


This article is also available in German: ENDitorial: Was soll denn schon schiefgehen? ("What could possibly go wrong?")
With the discussions on the proposed General Data Protection Regulation in full swing and the first published opinions of some European Parliament Committees, several themes of proposed changes emerge. One of these can be paraphrased as “we shouldn't bother controllers with too many obligations, they know their stuff and want to do the right thing”.
Slightly more elaborate versions of this view have been used to justify amendments aiming to cut documentation obligations, lessen requirements on data breach notifications and information obligations. There also seems to be an undercurrent of “in any case, it's usually not that bad if things go wrong”.
Indeed, how bad could it be if things go wrong? And do controllers handle personal data responsibly? A few cases that made headlines in the past years can provide examples.
Between 2005 and 2007, Deutsche Telekom used its own traffic data to spy on journalists and on trade union members of its own supervisory board in order to stop leaks. According to the head of unit in charge of the spy operation, this happened on behalf of the then-CEO and the chairman of the supervisory board. Since then, this head of unit has been sentenced to 3.5 years in prison, while the former CEO and the chairman of the supervisory board claimed not to have known anything.
More recently, WhatsApp, a smartphone application for sending text messages which is used around the globe to send more than a billion messages per day, has been in the news for an astounding string of privacy gaffes. For starters, the service used to send messages without encryption, so that exchanges could easily be spied upon. It seems that WhatsApp's developers had been made aware of this security hole the size of a barn door almost a year before they fixed it. Just a month later, another security flaw was uncovered, which allowed WhatsApp accounts to be taken over and messages to be sent from the compromised accounts using simple tools – there was an app for that. Instead of fixing the problem, WhatsApp sent legal threats to the developers of the tools. Now, two and a half months later, this other barn door is still wide open.
Between 2002 and 2005, Deutsche Bahn, a railway operator, screened 170 000 of its employees to find out about connections to subcontractors and possible corruption. In 2006 and 2007, it also spied on employees' e-mails to uncover whistleblowers, sifting through up to 150 000 e-mails a day. The company's CEO had to step down over these scandals, while still denying that any wrongdoing had occurred. Later on, investigations confirmed the suspicions and Deutsche Bahn was fined 1.12 million euro in 2009. Sounds like a lot? That year, it took Deutsche Bahn about seven hours to make that amount in pre-tax profit.
From 2007 to 2010, when sending cars around the world to collect images for its Street View service, Google also collected information on wireless networks, to be used to make cell phone localisation more precise. The software used also collected content sent over open WiFi networks, capturing websites visited, passwords, e-mails and other information. Google was not forthcoming in the investigations, first denying that payload data had been collected, then talking about a simple “mistake”, then blaming it on a rogue developer. In the end, it turned out that the code in question was in fact documented, and that oversight was “minimal”, to quote from the US Federal Communications Commission's investigation report, which fined Google 25 000 USD for stonewalling the investigation.
In a different register, police authorities do not fare any better. They will be subject to a different text, a proposed Directive that contains more lax rules than the Regulation. Here as well, egregious violations can be found everywhere.
For example, officers of the Irish Police (Garda) used police databases for their private interests, such as running background checks on their daughters' boyfriends. In another case, a police officer used retained telecommunications traffic data to snoop on her ex-partner. Such cases have been discovered again and again over the years, following a familiar pattern: they become public, the Data Protection Authority (DPA) investigates and conducts audits, finds wrongdoing, the Garda promises to change, rinse and repeat. In one case, the Garda also adopted a “code of practice”, endorsed by the DPA. It does not seem to have helped much.
In Poland, the police, as well as the anti-corruption office and the domestic intelligence agency, surveilled at least ten journalists of various media between 2005 and 2007, using telecommunications traffic data without court orders or any connection to ongoing investigations. One of the journalists, of the influential Gazeta Wyborcza, wrote several articles about well-known and sometimes controversial actions of the anti-corruption office – the very office that later requested his traffic data. After the case became public, an investigation was launched, but a regional prosecutor's office claimed to have found no wrongdoing. Only after one of the journalists under surveillance went to court did a meaningful investigation get under way. The court ruled on the case in April 2012, finding that the anti-corruption office had violated the journalist's privacy, as well as the right to protection of journalistic sources.
In Dresden, Germany, the local police collected information on more or less every mobile phone call made and SMS sent in the city, almost one million connections in total, on the occasion of an anti-Nazi demonstration. The police justified collecting the information with several offences that occurred at the margins of the demonstration. Saxony's interior minister defended the measure as “proportionate”, even after it became public that the police had also used the data for totally unrelated investigations and had been told to stop this by the local prosecutor's office. Months after being formally reprimanded by Saxony's DPA, the police were still using the data.
What all these examples, from both the private and the public sector, show is that in many cases, incompetence or lack of oversight leads to unacceptable shortcomings, while in others, it is straight-up malice. In law enforcement, there seems to be a widespread belief among practitioners that “we're the good guys”, which in turn sometimes leads to abuses. So no, we cannot trust controllers to know their stuff and to want to do the right thing. And yes, it can be bad if things go wrong.
WhatsApp case
http://www.h-online.com/security/news/item/Account-theft-still-possibl...
http://www.h-online.com/security/news/item/WhatsApp-no-longer-sends-pl...
http://www.h-online.com/security/news/item/WhatsApp-threatens-legal-ac...
http://www.h-online.com/security/news/item/WhatsApp-accounts-almost-co...
http://www.androidpolice.com/2012/05/02/whatsappsniffer-shames-whatsap...
Deutsche Telekom case
http://www.wiwo.de/5239704-all.html
http://www.wiwo.de/5239730.html
Deutsche Bahn case
http://www.heise.de/newsticker/meldung/Deutsche-Bahn-zahlt-Rekordstraf...
http://www.heise.de/ct/meldung/Bahn-Datenskandal-Arbeitsminister-bekra...
http://www.n24.de/news/newsitem_4936517.html
http://www.sueddeutsche.de/wirtschaft/spitzel-affaere-bei-der-bahn-tie...
Google Street View case
http://www.wired.com/threatlevel/2012/05/google-wifi-fcc-investigation...
Irish police case
http://www.edri.org/edrigram/number10.21/irish-dpa-police-self-regulat...
Surveillance of Polish journalists case
http://wyborcza.pl/1,76842,8842563,Inwigilacja_dziennikarzy_badana_od_...
http://wyborcza.pl/1,76842,9763653,CBA_i_billingi_dziennikarza__Gazety...
http://wyborcza.pl/1,75478,11625664,Precedensowy_wyrok__CBA_nie_moze__...
Dresden police case
http://www.taz.de/!73222/
http://www.taz.de/!94114/
http://www.heise.de/newsticker/meldung/Saechsische-Polizei-nutzt-weite...
(Contribution by EDRi interns Katarzyna Syska and Owe Langfeldt)