Dieter Kugelmann, Data Protection Officer of Rhineland-Palatinate, sees “the trust of citizens in the legality of state action” shaken by the recently known access to contact information from the system behind the Luca app by prosecutors in Mainz. The procedure is “the completely wrong signal, especially in times of a pandemic that is challenging society as a whole”.
Legal situation in the Infection Protection Act
According to the police law expert, he initiated “immediately supervisory procedures”. In particular, the circumstances are to be clarified which, despite the clear legal situation, led to the query and use of the contact data, which was collected exclusively for infection protection purposes, which is inadmissible under data protection law. The supervisory authority has already sent corresponding requests for information to the institutions involved.
What is particularly worrying for Kugelmann is “that both the public prosecutor’s office and the health department were obviously unaware of the legal situation in the Infection Protection Act and the associated data protection regulations, which had changed some time ago, or have ignored it”.
Possibilities of sanctions against state authorities
The head of the agency announced on Tuesday, after clarifying the facts “to check the exercise of all the powers available to him under data protection law”. However, the options for sanctions by the inspectors are significantly more limited in relation to government agencies than in the case of private companies, where the General Data Protection Regulation (GDPR) applies.
The background is an incident from November. After a 39-year-old man with severe head injuries was found in front of a Mainz inn, the responsible investigative authorities asked the health department to release the contact details recorded by the restaurant operator via the Luca app at the suspected time of the crime.
Prosecutor admits inadmissibility
The health department complied with the request and transmitted the data of 21 people. Those affected were then contacted by the police and questioned about the incident. In the meantime, the public prosecutor’s office has admitted the inadmissibility of the data processing that took place. The makers of the Luca app sharply criticized the abuse. At the request of the police, the Mainz health authority “simulated a case of infection” in order to be able to decrypt the data, which is protected.
After reports of the authorities’ actions, loud calls to uninstall the Luca app, the rapper Smudo, as a co-developer of the system, described as “irresponsible”. This is currently helping to break chains of infection every day. Experts, on the other hand, consider the application to be “technologically dead” and currently also ineffective because the workload in the health authorities is too high in the multiple corona waves. The employees there would not even get to track the supplied contact data.