
The planned use of Palantir: a risk to data protection and digital sovereignty?

The most important facts at a glance
- Transparency and traceability: Proprietary tools such as Palantir are considered “black boxes”; transparency requirements are therefore critical.
- Data protection as an integral part: Technical and organizational measures are indispensable, especially with regard to GDPR & revDSG as well as third-country transfers (e.g., USA via CLOUD Act).
- Typical stumbling blocks: Unclear responsibilities, lack of training, and lack of transparency jeopardize data protection-compliant use.
- Recommendation: Professional support: Internal audits, clear responsibilities, and data protection impact assessments help to minimize legal risks.
Introduction: Palantir under scrutiny: efficiency gains or data protection risks?
The debate about the possible nationwide use of the data analysis software Palantir is gathering momentum. Following its use in Hesse and North Rhine-Westphalia, the tool is now being examined for possible use at the federal level. While proponents point to efficiency and improved security structures, critics highlight risks to data protection and informational self-determination. The aim of this article is to provide an objective overview of the legal basis, technical background, and practical implications.
What is Palantir?
Palantir Technologies was founded in Silicon Valley in 2003 and is now one of the best-known providers in the field of data analysis. Originally founded with financial support from In-Q-Tel, which has close ties to the CIA, Palantir initially developed software for intelligence agencies and the military. Its customers now also include public institutions and large companies.
Palantir's best-known products are “Gotham” (for governments and security agencies) and “Foundry” (for companies). Both platforms make it possible to link a wide variety of data sources, visualize them, and search for specific patterns or risks. The technologies used employ artificial intelligence, machine learning, and graph-based data analysis.
In Germany, Palantir is already being used by police authorities in Hesse and North Rhine-Westphalia. The aim is to enable faster, networked evaluation of information relevant to investigations. For example, communication data, movement profiles, and social connections can be merged and analyzed in a single system. This capability promises greater efficiency, but also poses significant data protection challenges.
The discussion focuses not only on technical performance, but also on whether there is sufficient transparency with regard to data processing and system decisions. Critics complain that proprietary software solutions such as those from Palantir often act like a “black box” whose inner workings are difficult to understand. This is particularly problematic in the public sector.
Palantir Technologies is a US company that develops software for data integration and analysis. Its products are used by security agencies, intelligence services, and companies worldwide to evaluate large amounts of data and reveal connections.
In Germany, Palantir's software is already being used by certain police authorities, for example to merge data sources such as telecommunications and movement data. The aim is to enable faster, networked analysis during investigations. Support for this approach is based on the hope that it will enable a better understanding of complex situations and a faster response.
Legal basis: GDPR and revDSG
GDPR
The General Data Protection Regulation (GDPR) applies throughout the EU and specifies the conditions under which personal data may be processed. Relevant principles are:
- Purpose limitation
- Data minimization
- Transparency
- Proportionality
- Security of processing
- Rights of data subjects (e.g., access, erasure, objection)
Particularly relevant in the case of Palantir: The GDPR imposes strict requirements on the transfer of personal data to third countries outside the EU, e.g., to the US. Such transfers are only permitted if an adequate level of data protection is guaranteed.
revDSG
Since September 2023, the revised Data Protection Act (revDSG) has been in force in Switzerland; it corresponds to the GDPR in many respects. Here, too, principles such as purpose limitation, transparency, and data security apply. Internationally active companies in particular must comply with both the GDPR and the revDSG.
Opportunities and concerns from a data protection perspective
Opportunities through data-based analysis
Data analysis software such as Palantir can help law enforcement and security agencies to sift through large and heterogeneous data sets more quickly and identify relevant information at an early stage. This can lead to more efficient use of resources and improve operational decision-making.
In the fight against organized crime, terrorism, or cybercrime in particular, automated pattern recognition can be used to identify potential sources of danger at an earlier stage and create risk profiles for targeted intervention. The consolidation of previously isolated data sources can also create operational synergies and enable new investigative approaches.
In addition, there is potential for the use of such systems in other areas of public administration, such as crisis management, pandemic response, or risk analysis in disaster control, provided that data protection regulations are complied with.
Data protection challenges
The use of data analytics systems such as Palantir poses a number of potential challenges in terms of data protection, particularly with regard to sensitive personal information.
- Processing of particularly sensitive data: This may include health data, political opinions, or data on ethnic origin, the protection of which is subject to particularly strict regulations under the GDPR and the revDSG.
- Possible misuse: If data collected for a specific purpose is used in new contexts, there is a risk of violating the principle of purpose limitation. This risk is particularly high when different data sources are linked retrospectively.
- Uncontrolled data transfer or linking: Complex systems can lead to data being combined to an extent that was neither originally intended nor transparently communicated.
- Access by US authorities under the CLOUD Act or FISA 702: US providers may be required to access or disclose data even if the servers are physically located in the EU. This leads to legal uncertainty.
- Ensuring technical and organizational measures (TOMs): In order to meet legal requirements, mechanisms such as access controls, encryption, logging, and separation of roles must be verifiably and effectively implemented.
These challenges require an early and comprehensive data protection impact assessment and, where necessary, consultation with the competent supervisory authority.
Role of supervisory authorities
Data protection supervisory authorities assess whether systems such as Palantir are compatible with applicable data protection law. Ulrich Kelber (BfDI) emphasizes the importance of clear legal foundations and points out the risks of automated data linking. State data protection authorities also call for strict purpose limitation and transparent control mechanisms. For companies, these assessments provide guidance on how to design their own data processing systems in compliance with the law and identify data protection risks at an early stage.
Recommendations for companies
- Create transparency: Document data flows, storage locations, and access
- Review data processing agreements (AVV) & TOMs: Document contracts and security measures with service providers
- Analyze data transfers: Critically evaluate transfers to third countries and supplement technical protective measures if necessary
- Strengthen internal processes: Involve data protection officers in IT projects at an early stage
- Regular audits: Identify and document risks
Outlook: Data protection between innovation and responsibility
Technological developments in the field of big data and AI offer great opportunities, but at the same time, the requirements for data protection, security, and transparency are increasing. Whether Palantir or other providers: The decisive factor is how carefully selection, integration, and control are carried out.
Political decision-makers and companies alike should be aware that data protection is not only a legal responsibility but also an ethical one.
Conclusion
The potential use of Palantir at the federal level highlights the challenges of modern data processing in the conflict between security, innovation, and data protection. What matters is not the origin of a tool, but how responsibly it is used.
Companies should take this discussion as an opportunity to reflect on their own data protection practices and strengthen their digital sovereignty.
Frequently asked questions (FAQs)
Does the use of US software automatically constitute a violation of the GDPR?
No, but there are special requirements for data transfers and access protection. Standard contractual clauses and technical measures are essential.
When is a data protection impact assessment required?
Whenever there is a high risk to the rights and freedoms of the data subjects. This applies, for example, to systems that use profiling or comprehensive data analysis.
What alternatives are there for companies?
The European market increasingly offers data protection-compliant software solutions that are subject to EU law. It is crucial to check provider locations, encryption technologies, and transparency criteria.


