German federal health minister, Shein and Deutsche Bahn ‘awarded’ for worst privacy and data protection offences
In October 2024, EDRi member Digitalcourage held the annual gala for the German BigBrother Awards. The unfortunate “winners” included a minister in the federal government, the police and interior minister in one German state, two international online retailers, a fundamental infrastructure provider and a trend.
German BigBrother Awards
Digitalcourage organised their annual German BigBrother Awards gala on 11 October 2024 in Bielefeld. These negative ‘awards’ given to companies, organisations, and politicians aim to highlight the worst privacy and data protection offenders in business and politics.
The awardees for 2024 are a particularly esteemed bunch, including state and federal ministers, online giants, and even a trend. Read more about them below.
-
Health Minister: European Health Data Space and German implementation
The German Federal Minister for Health, Karl Lauterbach, was awarded in the “Health” category for his role in the final negotiations on the European Health Data Space (EHDS), and for the German law that implements this EU regulation (“Law for the Use of Health Data” or Gesundheitsdatennutzungsgesetz).
In his laudatory speech, the former Data Protection Commissioner for Schleswig-Holstein, Thilo Weichert, criticised Lauterbach for having removed safeguards in the legislation. The speech highlighted the so-called “secondary use” of health data by private enterprises, for scientific research including training of AI, and by public bodies even including law enforcement. These secondary uses, said Weichert, are poorly regulated and give data subjects no rights to be informed and to potentially object.
-
Border policing gone rogue: Police and Interior Minister of Saxony
Frank Rosengart of the Chaos Computer Club took on a far-reaching surveillance measure in the German state of Saxony in his award speech in the “Authorities and Administration” category.
In 2019, a new law in Saxony enabled the use of cameras up to 30 km away from the state’s borders to Poland and the Czech Republic, which covers about half of the state. These highly sensitive cameras, part of a “Person Identification System” (PerIS), can recognise passengers through car windows and are used to track movements of “persons of interest”. Naturally, a large number of uninvolved persons are also captured.
Due to doubts about the measure’s legality, the state was given power to continue this only until the end of 2023. In view of a pending case in Saxony’s Constitutional Court, the Saxony government unilaterally continued the use of this legal instrument in December of that year. However, parliamentary questions have revealed that almost all German states’ police forces have requested to “borrow” the even more dubious mobile and “covert” versions of this technology from Saxony. This was not justified in the new law, and is instead based on a generic passage in Germany’s Criminal Procedure Code.
To use this legal basis, police forces are bending the legal definition of “real-time” vs. “retrograde” facial recognition by configuring the software to delay its functions by a few seconds.
As the award speech concluded, this should be taken as a warning of what we might soon be facing in the EU if the parties in power will not significantly restrict the use of biometric control.
-
Dangerous gaps in privacy and transparency: Temu and Shein
The worst offenders in the ‘consumer protection’ category were the e‑commerce platforms Temu and Shein.
Peter Wedde of the Frankfurt University of Applied Sciences demonstrated how these retailers, who act as brokers between consumers and mostly Chinese manufacturers, use dark patterns and very dubious terms and conditions to expose customers to conditions and privacy policies that give the companies almost free rein over their customers’ data. He also pointed out significant risks to customers due to the fact that legally they are turned into individual importers. Given that both companies are based in China (with EU headquarters in Ireland), data is processed in China and might also be handed to Chinese security agencies, which clearly violates EU law.
-
The ongoing journey away from surveillance-free travel: Deutsche Bahn
An award in the ‘mobility’ category went to Germany’s main and state-owned railway operator, Deutsche Bahn (DB, translated: “German Railways”). As padeluun from Digitalcourage described in detail, the company is adding tile after tile to a mosaic that is being built in order to make anonymous travelling without surveillance impossible.
Latest additions to this surveillance mosaic are the reduction of options to buy tickets anonymously and with cash, including the requirement to submit a mobile phone number or e‑mail address when buying saver tickets, the move to stop selling the popular discount card (BahnCard) as a physical card and to tie its use to the DB Navigator app, and other attempts to coerce people to use this app, which includes trackers that DB shamelessly and inappropriately declares as “necessary”.
-
A patronising, unnerving, imposing, convenient trend: Technology paternalism
A more fundamental, reflective award was presented by Rena Tangens from Digitalcourage. It highlighted how modern technology tries to make decisions for users and act “for their own good” but often does things against our will. Examples included Google’s intentions to no longer answer users’ questions at length but second-guess their wishes and serve one single answer, or just tell users what they want even before they ask. The speech also mentioned a project by Deutsche Telekom that aims to develop an app-free, AI-driven smartphone, and VAR decisions in football.
Tangens pointed out how independent information suppliers are being phased out of the market by these trends. It concluded with a call to take responsibility, retain sovereignty and uphold individual decision-making.
Contribution by: Sebastian Lisken, EDRi member, Digitalcourage
Full coverage of the awards in English, including an interpreted English version of the livestream recording (still in post-production at the time of writing) can be found on the German BigBrother Awards website.