Im Januar dieses Jahres veröffentlichte die Europäische Kommission einen Vorschlag zur Überarbeitung der bestehenden Datenschutzrichtlinie aus dem Jahr 1995, die nicht mehr in der Lage ist, die Herausforderungen vor die uns Cloud Computing und Co. stellen, adäquat zu beantworten. Der Vorschlag eines Entwurfs einer neuen Datenschutz-Grundverordnung wird derzeit sowohl auf deutscher als auch auf europäischer Ebene intensiv diskutiert. Obwohl wir Minister Friedrich seit langem, ob nun in Pressemitteilungen, in Anträgen oder in Anhörungen, auffordern, konstruktiv am Entwurf der Kommission mitzuarbeiten und sich endlich in die seit langem laufenden Debatten einzubringen, um so für einen effektiven Grundrechtsschutz der Bürgerinnen und Bürger zu sicherstellen zu können, verschläft die Bundesregierung diese so wichtige Diskussion leider komplett.
Dabei wird der Vorschlag der Kommission derzeit sowohl im Bundestag, wo wir vor Kurzem im Rahmen eines grünen „Datenschutz-Pakets“, das mehrere Initiativen umfasste, auch einen entsprechenden Antrag mit der Aufforderung in Richtung Bundesregierung, sich endlich für einen Erfolg des Reformvorhabens einzusetzen, eingebracht haben, als auch im Europäischen Parlament, wo unter anderem gerade ein interparlamentarische Hearing „The reform of the EU data protection framework. Building trust in a digital world“ stattgefunden hat, intensiv diskutiert. Hier findet Ihr eine Tagesordnung der Anhörung.
Während der Anhörung, die vom 9. und 10. Oktober 2012 in Brüssel stattfand und an der neben Mitgliedern des Europäischen Parlaments auch zahlreiche Vertreterinnen und Vertreter nationaler Parlamente, Regierungen, der Wirtschaft, verschiedener Datenschutzbehörden und der Zivilgesellschaft teilgenommen haben, hatte ich die Gelegenheit, im Rahmen des Panels während der Session VI „Police data sharing and access to private data bases“ in einem Kurzvortrags die Position der Grünen Bundestagsfraktion hinsichtlich des Reformvorhabens zu erläutern. Hier dokumentieren wir meine Rede.
Interparliamentary Committee Meeting
The reform of the EU Data Protection framework –
Building trust in a digital and global world
9-10 October 2012, European Parliament, Brussels
Input Dr. Konstantin von Notz in Session VI: “Police data sharing and access to private data bases”
Guiding questions for the panel (see invitation):
- Should such a new framework also apply to purely domestic processing activities by law enforcement or should it be limited to cross-border cases only (question of reversed discrimination, data protection as a common fundamental right from the Charter, subsidiarity, etc.)?
- There is a growing tendency by law enforcement to have access to data held by private companies for commercial purposes; how to ensure a proper balance between law enforcement needs and fundamental rights?
I. Address of welcome and thanks for invitation
II. General remarks:
The primary aim when harmonizing data protection laws has to be the setting of high protection standards all over the European Union. We as parliamentarians have the duty to fight a political development resulting in a race to the bottom of data protection standards in Europe.
The protection of personal data in the field of police and judicial cooperation in criminal matters is not a folklore at the discretion of the ministers of the interior of the Member States, it is an obligation deriving from the EU Charter of Fundamental Rights, the Treaty on the Functioning of the European Union as well as from the national constitutions.
As a Member of the German Bundestag and as a Member of the Green Party, all my positions taken are based on the conviction that the high data protection standards set by the data protection laws in my home country, the German Constitution and the elaborated case law of the German Constitutional Court harbor many valuable standards for the European development as well. This is especially true for data retention, profiling and data mining where our Constitutional Court clearly declared that the hurdles for the use of those instruments have to be extremely high and limited to exceptional cases.
What we need are high data protection standards all over Europe and not just high data protection standards for the cross-border flow of data between police and law enforcement authorities in Europe. Therefore strong EU data protection legislation is necessary. And the lack of those legal data protection standards resulting from the dramatic loopholes and weaknesses of the existing EU framework decision on data protection are a severe threat for the fundamental right to data protection of the individuals in Europe.
For this reason I want to underline that I do not sing from the same songsheet as those in Germany, who see the harmonization of data protection legislation in Europe as a threat as such. The contrary is true: this harmonization is absolutely necessary! But the fact, that a former judge of our Federal Constitutional Court publicly expressed a very sceptical position regarding this harmonization process shows: after the harmonization of protection standards in the field of asylum, the harmonization of data protection is a second stress test for the multilevel system of fundamental rights protection in Europe. And it is our task and responsibility as parliamentarians and legislators in Europe, to achieve a high level legal data protection in Europe.
What we see is an ever closer and intransparent cooperation and data exchange between police and law enforcement agencies all over Europe, complemented by more and more EU data bases, EU agencies and private and official data pools at the national level. And all those elements, authorities, agencies and data pools are somehow interconnected with each other. I don`t have to tell you anything about Prüm, the Swedish Initiative, PNR, the data retention directive, the access to the Visa Information System and the processing of personal data by Frontex – to name only a few of the interdependent and overlapping EU instruments fostering the free exchange of personal data between police and law enforcement agencies.
Where the dream and the agenda of security driven policy in Europe is the principle of free availability of personal data for all security authorities and the free processing and use of those data together with the data available in the respective EU Member State, we need strong EU data protection standards for domestic processing activities as well as for cross-border cases. Otherwise we’ll end up in a nightmare of uncontrolled overall surveillance. Moreover I think, the future EU legal instrument for data protection in the sector of police and criminal justice should include additional data protection standards for EU authorities and agencies as well.
But those strong EU data protection standards are not only important with respect to the rule of law and fundamental rights protection. Those strong EU data protection standards are also the precondition for the necessary exchange of personal data for the purposes of crime prevention and persecution. Without those standards we won’ t achieve the necessary mutual trust for the cooperation of security authorities all over Europe. Mutual trust in data protection standards is not only important for the private and commercial sector. It is also the precondition for a successful security policy in Europe.
We face a dilemma and difficult political decisions: on the one hand we really do need a new legal framework for the area of police and criminal justice. On the other hand we cannot accept proposals allowing for forms of processing of personal data, which are forbidden under our national
constitution and the main principles of our national data protection legislation. The more we transfer personal data systematically to other EU countries in the context of security policy, the more our legal and political responsibility for breaches of fundamental rights through the processing of data somewhere, elsewhere (who knows to what end?) becomes evident. Our political and legal responsibility for the fundamental rights of the data subject does not stop at the physical German state border, nor are we allowed to be blind and process data non-regarding under which circumstances and data protection standards they have been collected in other EU countries.
That’s why we need a strong EU data protection legislation for the domestic level as well as for crossborder cases.
II. The Commission’s proposal for a directive for the police and criminal justice
I don’t want to repeat the comments made by the Art. 29-Group, the European Data Protection Supervisor and the civil society groups, especially Privacy International. I just want to mention briefly a few strengths and some weaknesses of the proposal from a (green) German point of view.
1. We need a framework for the domestic processing as well as for cross border cases (guiding question 1, see above)
I already explained, why I think that this is absolutely necessary. I welcome the Commission’s decision to include domestic processing as well as cross-border cases in the scope of the directive. Data protection at the domestic level unfortunately has been excluded from the scope of the 2008 framework decision under the German presidency.
The argument brought forward at the moment -especially by the German government- that there is a lack of EU competence for data protection legislation for “purely domestic” activities under art. 16 of the treaty on the functioning of the European Union is a flimsy pretext. In my eyes it is an attempt to undermine German data protection standards; to undermine national protection standards by
supporting the securitization of EU policy on the one hand and trying to prevent a balanced EU data protection law on the other hand.
Good legal arguments for the German position concerning Art. 16 of the Treaty on the Functioning of the European Union can hardly be found. I don’t want to bore you with the details. But since the EU competence itself refers to the fundamental right to data protection and since a “national origin” of a single data with a view to the complex structure of the EU information management system cannot be identified, it is impossible to protect the individual against breaches of the right to data protection without regulating as well the national data protection level.
Briefly: the EU fundamental right to data protection requires a comprehensive EU data protection legislation protecting the data subject all over Europe. This is only possible, if we have EU legislation setting at least minimum standards for data protection at the domestic level. Thus, there can be no doubt, that processing of data in the Member States falls under the scope of Union law in the sense of the data protection competence in Art. 16 of the Treaty on the Functioning of the European Union.
2. Access to private data pools by police and law enforcement agencies: we need restricting provisions for the access to those pools and for data mining, data screening and profiling (guiding question 2, see above)
Access for police and law enforcement agencies to data held by private companies for commercial purposes is very problematic. In Germany the use of external data pools for crime prevention and their subsequent use for data mining, screening and profiling are strictly limited through constitutional restraints. Our Constitutional Court in its decision on the legitimacy of the use of online-surveillance tools even went as far as to claim a new constitutional right to “integrity and confidentiality of it-systems” which raises high hurdles for state access to any device designed to enable sophisticated forms of processing personal data like for instance smart phones and their enabling infrastructure. Additionally, both in its judgements on the so
called “Rasterfahndung” and on data retention of telecommunication data the constitutional court limited the use of data pools collected for general or completely different purposes to exceptional cases of concrete danger of high ranking legally protected interests. This means, that the general threat of terrorism cannot justify the pooling of data by the state or the use of private data pools held for commercial purposes. To give you an impression of the ranking of the Constitutional Court’s arguments in this respect: the Court underlined the potential discriminative effect of data mining, data screening and profiling. And the Court argued, that overall surveillance of the individual is a breach of the right to human dignity as the underlying concept of our Constitution. Especially the court´s claim that there is a need for high security standards in any privately run infrastructure which is systematically being used for law enforcement purposes should be of high interest for a European regulative perspective as well.
Due to the ever closer interconnection between data pools and police and law enforcement authorities in Europe this leads me to a clear answer to the second question posed for this panel: we need precise EU provisions limiting to exceptional cases the use of external data pools, be they held by the state or private persons an limiting to exceptional cases data mining, data screening and profiling.
In this respect the Commission’s proposal for the data protection directive is extremely weak and therefore cannot be accepted.
Thank you for your attention.
Alle Unterlagen zum Hearing, Stellungnahmen, Tagesordnungen, Reden und vieles mehr können auf der Seite des Parlaments heruntergeladen werden.