Critics have attacked the German government’s decision to overhaul the country’s privacy watchdog, saying the reforms do not go nearly far enough.
Ministers have announced that the Federal Commissioner for Data Protection and Freedom of Information will be hived off from the Interior Ministry and upgraded to an independent agency in 2016.
The move followed accusations that the ministry interfered with the watchdog’s work and discouraged it from criticizing the Interior Minister.
The Ministry often took positions that were diametrically opposed to data protection, making the commissioner’s lack of independence “highly problematic,” said Konstantin von Notz, the Green Party’s spokesman for digital policy.
“The likelihood that companies will be scrutinized is very small.”
But even with this newly won independence, the commissioner still doesn’t have the resources needed to enforce Germany’s privacy laws, critics say.
“The likelihood that companies will be scrutinized is very small,” said Rena Tangens, a founding member of the advocacy group Digitalcourage.
At the moment, 87 staff members have the herculean task of holding 3,500 telecommunication companies, 1,500 mail service providers as well as multiple intelligence agencies and government ministries to account.
“Given the lack of personnel, it wasn’t possible to provide oversight in the way that I, and probably the public, would have liked,” Andrea Vosshoff, the current data protection commissioner, told Handelsblatt.
Under the reform, Ms. Vosshoff will receive an additional 21 staff. But, according to Ms. Tangens, that’s not nearly enough to provide effective oversight.
It’s not just an issue of staffing. Unlike Germany’s data protection commissioners at the regional level, the federal commissioner doesn’t have the authority to impose financial sanctions against companies for non-compliance.
The European Union’s General Data Protection Regulation would change that. Under the regulation, supervisory authorities such as Germany’s federal commissioner could impose fines of up to 4 percent of a company’s global revenue if data protection laws were breached.
After four years of negotiations, the final draft was completed last week. The European Parliament and European Council are expected to adopt the regulation in early 2016. It would then go into effect sometime in 2018.
According to data protection advocates, Ms. Vosshoff has been part of the problem in Germany. She was appointed commissioner in 2013 after losing her seat in parliament, and had no prior experience in privacy issues.
In contrast to her predecessor, Peter Schaar, she hasn’t actively engaged in the public debate. Major developments – revelations about U.S. National Security Agency surveillance in Germany, the reversal of the Safe Harbor Agreement with the United States, and the reintroduction of data retention laws in Germany – are normally accompanied by quiet statements on the commissioner’s website.
“She’s been a disaster,” said Constanze Kurz, of the Chaos Computer Club.
Ms. Tangens of Digitalcourage suspects that Ms. Vosshoff’s appointment, given her lack of experience, was a tactic to keep the office from becoming too powerful.
Ms. Vosshoff, for her part, said that she’s been fighting for additional staff since the beginning of her tenure, often in the face of heated criticism.
“Strong words alone aren’t enough,” she said. “We need a strong data protection supervisory authority that can have an impact.”
Anja Stehle is a correspondent for Handelsblatt in Berlin. To contact the author: firstname.lastname@example.org