The selection process for the state commissioners and the federal commissioners for data protection still largely violates the requirements of the European General Data Protection Regulation (GDPR). This is the conclusion reached by a current report by the data protection network on the appointment of public data protection officers. The topic is very topical: At the moment, two lines have been vacant for months. In the coming year there will be replacements or new appointments in six federal states.
The heads of the data protection supervisory authorities are very important with regard to their “fundamental rights, constitutional and democratic” significance. Because “with their independence they should in view of the special fundamental rights risks”, so the data protection expert Thilo Weichert prepared reports, “grant early, effective, early legal protection”. The Baden-Württemberg state data protection officer, Stefan Brink, agrees with heise online: “Due to the progressive digitization, which can only succeed with adequate data protection, the management of the independent supervisory authorities is also becoming increasingly important.”
The high standards of the GDPR are often ignored
However, according to the expert opinion, qualification criteria and selection processes in many state laws do not match the requirements of the GDPR, which have had to be implemented since 2018. The GDPR requires in Article 53that the heads of authorities must have “the necessary qualifications, experience and expertise, particularly in the area of personal data protection”. In Hamburg, for example, occurred this year a specialist in media law the successor to Johannes Caspar. The Berlin data protection officer Maja Smoltczyk, who recently resigned from her position, had only marginally to do with data protection before taking office, as did the much-criticized former Federal Data Protection Officer Andrea Voßhoff.
In addition, according to the GDPR, the selection of candidates should take place in a “transparent process”: “The forces that influence the appointment of members must be balanced in such a way that there is no unilateral influence,” explains the report. This should “prevent people from getting into the important public office without there being a public debate in which the required balance can be achieved.” Obviously, this is not the case when the state governments propose administrative lawyers who, for example, worked in the Ministry of the Interior to lead the independent data protection supervisory authorities – as was the case most recently in North Rhine-Westphalia.
Colorful patchwork of regulations
In view of the uniform requirements of the GDPR, it is “surprising”, according to the expert opinion, how different the selection process and the term of office are regulated in Germany. The terms of office provided by law range from five to eight years. Re-election is possible twice in Baden-Württemberg, for example, and only once in many federal states. There are no restrictions whatsoever in Bavaria or Hesse. There is only an obligation to tender in Saxony-Anhalt – but it has not yet been implemented in practice: In 2017, the state parliament should have chosen a successor to Harald von Bose. His term of office ended by law at the end of 2020. The position has been vacant since then. It is also vacant in Berlin. In NRW, the position was vacant from summer 2020 to spring 2021.
In four federal states and the federal government, the government has the right to make proposals; otherwise, proposals come from parliament or the government groups. Elections are then consistently held in the parliaments – with the exception of the President of the Bavarian State Office for Data Protection Supervision, who is appointed by the state government. A debate on the candidates is expressly excluded in six parliaments. The option has never been used in a further eleven parliaments.
The expert opinion considers the appointment procedure to be “deficient” as the transparency of the procedure is hardly or not at all guaranteed. It also criticizes the fact that the filling of vacancies is repeatedly delayed. The report recalls that before 2018, “irrelevant considerations” were decisive when filling the positions: party membership and office patronage were more important than professional qualifications. Since then, “obviously unqualified” appointments have not been observed any more. In Schleswig-Holstein there was even the first attempt in 2020 to take legal action against the appointment, as no advertisement had been issued. However, that had before the administrative court Schleswig no success.
Tender to strengthen the office holder
In conclusion, the report states that the transparency can ideally be created through a tender, which should be stipulated by law. Since the quality of the management is “strongly determined” by the selection process, the establishment of “professional processes is necessary”: the “widespread political practice of refinishing in back rooms” must be ended.
The data protection conference of the federal and state governments has not yet commented on the problem. The lawyer Malte Engeler, who failed in a non-transparent selection process in Hamburg, says: “At the moment, the newly appointed trunk lines are starting with a completely unnecessary and avoidable mortgage on their credibility.” The Baden-Württemberg data protection officer Stefan Brink, who is due for re-election in 2022, also sees an advantage for the incumbent in an advertisement: “Only those who emerge successfully from a transparent and qualified selection process can fulfill the duties of expertise and personal independence associated with the office . “
Schleswig-Holstein’s state data protection officer, Marit Hansen, whose re-election has been contested in court, says: “I personally support advertisements because this can encourage applicants. I myself came to the office through an advertisement and several interviews.” This was possible because the pirates had advocated this approach in the state parliament at the time. According to the Schleswig Administrative Court, a tender is currently not legally required. Hansen adds from his own experience: “But even tenders do not prevent someone from stripping the electorate in advance, insisting on his party book or damaging the reputation of another person.”