The General Data Protection Regulation (GDPR), which has been in effect for five years, opened up a new area of law when it was launched in 2018. Federal Data Protection Commissioner Ulrich Kelber knows that not everything can be clarified on the first day with court rulings and guidelines for users. However, the business associations were “poorly prepared” for the start and did not find out in a timely manner where the member companies and the supervisory authorities stood. Many disputes about the right to be forgotten or the required informed consent are currently still before the courts. When there is legal clarity, companies quickly adapt their processes.
“The European way – with compulsory seat belts and airbags”
Nevertheless, Kelber is tired of the “big whining from the industry” that we sometimes hear. When seat belts became mandatory, Mercedes-Benz didn’t complain that it was so mean. Rather, the car manufacturer “added the airbag to the market,” emphasized the inspector on Thursday during a question and answer session at the Telefónica base camp in Berlin. Business should now ask itself, “What is the European way” to make artificial intelligence (AI) work? It would also make sense to bring a messenger alternative to WhatsApp & Co. onto the market “that meets European values” and could give the manufacturer a competitive advantage via the GDPR. In order to help such an application achieve a breakthrough, it would be conceivable that it could be used across the board in the administrative sector, which would lead to 30 to 40 million users in this country.
In the area of AI, the computer scientist finds it “exciting what is now becoming widespread.” The technology “will also require us to make adjustments to data protection.” However, this is only a “very small part” of the regulation alongside aspects such as personal rights, copyright and liability. But what needs to be clarified is, for example, “who is responsible under data protection law?” The processor model no longer fits exactly here, as there are “levels of shared responsibility”. It also remains to be clarified whether GDPR principles such as consent, purpose limitation and data minimization already apply to the training of learning systems. A cross-departmental strategy group of the Federal Data Protection Authority will publish the first guidelines in 2024.
Artificial intelligence and data retention
According to Kelber, the “Italian colleagues” have already implemented a requirement for ChatGPT, according to which European users must be able to turn off the function through which the system also learns from the interaction with them: “Sensitive data must not have any impact.” With the planned AI regulation, the former state secretary is relying on a state or federal data protection authority as an “AI competence center” being responsible for data protection supervision and working with the other relevant control bodies as with the GDPR. For a larger GDPR reform, he would like to see a reduction in bureaucracy, for example through easing the information and documentation requirements, but on the other hand, he would like to see an earlier, stricter ban on profiling, for example for automated decisions.
Kelber believes that data retention that is largely limited to IP addresses can in principle be implemented in a legally secure manner, even after many restrictive relevant rulings such as the recent “very limited” ruling by the Federal Administrative Court. “Huge piles of data that cause other problems” are not proportionate. A quick freeze, as suggested by Federal Justice Minister Marco Buschmann (FDP), makes fundamental sense. A period of a “few days” is conceivable, during which IP addresses “must be retained for IT security reasons”. Peter Schaar, one of his predecessors, has already published a guideline with a storage period of up to one week. If there really is a suspicion, telecommunications data can be “put aside for the next two weeks,” according to Kelber.
The practitioner sees the new EU-USA data protection framework somewhat more positively than the Austrian activist Max Schrems, who brought down its predecessor agreements such as the Privacy Shield. He is therefore somewhat calm about the first lawsuit from French MP Philippe Latombe. The new construct is a “clear progress”. The US legal system works. A presidential order restricting the secret services there has a similar meaning to a parliamentary resolution in Europe. Overall, Schrems is doing a “really great job” and has helped, for example, to resolve cases with higher fines more quickly than the responsible Irish data protection authority had planned.