Boosted or busted? – The impact of data protection on the digitalisation of public administration

The extensive digitalisation of both internal public administration processes and their services for users is an uncontested goal of politics and society in most countries. However, besides technical challenges, cultural change and data protection regulations appear to be a problem for the visible success of these digitalisation efforts. The paper argues that projects with the goal of digitalising public administration often lead to measures and implementation processes that are characterised either by anticipatory obedience or "practical illegality". Expecting that data protection considerations could stand in the way of a technical solution, bureaucratic organisations reject possible solutions in the early stages of a project. Commercial enterprises, on the other hand, tend to act on the premise that the first step should be to develop solutions, which do not explicitly violate data protection rules. Users (citizens/clients) are partly directly affected and acting stakeholders, partly their interests are represented by data protection authorities. These authorities play the role of "prophets" who interpret and construe the GDPR. Their judgement on good and appropriate data protection is justified by the belief that they are acting as a trustee for the users as beneficiaries. However, the powerful role of data protection authorities means that the good intention of protecting personal data becomes a compulsory exercise that is perceived as a burden. Against this background, data protection rules cannot be identified as a driver of innovation and improvement. Rather, the menacing interpretation of regulations has the effect of putting the brakes on projects, where technological implementation and digital transformation are breaking new ground. Hence, digitalisation projects have to deal with data protection issues in a more strategic way. The case study of the project "ID Ideal" in Saxony (Germany) demonstrates the impact of data protection on the development and realisation of applications based on the concept of Self-Sovereign-Identities (SSI). In the area where administration, economy and society overlap, use cases are designed for the real life adoption of SSI-based solutions. Only privacy compliant applications achieve the necessary level of trust, which enables their (voluntary) provision and use. Thus, data protection in the broader sense is addressed under the heading of "acceptability and usability". However, the topic of data protection is always an elephant in the room in the "ID Ideal" showcase project. When it comes to project management, data protection issues are in fact sidelined for the time being, even for internal procedures within the public administration. The work on appropriate SSI applications spotlights the issues of acceptance, operational efficiency and user orientation. The expectation is that by demonstrating user acceptance under real-lab conditions, a positive judgement on data protection rules will be made later on. So the project is driven by the spirit of demonstrating which regulatory provisions may have to be adapted - and not so much about which technology is allowed by the regulatory framework.