Data protection in the German Bundestag

Data privacy analysis of German Bundestag member websites, revealing cookie violations, third-party tracking, and GDPR compliance risks.

Clarisse Lydia Jähn

Many members of the German Bundestag violate the General Data Protection Regulation (GDPR) and the Telecommunications Digital Services Data Protection Act (TDDDG) on their own websites. They are thus acting against a basic regulation and breaking a law that they themselves helped to pass.

Our analysis below shows how widespread these violations are among German politicians and what this means for data protection in Germany. The GDPR and the TDDDG are important instruments of the Federal Republic that can guarantee the human right to privacy in the digital space, provided they are implemented and applied correctly.

What was investigated?

We checked the websites of all members of the German Bundestag for data protection compliance, provided they have a website.

We focused on which cookies are set when a website is opened and which data transfers to third parties occur before any consent has been given.

This is a deliberately low bar.

513 members of the German Bundestag, i.e. 72% of those with a website, commit data protection violations on their websites. In our opinion, only 196 of the politicians design their websites in accordance with data protection law. 27 members currently have no website and were therefore excluded from the analysis.

The members of the Bundestag

To illustrate the data protection requirements for website operators, we present five members of the Bundestag and how they deal with data protection on their websites in more detail. These cases show how complex a correct implementation is, why even considerable effort in website design is often not enough to protect personal data, and which methods members of the Bundestag use to address the issue or to sidestep it.

The data set with the analysis results of all Bundestag websites can be found here.

Hansjörg Durz – good intentions, poor implementation

Hansjörg Durz from the CSU, a member of both the Committee on Economic Affairs, where he focuses on the digital economy, and the Committee on Digital Affairs, has a substantial professional connection to digital data protection. Despite his position, the implementation of data protection on his website fails.

hansjoerg-durz.de

Something is going wrong on this website: visitor data is transmitted to services such as Facebook without anyone being asked.

These services are loaded without user consent:

Adobe Typekit
Amazon CloudFront
Cloudflare
embedly
Facebook
Google Ads
Google AdSense
Google Analytics
Google Fonts
Google Tag Manager
google.com
Keen
Mixpanel
New Relic
Strikingly
TikTok
Twitter
Unsplash
YouTube

Portrait of Hansjörg Durz © Büro Durz, MdB (https://commons.wikimedia.org/wiki/File:Hansjörg_Durz.jpg)

Before any interaction takes place on Hansjörg Durz's website, services such as YouTube, Facebook and Twitter are already loaded. These services track visitor behaviour and monetise the data.

Durz's privacy policy explains that the website uses tools from US companies, which may result in personal data being transferred to US security authorities. But by the time visitors get the chance to read this information, the data has already been passed on.

Given his position in the Bundestag, one would actually expect Hansjörg Durz to have expertise in data protection.

Before publishing this article, we asked Hansjörg Durz for comment. His office told us that they take privacy on his website very seriously. In our first analysis of the website, even more cookies and services were loaded without consent; this was partially fixed in response to our request and attributed to a technical defect.

Some cookies and services no longer load. Nevertheless, as shown above, not all errors were corrected, which in turn shows how difficult a correct technical implementation of the GDPR is, even with the best intentions. In any case, it is commendable that Hansjörg Durz is trying to get it right.

Andrew Ullmann – has seen a lot of personal data

Prof. Dr. Andrew Ullmann, FDP, is a physician and chairman of the Global Health Committee. As a member of the traffic light coalition, Ullmann supports the digitalisation of the health care system; government plans call for electronic patient records for 80% of the population by 2025. One can only hope that this sensitive health data will be handled more responsibly than the personal data of visitors to Andrew Ullmann's website.

andrew-ullmann.de

At first glance this website appears meticulous about privacy. That impression is deceptive: personal data is transferred to YouTube from the homepage without consent.

These services are loaded without user consent:

Google Ads
Google Cloud Platform
Google Fonts
Google Play
Google Video
google.com
gstatic.com
Matomo
YouTube

Portrait of Andrew Ullmann © Stefan Fercho (Schlappinho) / CC BY-SA 4.0 (via Wikimedia Commons)

Like the majority of his party colleagues, Andrew Ullmann's website follows an internal party template. Instead of being taken straight to the content, visitors are first shown a dialogue reminiscent of "Pay or Okay" that is identical across many FDP politicians' sites. But even if you choose only the technically necessary functions, certain privacy-critical services are activated automatically after the selection, which is plainly deceptive and creates a false sense of security.

Beyond this attempt to make consent transparent, other features of Andrew Ullmann's website also indicate that data protection was considered in its design. One positive aspect is the use of Matomo, an alternative to Google Analytics that can be configured to analyse visitor activity in a privacy-compliant way. In addition, Facebook posts are embedded locally, which prevents unwanted data transmission to the social network.

Unfortunately, these efforts are undone by privacy-critical elements on the homepage. A YouTube video is embedded without the user's consent, and loading it also pulls in services such as Google Ads and Google Fonts. This gives Google the opportunity to collect data and potentially resell it, data that could later be used to target political advertising. All of this because of an innocuous visit to Andrew Ullmann's website.

Annalena Baerbock – one way and yet another

Annalena Baerbock, Foreign Minister of the Federal Republic of Germany, is committed to the correct handling of personal data, even without specialised expertise in data protection.

annalena-baerbock.de

No cookies or external services are loaded on this website without consent. Apart from a small design flaw, everything on this website is done right.

Portrait of Annalena Baerbock © Bündnis 90/Die Grünen Bundestagsfraktion / CC BY-SA 4.0 (via Wikimedia Commons)

If you visit Annalena Baerbock's website, you can be sure that only harmless technologies are used. Where content from social networks such as Twitter, Instagram or Facebook is shared, it is served locally from her own server, so that visitor data is never linked to those services.

Another point that was not part of our original analysis, but should still be mentioned, concerns the design of Annalena Baerbock's website. One possible shortcoming: a consent banner with a colour-highlighted "Accept" button can "nudge" users and unconsciously influence their decision. And since only Matomo is loaded after consent, a service that can be operated without cookies, the question arises whether Matomo cookies, and consequently a consent banner, are needed at all. An exemplary website could do without one from the outset through a technically correct, cookie-free configuration.

The technical design of Baerbock's website in no way stands in the way of an aesthetically pleasing presentation. Even without integrating services from third countries, a simple and attractive design was achieved. Annalena Baerbock proves that with a more thoughtful approach, personal data can be protected without any loss of usefulness or aesthetics.

Josef Rief – Apparently a model CDU member

Josef Rief is a CDU politician and farmer whose work in the Bundestag focuses on agricultural policy. Although neither his committee work nor his profession suggest a direct connection to data protection, he takes the issue seriously on his website, even though he makes a few mistakes.

josef-rief.de

At first glance this site does an exemplary job, but a thorough analysis turns up several Facebook integrations.

These services are loaded without user consent:

Facebook
WordPress.org

Portrait of Josef Rief © Janr07 / CC BY-SA 4.0 (via Wikimedia Commons)

The website is pragmatic and focuses on giving visitors the latest information about Josef Rief's activities without passing personal data to third parties. The first few pages contain only links to social media and videos, and a plain link passes on no personal data until it is clicked. At first glance, everything appears fully compliant with data protection law.

However, when all subpages are analysed with our tool, Facebook integrations that forward personal data do turn up, but only after more than 200 subpages have been crawled. This shows how hard it is to find and remove every integration on a website.

Gregor Gysi – without anything

In our analysis, Gregor Gysi is one of the few MPs without a single violation on his website, because – like 27 others – he has none. It can be said: abstinence remains the best contraception.

Technical

Cookies

We also broke the results of the whole analysis down into loaded cookies and external data connections. About a third of MPs with a website set no cookies at all. About a quarter set one or two cookies, a third set three to seven, and 33 set more than eight.

Cookies are not necessarily bad; strictly functional cookies do not require consent. But many cookies are set automatically by site builders and content management systems and could easily be done without, and website operators are often unaware of them. For this reason, we consider three to seven cookies on websites meant purely to inform citizens to be genuinely worrying.

External data connections

External data connections are connections a website makes to servers outside its own domain in order to load content or resources: fonts, videos, analytics scripts or social media widgets. They enable a dynamic, interactive user experience, but they also carry data protection and security risks, because each connection sends personal data such as the visitor's IP address to the third party, and a third-party script runs with the full privileges of the page that embeds it.

Since website operators initiate these connections through their websites, they are also responsible for where this personal data goes.
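The following Python script is an added example and not the authors' analysis tool. It illustrates both points above: it parses a page's HTML for every resource a browser fetches on load (scripts, stylesheets, images, iframes, preconnect hints), reports the hosts outside the site's own domain, and keeps crawling internal links so that an embed buried on a deep subpage, like the Facebook integration on Josef Rief's site, is found only when enough pages are scanned. The domain mdb-example.de, the page contents and the suffix-to-service table are all constructed for this example; nothing is fetched from the network.

```python
# Added example (not the article's tool): list the third-party hosts a page
# contacts on load, then crawl internal links so deep embeds are found too.
# All pages are constructed inline; nothing is fetched from the network.
from collections import deque
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumed hostname suffixes for some of the services named in the article.
KNOWN_SERVICES = {
    "facebook.com": "Facebook", "facebook.net": "Facebook", "fbcdn.net": "Facebook",
    "googletagmanager.com": "Google Tag Manager", "google-analytics.com": "Google Analytics",
    "fonts.googleapis.com": "Google Fonts", "fonts.gstatic.com": "Google Fonts",
    "youtube.com": "YouTube", "youtube-nocookie.com": "YouTube", "doubleclick.net": "Google Ads",
}
# Attributes the browser fetches as soon as the page loads, without any click.
LOADING_ATTRS = {"script": ("src",), "img": ("src", "srcset"), "iframe": ("src",),
                 "link": ("href",), "video": ("src", "poster"), "source": ("src",)}
# <link> only contacts the host for these rel values (canonical/alternate do not);
# preconnect and dns-prefetch already reveal the visitor's IP address.
LOADING_RELS = {"stylesheet", "preload", "modulepreload", "preconnect", "dns-prefetch", "icon"}


class ResourceExtractor(HTMLParser):
    """Collects auto-loaded resource URLs and <a href> targets of one page."""

    def __init__(self, base_url):
        super().__init__()
        self.base, self.resources, self.links = base_url, [], []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "a":
            if a.get("href"):  # a plain link sends nothing until clicked
                self.links.append(urljoin(self.base, a["href"]))
            return
        if tag == "link" and not set(a.get("rel", "").lower().split()) & LOADING_RELS:
            return
        for attr in LOADING_ATTRS.get(tag, ()):
            value = a.get(attr, "")
            # srcset holds several candidates: "a.jpg 1x, b.jpg 2x"
            for cand in (value.split(",") if attr == "srcset" else [value]):
                parts = cand.split()
                if parts and not parts[0].startswith(("data:", "#", "about:")):
                    self.resources.append((tag, urljoin(self.base, parts[0])))


def is_third_party(host, site_host):
    """True when host is neither the site's domain nor one of its subdomains."""
    return not (host == site_host or host.endswith("." + site_host))


def service_for(host):
    """Map a hostname to a KNOWN_SERVICES name, or None for unknown hosts."""
    return next((n for s, n in KNOWN_SERVICES.items()
                 if host == s or host.endswith("." + s)), None)


def crawl(site_host, pages, max_pages=500):
    """BFS over internal links; `pages` (URL -> HTML) stands in for HTTP fetches.
    Returns ({service or host: set of pages contacting it}, number of pages visited)."""
    seen, queue, findings = set(), deque([f"https://{site_host}/"]), {}
    while queue and len(seen) < max_pages:
        url = queue.popleft()
        if url in seen or url not in pages:
            continue
        seen.add(url)
        parser = ResourceExtractor(url)
        parser.feed(pages[url])
        for _tag, res in parser.resources:
            host = urlsplit(res).hostname or ""
            if host and is_third_party(host, site_host):
                findings.setdefault(service_for(host) or host, set()).add(url)
        for link in parser.links:
            if not is_third_party(urlsplit(link).hostname or "", site_host):
                queue.append(link.split("#")[0])
    return findings, len(seen)


SITE = "mdb-example.de"  # hypothetical domain, constructed for this example


def build_site():
    """Constructed site: clean homepage, 250 news pages, one Facebook embed deep down."""
    pages = {f"https://{SITE}/": (
        '<html><head><link rel="stylesheet" href="/css/main.css">'
        f'<link rel="canonical" href="https://{SITE}/"><script src="/js/site.js">'
        '</script></head><body><a href="https://www.facebook.com/mdb.example">Facebook</a>'
        '<a href="/aktuelles/1">Aktuelles</a></body></html>')}
    for n in range(1, 251):
        embed = ('<iframe src="https://www.facebook.com/plugins/post.php?href=x"></iframe>'
                 if n == 231 else "")  # the one page that loads a Facebook plugin on view
        pages[f"https://{SITE}/aktuelles/{n}"] = (
            f'<html><body><img src="/img/{n}.jpg">{embed}'
            f'<a href="/aktuelles/{n + 1}">Weiter</a><a href="/">Start</a></body></html>')
    return pages


def audit(max_pages=500):
    """Return ({service: sorted pages}, visited count) for the constructed site."""
    findings, visited = crawl(SITE, build_site(), max_pages)
    return {name: sorted(urls) for name, urls in findings.items()}, visited


if __name__ == "__main__":
    for limit in (50, 500):  # a shallow scan misses the embed, a full one finds it
        findings, visited = audit(limit)
        print(f"{visited} pages crawled: {findings or 'no third-party connections'}")
```

With a 50-page limit the scan reports no third-party connections; only the full crawl reaches /aktuelles/231 and attributes the Facebook plugin to it. Note the caveat: static HTML parsing cannot see resources injected by JavaScript (tag managers, consent scripts, lazy embeds), so a real audit of the kind described in this article drives a headless browser, records every network request and Set-Cookie header before any click, and only then compares the result with what the consent banner claims.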

A concrete example is Google reCAPTCHA, which 49 MPs load on their websites without prior consent, usually to protect a contact form from spam. The French data protection authority (CNIL) recently published a decision on Google reCAPTCHA.

The French e-scooter company Cityscoot was accused, among other things, of passing personal data to Google without customer consent by integrating Google reCAPTCHA on its sign-up page.

The authority referred to Google's privacy policy, which states clearly that responsibility lies with whoever integrates the service and that Google also uses the data for tracking. It ruled that the company had breached its obligations under Article 82 of the French Data Protection Act by allowing cookies to be placed on users' devices via the reCAPTCHA mechanism provided by Google, without informing users and without obtaining their consent, and imposed a fine of 25,000 euros for this violation (the company received a further fine of 100,000 euros for excessive data collection).

What are the consequences – sanctions and liability?

Under the Federal Data Protection Act (BDSG), MPs are considered public bodies[1] and as such are exempt from executive observation, control and supervision[2]. As public bodies they do not fall within the scope of the GDPR directly, but must comply with it by virtue of the BDSG[3].

For MPs this currently leaves a legal vacuum. They do have to comply with the GDPR, and there is a data protection authority responsible for them, the Federal Commissioner for Data Protection and Freedom of Information (BfDI). But the BfDI has no supervisory power over MPs and their GDPR compliance and can therefore only issue non-binding recommendations.

We asked the BfDI how it carries out its role based on the legal requirements. The BfDI sees its tasks as advising members of parliament and communicating with the Bundestag.

A possible rethink could follow from a ruling of the European Court of Justice (ECJ) of 16 January 2024. In a preliminary ruling requested by the Austrian Administrative Court, the ECJ held that parliamentary committees of inquiry are in principle not excluded from the scope of the GDPR.

Furthermore, the ECJ held that even in a member state that has set up only one supervisory authority, that authority's competence follows directly from the GDPR, irrespective of the principle of separation of powers. The only carve-out from supervision in Article 55(3) GDPR is for courts acting in their judicial capacity.

The judgment shows that there may be no legal vacuum. According to our conversation with the BfDI, following this ruling the Bundestag could either set up its own supervisory body or the supervisory function could pass automatically to the BfDI.

In a recent episode of the podcast "Data Freedom!", the State Commissioner for Data Protection and Freedom of Information of Baden-Württemberg, Prof. Dr. Tobias Keber, also explains the ECJ ruling in more detail. In his view, it would make sense to set up a separate, independent body, since committee work quickly involves personal data and sensitive data protection and political questions.

What can you do as a citizen?

As a first step, you can contact the politicians directly. Their contact details can be found on their websites or on bundestag.de. In our experience, most of them genuinely want to take data protection on their website seriously; it is simply something that gets forgotten in day-to-day business. A small nudge is therefore often enough.

If that changes nothing, you can lodge a complaint with the BfDI, the data protection authority currently responsible for the Bundestag[4]. As described above, however, it can currently only forward a complaint to the MP and advise; it cannot enforce anything.

The last step is a civil lawsuit. If you believe your data protection rights have been violated, you have the right to an effective judicial remedy under Art. 79 GDPR and can assert it before a civil court. If you have suffered material or non-material damage, you are entitled to compensation under Art. 82(1) GDPR, which can likewise be claimed before a civil court.

Until it is settled whether the ECJ's recent ruling also takes effect in Germany, it is up to citizens to contact their representatives. You have the responsibility, but also the power, to bring about change among MPs and to keep at it. This offers every citizen the opportunity to actively participate in democracy beyond elections.

Summary

The analysis of the various websites of selected members of the Bundestag shows how multifaceted the use of technologies on the Internet is. While some MPs actively promote personal data protection and the preservation of the privacy of their constituents, for others the need for improvement becomes clear.

The majority of the websites examined show misconduct and unlawfully pass on personal data. However, repeated analyses of the loaded services over the past few months have shown a trend towards improvement. The issue of data protection is evidently being addressed and is evolving in the Bundestag.

The importance of privacy and data protection is covered extensively in other sources and is illustrated by activism such as that of Max Schrems. At this point, it should be noted once again that the opportunity for people to actively decide on the transfer of their personal data, as well as transparent information about how this is handled, must be promoted in the future.

Although a large part of society has to reckon daily with the misuse of their private data on platforms such as Google, Facebook and the like, at least they use those platforms voluntarily. When you visit a political website such as Hansjörg Durz's, by contrast, a data profile of the visitor is created without being asked. And people who do use Google's and Facebook's services must expect those companies to learn even more about them when they visit one of the 513 affected websites of members of the Bundestag. This is a state of affairs that can no longer be accepted as normal.

It is up to the members of the Bundestag to follow the instruments they themselves adopted, such as the GDPR and the TDDDG, on their websites and thus set an example in data protection. Only when politicians take their own laws seriously and comply with them will those laws become credible for the rest of society.

Disclaimer: Before publishing the article, we asked the members of the Bundestag mentioned by name for a statement. So far only Hansjörg Durz has reported back.

Photo credits:
Cover © Claudio Schwarz
Hansjörg Durz © Büro Durz, MdB
Prof. Dr. Andrew Ullmann, MdB © Stefan Fercho (Schlappinho)
Annalena Baerbock MdB © Alliance 90/The Greens parliamentary group
Josef Rief Portrait 2013 © Janr07

Footnotes

  1. Section 2 Paragraph 1 of the Federal Data Protection Act (BDSG): "Public bodies of the federal government are the authorities, the judicial bodies and other federal institutions organized under public law, the federal corporations, the institutions and foundations under public law and their associations, regardless of their legal form."

  2. In the view of the Federal Constitutional Court (BVerfG), members of the Bundestag are exempt from executive observation, control and supervision under Article 38(1) sentence 2 of the Basic Law: "They shall be representatives of the whole people, not bound by orders or instructions, and responsible only to their conscience." This follows in conjunction with the principle of separation of powers in Article 20(2) sentence 2 of the Basic Law: "It shall be exercised by the people through elections and other votes and through specific legislative, executive and judicial bodies."

  3. Section 1(8) BDSG: "For the processing of personal data by public bodies in the context of activities that do not fall within the scope of Regulation (EU) 2016/679 and Directive (EU) 2016/680, Regulation (EU) 2016/679 and Parts 1 and 2 of this Act apply accordingly, unless otherwise provided for in this Act or another law."

  4. According to Art. 77 GDPR, every data subject has the right to contact the BfDI with a complaint about a violation of their data protection rights.