also be a legal basis for this. The employer’s mere interest in this data is, for good reason, not enough. We explicitly pointed this out in August and offered our advice and support in creating the legal basis.
And that was not used?
We only received a nightly e-mail with the specific draft law in November and were expected to comment on it by the morning of the following day. In these circumstances, the advice we would like to give is of course not possible.
Then the 3G regulation is not now data protection compliant?
The regulation is still in need of interpretation in some places with regard to the exact execution. I take a critical view of the fact that the evidence can be documented specifically for individuals and status and that the data can be kept for up to six months. In most cases this is unnecessary. Proof of this is sufficient for access control. The personal storage of sensitive health data is not necessary for this.
In the Corona period it was said again and again that data protection should not take precedence over the health protection of the population. Is the objection justified?
Both fundamental rights must be guaranteed. Anyone who claims that data protection restricts health protection has obviously not dealt with the topic: not a single measure to combat pandemics has failed due to data protection. And of course, data protection has also been restricted in the pandemic, for example when transferring passenger data, collecting contact data in restaurants or registering when you go to a hospital.
The head of the Techniker Krankenkasse, Jens Baas, criticized the fact that patient data in Germany should not be easily evaluated for research. He even spoke of “failure to provide assistance”.
The TK boss would like to use data for his health insurance. There are rightly limits because the health insurance companies would then come into a position of power that is dangerous. As the supervisory authority for some health insurance companies, we repeatedly have to deal with data protection violations, for example when health insurance companies, in violation of data protection regulations, put pressure on their insured persons to reduce sick pay. That is not how it works.
Mr. Baas was primarily concerned with using health data for medical research, which is apparently difficult to do.
The biggest shortcoming in healthcare is insufficient digitization. Sometimes in hospitals not even X-ray images can be shared between the individual computers. Then the health authorities are still not digitized. Different legal regulations are certainly a shortcoming. I consider 16 hospital laws to be an obstacle because they do not allow cross-border cooperation. However, the following must always apply: no data may be processed without a legal basis. That’s why I very much support the fact that the new coalition wants to create a research data law.
What does the law have to do to prevent data misuse?
The legislator is bound by the General Data Protection Regulation. There are already opening clauses for the research area. We won’t have any Chinese conditions. In China, you can get a copy of the real-time data of all citizens as often as you want. That will never happen in Europe. That contradicts our European values. But research data centers are possible, for example, in which you can work with data on request without it being further disseminated.
Do you expect future cooperation with the federal government to go better?
We will point out that an early involvement of our authority only offers advantages. Wrong paths are avoided, data usage options become clear, and subsequent sanctions by the data protection supervisory authority are not necessary. Incidentally, involving us at an early stage is also part of the federal government’s joint rules of procedure. That would help a lot with the many digitization projects that the traffic light coalition wants to implement. We have identified at least 155 data protection-relevant projects in the coalition agreement. It’s going to be a lot of work over the next four years.
How do you deal with the repeated allegation that data protection is a major hurdle for digitization?
We data protectionists are fans of smart digitization. We want digitization that creates trust in the use of applications and that ensures that there are no scandals, leaks or mishaps that then set digitization back.
That sounds positive. Still, many believe that data protection requirements are a brake on digitization. This was also shown recently by a Bitkom survey. How do you explain the reservations?
This also has to do with a climate of opinion that is created by some decision-makers. Data protection is badly talked about in order to distract from one’s own digitization failure. I will give you an example. When the Federal Minister of Transport at the time was asked why the people in the Ahr valley were not warned of the flood by cell broadcasting, the direct answer was: “It was due to data protection.” That is the opposite of the truth. Cell broadcasting is an extremely privacy-friendly technology. We asked the ministry years ago to use cell broadcasting.
A lot of data is needed for the use of artificial intelligence (AI). In Europe there should be strict guidelines for the use of AI. Doesn’t that slow down innovations?
I think it’s right that the EU Commission wants to provide a regulatory framework. The use of algorithmic systems should be classified based on risks and then regulated. Artificial intelligence can take place with good data, even with a lot of data. Quite often it is not personal data or anonymized data. If so, processing is possible with consent or on a legal basis.
In the economy, strict regulation is viewed critically. The industry association BDI finds the term “high-risk AI systems” too broad, because the development of innovative AI applications may already be weakened at the outset.
We have actually been further in the debate. Namely, that the lack of regulation in a social market economy is not an end in itself, but that regulation creates fair competition and ensures that technological progress always goes hand in hand with the values of our Basic Law and the European Charter of Human Rights. Therefore I cannot understand this lamentation.
Is it necessary to certify individual products?
The possibility of having products or services certified would be a giant step. This enables small and medium-sized companies in particular to be on the safe side in terms of data protection law when they resort to certified offers.
Mr. Kelber, thank you very much for the interview.