The need for a proactive and fundamental rights-oriented data protection strategy

The times when data protection was limited to subsequently resolving the consequences of technological developments have long been a thing of the past. It is far from enough to rely on reactive measures, as has often been the case in the past. In view of the rapid digitization of all areas of life, the demand for aproactive, fundamental rights-compliant design of technical systems is constantly important. As early as 1995, the “Council for Research, Technology and Innovation” set up by the federal government recognized that data protection, which is traditionally regulated by legal requirements, urgently needs to be supplemented by innovative technical solutions, so-called “data protection technologies”. In the center of thisDevelopment stood the principles of data avoidance and data economy, i.e. the obligation to only collect personal data when it is absolutely necessary. The aim was and is to ensure that those affected have the highest level of anonymity towards network operators and providers.

Legal anchoring and practical challenges

Following this insight, the Bundestag enshrined a binding obligation in 2001 with Section 3a of the Federal Data Protection Act. Accordingly, both the selection and the design of data processing systems must be aimed at “collecting, processing or using as little personal data as possible or as little as possible”. In particular, possibilities ofAnonymization and pseudonymization can be used consistently, provided they are technically feasible and economically justifiable. But despite these clear specifications, the practical implementation of this design maxim has so far fallen far short of expectations. In public tenders, the principle of data economy is rarely included as a mandatory criterion. Rather showsin practice there is often a trend to the contrary: More data is collected and provided in the name of flexibility and versatility than is actually necessary.

Examples of lack of data economy and crumbling protective walls

A striking example of this problem was the introduction of the motorway toll. A technical system was deliberately avoided here, which does not even save the distances of the vehicles covered. Instead, attempts were made to protect the extensive movement data from improper use by legal regulations – a protective wall that is increasinglyEDM has since announced that the federal government has announced that it will also use toll data for the purposes of fighting crime and averting danger. Such developments make it clear how quickly and flexibly purposeful changes are allowed, which means that the original data protection promises are losing more and more of substance.

Risks of comprehensive monitoring potential

In view of the fact that modern information technologies have the potential to completely monitor all behaviors, contacts and communication processes, effective measures to contain this threat are urgently needed. Politics, business and science must become aware of social responsibility and set themselves clear boundaries. noEverything that seems technically possible should also be realized. Whenever you decide to use new IT systems, the impact on the fundamentally protected individual right to informational self-determination must be carefully examined.

Mis incentives and insufficient protective measures

In practice, however, the opposite is often the case: companies and authorities invest considerable creativity and financial resources in the development and use of ever-increasing systems for the collection and evaluation of personal data – often without direct reference to the actual purpose of the survey. Examples of this are the statutory stock storage ofTelecommunication traffic data or the progressive development of biometric monitoring methods. Demands for the use of new monitoring technologies often become louder than the necessary reflections on their reach and social impact. At the same time, comparable efforts to protect privacy, to secure data protection andto protect the right to informational self-determination.

Constitutional principles as guidelines for the digital society

In view of these developments, it is necessary to remember the constitutionally enshrined principles of human dignity and proportionality. These principles form the foundation of a democratic information society and apply not only to the collection, but also to the further use of data. The possibilities of automatically generated data with each otherto link, steadily increase. Although multiple use of data may appear economically or politically attractive, IT systems must be designed in such a way that the combination of differently stored data stocks can only take place under strictly defined and controlled conditions. IT security and data protection must be closely interlinked, since ahigh level of data protection can only be achieved through suitable technical solutions.

Transparency, Enlightenment and Assumption of Responsibility

A central task for information systems developers and users is to keep the impact of new technologies transparent and comprehensible for individuals and society. Only when those affected are informed about the consequences of new digital tools can they deal with them confidently and in a self-determined manner. Transparency promotes trust in innovativeIT projects. Comprehensive education, advice and information are essential to establish and disseminate data protection-friendly technologies on the market.

Ease of use and real choices

IT-supported procedures must be designed in such a way that they offer users a wide range of options when dealing with their data. It should always be possible to use private or public services without electronic systems. The data collection should always be subject to an informed, voluntary consent of the data subjects. realVolunteering is only available if there are actually alternatives. For example, companies should offer different payment options, including data protection-friendly prepaid models. The use of RFID chips in retail must be designed in such a way that users can deactivate them without affecting the functionality of the products.

Data protection as an integral part of digital systems

Data protection must already be anchored in the system design of IT solutions. Subsequent protective measures are usually less effective and associated with higher costs. Therefore, IT procedures and devices must be designed in such a way that potential data protection risks are already taken into account in the planning phase. The more sensitive an application area is, the higher the requirements must be metbe protective measures. The responsibility for a data protection-compliant operation must not lie solely with the user; Developers and manufacturers also have to take responsibility. Only if products and IT systems provide access protection, logging functions or encryption by default, users can trust that their data is adequately protected.

Tools to strengthen informational self-determination

With the increasing complexity of digital systems, it is becoming increasingly difficult for individuals to keep track of their data usage. Therefore, it is essential to develop user-friendly tools that allow for effective protection of personal information and controlling their use. such instruments – like pseudonymization tools,Password managers, programs for reading personal data storage or for automatic evaluation of the data protection level – must be made available at low cost for the masses. Identity management systems can help users decide who to provide which information.

Risks through profile building and necessary limitations

There are numerous ways to capture and evaluate individual behavior nowadays: Cookies and web bugs register surfing behavior on the Internet; Mobile phones produce permanent location data; Purchase behavior in retail is linked to buyer data; Telecommunications data provide detailed information about communication networks; RFID technology allows for the unnoticedreading information; Geomarketing links places of residence with socio-economic data. The merging of this information into comprehensive personality profiles poses a serious danger to the right to informational self-determination.

Control over personal data and intelligent identity management procedures

These developments must be effectively taken. Responsible persons must ensure that personal behavior, usage and movement profiles – if they are created at all – only arise with the express knowledge and consent of those affected and are only limited to clearly defined purposes. Control over your own data must always beaffected themselves. Comprehensive personality profiles, in which all private and public data flows together, must not exist in a free society. Information technology itself is also required to develop intelligent identity management procedures that effectively support the protection of privacy and prevent misuse.

Data protection as a guiding principle of the digital society

Finally, it turns out: The challenges of the digital world can only be overcome through an interplay of technical data protection, legal framework conditions, political responsibility and social education. Data protection must be anchored as a guiding principle in all phases of the development, design and application of digital systems in order to ensure freedom andto preserve the self-determination of the individual in the information age.