Data Collection Frenzy of the German Health Ministry - We Criticize the Plans of Jens Spahn
Update: On November 7, 2019, the German Bundestag passed the law without further changes.
On Thursday, November 7, 2019, the new version of the “Digitale-Versorgung-Gesetz” (Digital Supply Act, or DVG) is to be passed in the Bundestag. The creation of a database of all health data of all German health insurance patients is currently causing a stir among data protection advocates.
The planned procedure foresees that the statutory health insurers will forward the personal data and treatment data of all insured persons to the GKV-Spitzenverband. There, the data are to be stored in pseudonymized form. The collected data should then be usable for research (and possibly also for industry). Possibilities for patients to object and plans for the encryption of the data are not specified in more detail in the draft law. These points are to be worked out in the Ministry of Health after adoption by the Bundestag.
Criticism of the Digitale-Versorgung-Gesetz (DVG)
We agree with the opinion of the Federal Data Protection Commissioner and strongly criticise the plans of the Ministry of Health.
I find it irresponsible to introduce a law into the Bundestag that would encroach so deeply on the rights of patients without defining a security strategy first.
(Robert Freudenreich, CTO of Boxcryptor)
Read our statement below.
Patients Lose Track of Their Data
The storage of personal data in a central database is not traceable for patients. Patients do not have an overview of who accesses their personal data, for what reasons and at what time. In times when data protection is becoming increasingly important, this is – in our opinion – a fatal signal.
No Possibility to Opt Out
The draft law does not currently provide any possibility to object. All data of all legally insured persons will be collected in a database. We condemn this plan.
Companies Could Gain Access
Many data protection advocates and security experts are irritated that the draft law does not explicitly exclude access to data by companies. In this way, information could be passed on to for-profit companies without the consent of those affected. This is not in line with our view of modern and individually oriented data protection. Since this is highly personal data with often intimate information, such access is unethical in our eyes.
Missing Encryption
So far, no information has been provided on how the patient data will be protected. Encryption is planned, but the technical details have not yet been defined. This is fatal, because in our opinion it should be clear in such a project that nothing but genuine zero-knowledge encryption is used. The vague statement of the ministry spokesman that data protection “enjoys the highest priority” is too unclear for us at this point.
Germany Gets an Image Problem
So far, Germany has been considered a pioneer when it comes to data protection. Our privacy standards are internationally recognized. The GDPR has been influenced significantly by the existing German data protection laws. Gambling away this reputation harms Germany as a business location, because “Made in Germany” is a guarantee for high security standards, especially in the IT sector.
Boxcryptor Stands for Data Protection
As the founders of an encryption software company, we are fully committed to the topic of data protection. Privacy is an important asset, which we protect and defend with Boxcryptor. The new “Digitale-Versorgung-Gesetz” torpedoes these efforts. We call on the Ministry of Health to remove the planned database from the bill or at least revise the plans.