Laudator: Werner Hülsmann, FifF

The BigBrotherAward in the category "Government Authorities" is going to

the prime minister of the federal state of Lower Saxony

Mr Christian Wulff

for demolishing the data protection authority in Lower Saxony.

Slowly but steadily, more and more federal states (Länder) governments are handing over the supervision of data protection in the economy to independent Data Protection Commissioners appointed by the states. However, the government of Lower Saxony has decided to place these supervisory duties into the hands of the Ministry of the Interior and Sports, with the beginning of next year.

For some time, the supervision of data protection in the economy had been split between the Ministry of the Interior for jurisdictional and the Data Protection Commissioner for technical supervision, which made the latter the actually responsible authority. At latest since the European Directive of Data Protection of October 1995, this division was no longer practicable. The Directive requires complete independence for data protection authorities, not only for public administration, but also for the economy.

This measure was taken for good reason. Quite frequently, decisions taken by data protection authorities working in regional councils or in the Ministry of the Interior of various federal states can be suspected of allowing for the interests of security services such as the police or public prosecution.

Two decisions may serve as an example:

  • The regional council of Darmstadt giving permission to save and store the connection data of internet flat rates for up to six months; an illegal regulation, as the local magistrates' court has found since, and
  • the decision by the Ministry of the Interior of the state of Baden-Württemberg to allow introducing a process that allows customers to pay with their fingerprint. Of course, the digital data of each fingerprint then need to be saved, e.g. at the premises of a pub or in the centres of retail chains, such as EDEKA.

In both cases, investigators have a "natural" interest in gaining access to these data.

This serves to show that 10 years after the European Directive of Data Protection had been issued, it was high time to finally reform the procedures of data protection supervision in Lower Saxony. However, the step was taken into the wrong direction. Instead of giving the independent Data Protection Commissioner the responsibility of legal supervision as well, as practised quite successfully in other German states, the government of Lower Saxony has created a new department within the Ministry of the Interior and Sports.

In the future, the Data Protection Commissioner's responsibilities are to be restricted to local and regional authorities, while the Ministry is going to fully supervise the economy. The government is talking of "synergetic effects", though these would be much more effective if all responsibilities were put into the hands of the Data Protection Commissioner.

Embarrassingly enough, the EU commission had introduced legal proceedings against Germany in July 2005 for breach of contract, because the various forms of technical, jurisdictional and disciplinary supervision of data protection in the economy did not comply with the requirement of "complete independence" of the supervising authorities. Contrary to the demand of granting more independence to the data protection authorities, the decision by the government of Lower Saxony makes the supervision of data protection even more dependent on the interests of the government.

It is mere eyewash when the state premier's office states in a press release that this shift of responsibilities was to avoid "frictional loss" in "preparatory jurisdictional processes". Quite obviously, the government is taking punitive action on the Data Protection Commissioner for his often critical comment on a number of bills! One example is his objection to the stated reasons for the law on preventive monitoring of telecommunications, a law that has meanwhile been ruled unconstitutional.

It seems the ambition of the government of Lower Saxony to copy the outgoing Federal Minister of the Interior in this area. He also greatly disliked the comments of "his" Data Protection Commissioner, asked him for more restraint in this matter and reproached him for "transgressing his competences". However, it is quite within the responsibilities of the Federal Data Protection Commissioner to criticise government projects, and it does not matter much whether the government in general or the Federal Minister of the Interior in particular cherish these comments at all.

It is pure cynicism that the said press release on changing responsibilities includes a reference to the states of Baden-Württemberg and Bavaria, where the Interior Ministry or, respectively, a regional council has the responsibility of supervising data protection in the economy. After all, the state of affairs there leaves a lot to be desired, too. With very low personnel resources, it is not surprising that in these two states the economy or the citizens concerned feel hardly any effect of data protection activities. Accordingly, making data protection authorities independent of the Ministry of the Interior is now at least being considered there.

The Award goes to state prime minister Christian Wulff as representative for those committees of the government of Lower Saxony that have decided to demolish the state's data protection authority. Mitigating circumstances cannot be seen for Mr Wulff, as Lower Saxony is not only removing the supervision of data protection in the economy from its Data Protection Commissioner. Together with the state of Hesse, the government has also presented a bill to the Bundesrat (the Upper House of Parliament at the federal level) which, if accepted, will force significantly fewer companies to appoint a Data Protection Representative. This in turn would greatly weaken the internal supervision of data protection and privacy issues.

Data protection supervision of the economy that is dependent on the government, as it is being introduced in Lower Saxony, together with a decrease of in-house supervision of data protection and privacy in companies let us expect the worst as far as the protection of customer and employee privacy is concerned.

Congratulations to Christian Wulff, prime minister of the state of Lower Saxony.