Privacy International

PHR2004 - Federal Republic of Germany

Federal Republic of Germany

Article 10 of the Basic Law (or Grundgesetz, the German Constitution) states: "(1) Privacy of letters, posts, and telecommunications shall be inviolable. (2) Restrictions may only be ordered pursuant to a statute. Where a restriction serves to protect the free democratic basic order or the existence or security of the Federation, the statute may stipulate that the person affected shall not be informed of such restriction and that recourse to the courts shall be replaced by a review of the case by bodies and auxiliary bodies appointed by Parliament." Attempts to amend the Basic Law to include a right to data protection were discussed after reunification, when the Constitution was revised, and were successfully opposed by the then-conservative political majority.

In a 1983 case against a government census law, the Federal Constitutional Court formally acknowledged an individual's "right of informational self-determination" which is limited by the "predominant public interest." The central part of the verdict stated, "Who can not certainly overlook which information related to him or her is known to certain segments of his social environment, and who is not able to assess to a certain degree the knowledge of his potential communication partners, can be essentially hindered in his capability to plan and to decide. The right of informational self-determination stands against a societal order and its underlying legal order in which citizens could not know any longer who what and when in what situations knows about them."[1] This landmark court decision derived the "right of informational self-determination" directly from Articles 1 (1) and 2 (1) of the Basic Law, which declare personal rights (Persönlichkeitsrecht) to freedom are inviolable.

Germany has one of the strictest data protection laws in the European Union. The world's first data protection law was passed in the German Land of Hessen in 1970. In 1977, a Federal Data Protection Law (Bundesdatenschutzgesetz or BDSG) followed, which was reviewed in 1990, amended in 1994[2] and 1997. The final revision took place in 2002 to be in line with the EU Data Protection Directive.[3] The general purpose of this law is "to protect the individual against violations of his personal rights by handling person-related data." The law covers collection, processing and use of personal data collected by public federal and state authorities (as long as there is no state regulation), and by non-public offices, if they process and use data for commercial or professional aims.

The 2001 revisions to the BDSG include regulations on transmitting personal data abroad, video surveillance, anonymization and pseudonymization, smart cards, and sensitive data collection (relating to race/ethnic origin, political opinions, religious or philosophical convictions, union membership, health, and sexual orientation). It grants data subjects greater rights of objection. It also states that companies must now appoint a data protection officer if they collect, process, or use personal information; that databases collecting such information must be registered with German data protection authorities (DPAs); and that consent from the individual whose data is collected is required after full disclosure of data collection and its consequences. According to the Federal Data Protection Commissioner (BfD), secondary legislation will need to be introduced on the auditing requirements and a more general revision of German data protection law may be outlined by the end of 2005.[4] According to the Conference of German DPAs, the main challenges will be to introduce "opt in" instead of "opt out" solutions for marketing; improve the ability to use the Internet anonymously; and ensure consent to use personal data.[5]

The Federal Data Protection Commission (Bundesbeauftragter für den Datenschutz, or BfD) is an independent federal agency that supervises the Federal Data Protection Act.[6] Its chief duties include receiving and investigating complaints, as well as submitting recommendations to parliament and other governmental bodies. The BfD publishes a bi-annual activity report.[7] In 2003 there were between 10,000 and 20,000 data controllers registered by the agency.[8] However, the number of controllers is steadily decreasing as federal agencies, in compliance with the 2001 changes to the Act, appoint in-house data protection officers, as an alternative to registration under the Act.[9] The BfD, which has 70 people on staff, handles about 4,500 written and oral complaints and carries out approximately 45 investigations each year.[10]

All of the sixteen Länder have their own specific data protection regulations that cover the public sector of the Länder administrations. All Länder have adopted new data protection laws pursuant to the EU Data Protection Directive.[11] Each Land also has a data protection commissioner to enforce the Länder data protection acts and supervise the private sector.[12]

Another important federal law in Germany is the G-10 law, which imposes limitations on the secrecy of certain communications. The G-10 law was amended in 2001 to require that service providers give law enforcement the means to monitor data as well as voice lines.[13] Officials are trying to convince Internet Service Providers to self-regulate content,[14] and European ISPs and data protection commissioners continue to resist demands from police agencies to allow expanded surveillance of e-mail and store related data. These demands proposed by the Ministry of Internal Affairs are similar to the ENFOPOL 38 proposals at the EU level.

In May 2002 the European Parliament voted to adopt a series of amendments that modified current telecommunications privacy law and took effect in October 2003.[15] These amendments do not impose limitations on how long EU member governments can retain personal information for use in criminal investigations, and require ISPs to lengthen the time they store information regarding subscribers' online and phone activity.[16] The Federal Constitutional Court has set out strict limitations for the retention of personal data for purposes other than the original ones (for official requirements or the conclusion of a contract). For these reasons, Germany has been very reluctant to accept new European laws providing for the retention of data for a period of up to two years.[17] Nevertheless, there are many proposals published by the European Community and the Bundesrat (second chamber of the federal legislature representing the Länder governments) requiring not only ISPs, but all telecommunications and multimedia service providers to systematically retain all data without any suspicion for at least six months. A recent questionnaire circulated by the EU working party on cooperation in criminal matters indicates a proposal to mandate retention of such data for law enforcement purposes for a period of 12-36 months. This proposal and others continue to be strongly opposed by the German data protection authorities because of the implications for the hindrance of freedom of speech, access to information, and privacy of communications,[18] and were left out altogether when adopting the new Telecommunication Law (TKG).[19]

In October 2001, the German government passed a law requiring fixed and wireless telecommunication companies to install, at least until January 2005, technology that gives police and security agencies access to most German communications. ISPs are not affected by this law.[20]

Wiretapping is also regulated by the G-10 law and requires a court order for criminal cases.[21] In July 1999, the Constitutional Court issued a decision on a 1994 law which authorizes warrantless automated wiretaps (screening method) of international communications by the Intelligence Service (BND) for purposes of preventing terrorism and illegal trade in drugs and weapons.[22] It was reported in 1999 that the BND had 1,400 operatives listening in on satellite communications.[23] The Constitutional Court ruled in December 1999 that the government could conduct surveillance of political parties if it is believed that they are hostile to the Constitution and information cannot be obtained by public means.[24] Also, telephone monitoring has been on the increase since 1995, when there were 4,674 instances of monitoring, up to 21,874 in 2002.[25] Four out of five wiretappings monitor cell-phones. This renewed rise of interventions in secret communications gives the federal commissioners great concern for data security. For years, the commissioners have appealed to prosecution authorities to use this means sparingly.[26]

Recently, the so-called "Grosser Lauschangriff" (Big Eavesdropping Attack), a law that contained a set of various additional authorizations for police to surveil potential criminals, was challenged before the Federal Constitutional Court. After a fiercely fought six-year political debate, a two-thirds majority of the German Parliament eventually approved a change to Section 13 of the Constitution in April 1998, making it legal for police authorities to place bugging devices even in private homes (provided there is a court order). This change was the provision for the Law for the Enhancement of the Fight Against Organized Crime, which became effective in 1999.[27] In March 2004, the German Federal Constitutional Court ruled[28] that significant portions of the 1998 Grosser Lauschangriff[29] wiretapping laws infringed upon the guarantees of human dignity and the inviolability of the home under Articles 1 and 13 of the constitution, or Basic Law.[30] The court held that certain communications are protected by an absolute area of intimacy where citizens can communicate privately without fear of government surveillance.[31] This includes conversations with close family members, priests, doctors and defense attorneys, but excludes conversations about crimes that have already been committed or the planning of future crimes. However, to justify surveillance between the target and such persons of trust, the government must show "there is strong reason to believe that the content of conversation does not fall in the area of intimacy,"[32] and that the crime is "particularly serious".[33] Once a specially protected conversation begins the eavesdropping must stop immediately and any recordings of that portion of the conversation must be erased. The German legislature has until June 2005 to amend Grosser Lauschangriff to comply with the court's decision.

In 2001, the Bundestag (the German Parliament) passed a new law providing access for police and law enforcement to "telecommunication connection data" for the investigation of serious crimes (in addition to, and independently of, wiretapping the contents of a telephone conversation). The law took effect in January 2002 and requires telecommunications service providers to disclose data, such as time and duration of use, place of use and identifying numbers.[34] However, the law contains a sunset clause of five years and requires further evaluation before its extension.[35] According to a recent survey, 75 percent of conducted telephone wiretapping actions violated the law. In most instances of wiretapping, law enforcement agencies did not inform the subjects after the eavesdropping took place, contrary to what is stipulated by the law.[36] Therefore, the data protection authorities have urged the federal government to conduct independent scientific evaluations to control the expansion of wiretapping, to cut it down where necessary, and to strengthen judicial oversight of its use.[37]

In April 1998, a law was passed that allows the Bundeskriminalamt (Federal Police) to run a nationwide database of genetic profiles related to criminal investigations and convicted offenders. One month later, the Bundesgrenzschutz (Border Protection Forces), originally a para-military border police force, now responsible for guarding railways and stations, received permission to check persons' identities and baggage without any concrete suspicion.[38]

Wherever they deal with the handling of personal information on natural persons, either directly or by amendments, nearly all German laws contain references to the respective data protection law or carry special sections on the handling of personal data that reflect the right to privacy. Most recently there have been several laws relating to communications privacy. The new Telecommunications Act of 2004 contains a whole chapter on data protection, incorporating provisions of an earlier Telecommunications Data Protection Ordinance.[39]

The Information and Communication Services (Multimedia) Act of 1997 sets protections for information used in computer networks.[40] Despite these statutory protections, a September 2001 poll revealed that two of every five German PC owners over the age of fourteen do not use the Internet because of data security concerns.[41] The Act also sets out the legal requirements for digital signatures, which were made legally binding by legislation passed in 2001 to conform to the EU Directive on a Community framework for electronic signatures (1999/93/EC).[42] In January 2002, the German government announced plans to provide, within three years, more than 200,000 federal employees with the ability to sign electronic documents with chip cards containing encrypted keys. Such signatures would hold the same legal weight as handwritten signatures on paper documents.[43]

Additionally, there are some privacy issues addressed by laws covering other areas. For example, it is an offense under Section 1 of the German Unfair Competition Act to send unsolicited commercial communications (spam) in Germany. This effectively means that sending direct marketing e-mail without the consumer's consent is illegal under German law, as the e-mail would be regarded as unsolicited.[44] Despite these legal protections, a June 2002 study conducted by the German Electronic Commerce Forum revealed that spam is considered a significant problem by German consumers.[45]

In 1996, the Berlin Data Protection Commissioner reached an agreement with German Railway and a US bank (Citibank), which were planning to issue combined Railway and Visa cards. As all the processing of information would have taken place in the United States, the Berlin Data Protection Commissioner invoked the EU Data Protection Directive's prohibition on transborder dataflows to stop the deal. The transaction was allowed to go through once German Railway and Citibank signed a contract guaranteeing German citizens the same protection for their personal information in the US as they enjoyed in Germany.[46] The agreement (later terminated for economic reasons) was an important precursor for transborder dataflows to the US and other countries without privacy laws.[47]

In May 2002, Germany's Minister of Health, Data Protection Commissioner, and healthcare organizations announced plans for the development of an electronic universal healthcare card. The proposed card will contain, among other data, a patient's identification and emergency healthcare information. Patients will be able to use the card to fill prescriptions and disclose healthcare information to physicians on a voluntary basis.[48] The card will likely be implemented in 2006.[49]

In June 2001, the German Ministry of the Economy and Labor presented a software prototype that would let consumers make anonymous Internet purchases and payments. The software was scheduled for general availability for testing in 2002. This is part of a project called Data Protection in Teleservices, the goal of which is to develop software that can accommodate data privacy law requirements. The Ministry of the Economy and Labor announced that seventy-nine percent of online shops fail to adequately inform customers about their data privacy rights, and that eighty-four percent of Germans have privacy concerns about surfing the web. The program meets the quality criteria for Internet data privacy protection and the Teleservices Data Privacy Law.[50]

There is currently no general Freedom of Information (FOI) act in Germany. On September 26, 2001, the Federal Government presented the design for a FOI law, Informationsfreiheitsgesetz (IFG). The law, which was supposed to be modeled after the US Freedom of Information Act, would have allowed citizens to request access to basically all information on federal authorities. In 2002, however, the proposed law was dropped by its sponsors.[51] The IFG is supposed to be reintroduced through 2006.[52] Some Länder already have their own FOI laws in effect. The Land of Brandenburg adopted a FOI law in 1998 to allow citizen access to government records.[53] The Information and Data Protection Commissioner enforces the act. More recently, Berlin, Schleswig-Holstein, and Nordrhein-Westfalen[54] have also adopted FOI laws.

Since 1990, a law[55] has allowed access to the files of the Stasi (Ministerium für Staatssicherheit), the security service of former East Germany, for individuals and researchers. The law created a Federal Commissioner for the Records of the State Security Services of the former German Democratic Republic (formerly the Gauck Authority, named after its first Commissioner), which has a staff of 3,000 piecing together shredded documents and making files available.[56] There have been 1.6 million requests from individuals for access to the files and 2.7 million requests for background checks since the archives became available.[57] Many of the files were destroyed in 1989, but in 1990, the US Central Intelligence Agency was able to obtain the names, aliases and payment histories of 4,000 spies who worked in various countries for the Stasi or informers from the Soviet Union. The US Government refused to give the files to the German government until December 1999, claiming that it would harm the people in the files.[58] In May 2000, files about former Chancellor Helmut Kohl's telephone calls were found to be missing from the archives when they were going to be used to investigate corruption. The Stasi had conducted extensive wiretapping of Kohl for years.[59] In late 2000, Kohl's lawyers launched legal action to prevent the publication of transcripts of his telephone conversations recorded by the Stasi. The government wanted to release those it believes are of historical interest, but Kohl's lawyers argued that the information was gathered illegally.[60] In July 2001, the Federal Administrative Court ruled that information collected by the Stasi about Kohl could not be disclosed to researchers or the media without Kohl's express consent. 
Subsequently, the German Parliament amended the Stasi Files Act to allow Kohl's files to become accessible by the media, at least to some extent.[61] The amendment, which came into force in September 2002, allows Stasi files to be disclosed to journalists and researchers, even where the subject is a victim of surveillance, if the information requested is linked with the political function or office of the person in question.[62] Kohl again brought suit, this time claiming that this amendment is unconstitutional. A lower Administrative court in Berlin dismissed their claim in September 2003. The case was appealed directly to the Federal Administrative Court. On June 23, 2004, this court upheld most of its original 2001 judgment, interpreting the amendment to the Stasi Files Act restrictively, with the effect that large parts of the files concerning the former chancellor will not be disclosed to the media. The court took the view that the Stasi violated the principles of the rule of law when spying on people, and that victims of such practices should therefore have control over whether this information is given to the media. However, researchers will still be allowed to access Stasi files with personal data if further disclosures to the public would be effectively prohibited.

Germany enacted several provisions intended to deter terrorist activity after the September 2001 attacks in the US. The Counterterrorism Act, which took effect in January 2002, comprehensively changed several existing laws. Among the most prominent revisions are those that create legal bases for biometric identification in passports and identity cards; make it easier for authorities to share information; allow the BND to request user information from ISPs, airlines, and travel agencies; and create a speech framework database to make possible speech recognition of asylum seekers.[63] In February 2002, the Interior Ministry announced that its counterterrorist efforts would include encrypted biometric identification cards for all citizens, as well as fingerprinting and face recognition technologies.[64] However, biometric identification cards have not yet been introduced. The Federal Ministry is searching for a common approach at the EU level. The data protection authorities (DPAs) do not oppose their use in general. Nevertheless, the DPAs stress that the following criteria must be met: 1. the Ministry must ensure that biometric data will not be used to gain other information about additional personal attributes; 2. persons must know which of their biometric data will be stored and used; 3. biometric data should be used only for the purpose of identification; 4. quick mechanisms to secure accuracy must be developed in order to prevent any discrimination.[65]

Citizens have challenged several of the tactics used by German law enforcement to uncover terrorist suspects. By February 2002, courts in Berlin and Frankfurt had upheld objections to the use of "computerized searches of government records" (or Rasterfahndung) to profile terrorist suspects based partly on religious identification.[66] Other courts thought the search was legal. However, the Federal DPA points out that all data of persons not related to terrorist activities have to be deleted immediately and new evaluations have to be carried out to test its efficiency.[67] Despite concerns raised by the public and the obvious inefficiency of the Rasterfahndung initiated after September 11, Germany submitted in April 2002 to the EU a proposal to make it possible to conduct investigations using this surveillance tool (Rasterfahndung) throughout the Union to help combat terrorism.[68]

In 2002, Germany decided to install a new system to electronically collect tolls for trucks using the national highways. The system tracks vehicles through GPS (Global Positioning System) and cellular phone networks. According to a common standpoint of the DPAs in 2001,[69] the Federal government implemented special data protection measures in the laws governing toll systems: data collection and processing are limited to the purpose of billing; all data must be deleted after the payment; and all data collected from vehicles that are not subject to a toll must be immediately deleted.[70] German authorities have also recently proposed implementation of a video surveillance system at toll collection points, to ensure that trucks from other countries are paying the proper tolls on the autobahn.[71] Video footage would be compared against a central database. Privacy and data security groups have protested this proposal, citing the possibility for using the data for purposes other than toll-collection. Indeed, although this surveillance data is only supposed to be used for toll-collection and enforcement purposes, the German police recently gained access to the data when trying to locate a stolen garbage truck.[72]

There have been several other video surveillance projects in Germany which have generated a response from privacy and data protection advocacy groups. For example, a private group called Der Grosse Bruder (Big Brother)[73] has created a map of Munich, highlighting all the video surveillance cameras installed there.[74] In 2003, the Humanistische Union (Humanistic Union)[75] sued a Berlin shopping center employing a video surveillance system with a range of vision which included a public street.[76] In Weimar, Germany, a local newspaper protested the installation of video surveillance cameras which watched the entrance of a newspaper building (along with medical and political offices), and the local government eventually uninstalled the cameras.[77]

Germany also implemented in the Criminal Code (StPO) the possibility of using a so-called IMSI-Catcher system to track individuals through the location of their cell phones. The bill, which entered into force on August 14, 2002, provides for law enforcement the ability to obtain, upon court request and from the time their request is granted, the data of individuals' movements and their cell phone device number (IMEI number) for a period of up to 6 months.[78]

The revision of the credit sector of the economy imposes rules for banks to disclose client data to the Federal Institution for the Supervision of the Credit Economy (FISCE).[79] The FISCE will store data about all owners of bank accounts or depots and is required to transfer them to other public agencies upon request. Banks also have to run special surveillance programs to detect suspicious money transfers. In a recent statement, the data protection commissioners urged banks to inform their clients in writing and obtain a written consent.[80]

The DPAs also stress that new opportunities to test human genetic code (DNA) for different purposes must be regulated in order to prevent misuse of genetic data. The commissioners point out that no one should be forced to take any genetic tests. They also require that the use of data gained through genetic tests not legally approved and without explicit consent of the concerned person should be criminalized.[81]

In May 2003 the German retail giant Metro started a trial project to introduce a new cashing and customer convenience program with small chips, called Radio Frequency Identification (RFID) chips, at their Metro Future Store. The chips will be attached to all products. When queried by a radio device, RFID chips respond by transmitting a unique ID code. It therefore allows customers to pay and checkout automatically by pushing a loaded trolley past a sensor. Combined with an automatically readable customer client card, the system would allow the tracking of all purchases and the linking to the customer's identity.[82] Metro claimed that the RFID chips could easily be deactivated, thus erasing any privacy invasions, but their process for deactivation leaves intact the unique identifying number on the RFID chip, so even "deactivated" cards can be traced back to their origin.[83] In March 2004, Metro halted the trial program in response to protests from digital rights groups regarding possible privacy violations.[84] Outcry was particularly forceful upon discovery that Metro had placed RFID devices in their "Extra Future Card" (personal customer shopping card) without notifying consumers.[85][86] This use of RFID was uncovered by a German NGO called FoeBuD by taking x-ray photos of the card.[87] FoeBuD also staged two protests, one in front of the Metro Future Store and one at a "pro-RFID" conference, and has recently been granted money by the Bewegungsstiftung[88] (a German group which supports and promotes social movements and reform projects) to develop the "privatizer," a small device which consumers could use to find hidden and embedded RFID chips in consumer products.[89] In a recent speech, the Federal Data Protection Commissioner pointed out the privacy implications of RFID, and called on the legislature to make provisions on RFID tags.[90]

There is a recent proposal to introduce an obligatory "smart jobcard" for all employees in Germany.[91] The proposal is motivated by the reduction of employers' costs of certification in social security matters. Data such as current employer, salary and working hours would be stored in a centralized database, which all social security entities could access on request, with consent of the owner of the job card. However, the Länder data protection commissioners claim that this project constitutes a systematic data collection without a specific purpose, and therefore violates the right of self-determination as enumerated by the Constitutional Court. The commissioners also feared that the use of the social security number (Rentenversicherungsnummer) as a personal identification number would create serious privacy implications. At a conference on April 25, 2004, the data protection commissioner for Schleswig-Holstein proposed some standards for the jobcard, such as a right of access to stored information by the employee, encryption of the data using a public key, and restricted access to the database.[92]

In a May 3-4, 2004 speech, the Federal Data Protection Commissioner Peter Schaar called for a new reform of German privacy laws. He referred to a widely-read study[93] which proposed huge legislative reforms in order to reduce the number of laws governing specific details of privacy protection. The study proposes to create one general statute, which refers only when necessary to more detailed regulations.[94] An ideal statute would provide general rules about the use of privacy-friendly techniques, data security, privacy standards, control of data processing, and self-regulation tools.[95] Peter Schaar also cites a need for a new data protection statute regarding the use of employees' personal data in the context of controlling web-surfing behavior and the protection of the employers' computer systems against viruses and spam.[96]

Germany is a member of the Council of Europe and has signed and ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (Convention No. 108)[97] and later signed an Additional Protocol to this convention.[98] It has also signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms (Convention No. 005).[99] In November 2002 Germany signed the Convention on Cybercrime but has not yet ratified it.[100] It is a member of the Organization for Economic Cooperation and Development (OECD) and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.



[1] BVerfGE 65, 1.

[2] Federal Act on Data Protection ("BDSG") January 27, 1977 (Bundesgesetzblatt, Part I, No 7, February 1, 1977), amended in 1990 <http://www.datenschutz-berlin.de/gesetze/bdsg/bdsgeng.htm>.

[3] Federal Act on Data Protection ("BDSG"), January 14, 2003 (Bundesgesetzblatt, Part I, No 3, 66 January 2003) <http://www.datenschutz-berlin.de/recht/de/bdsg/bdsg03.htm> (in German).

[4] See Overview of the current legislation of the Federal Data Protection Commission (October 1, 2002) <http://www.bfd.bund.de/information/aktbuges011002.pdf>.

[5] "65. Konferenz der Datenschutzbeauftragten des Bundes und der Länder, Dresden, 27. – 28.03. 2003" <http://www.bfd.bund.de/information/DS-Konferenzen/65dsk_ent1.html>.

[6] Homepage <http://www.bfd.bund.de/>.

[7] "19. Tätigkeitsbericht – 2001/2002," <http://www.bfd.bund.de/information/19tb0102.pdf>; Description of the duties of the Federal Data Protection Commissioner <http://www.bfd.bund.de/information/datprotec_en.html>.

[8] E-mail from Ulrich Dammann, Bundesbeauftragte für den Datenschutz, to Christian Schröder, Law Clerk, Electronic Privacy Information Center, April 4, 2003 (on file with EPIC).

[9] Id.

[10] Id.

[11] <http://europa.eu.int/comm/internal_market/privacy/law/implementation_en.htm#germany>; <http://www.datenschutz-bremen.de/gesetze/datenschutzgesetz/inhalt.htm>, <http://www.umwelt-online.de/recht/abfall/laender/sa/z03.htm>.

[12] Landesbeauftragten für den Datenschutz (the Representatives of the Länder's data protection authorities) <http://www.datenschutz-berlin.de/sonstige/behoerde/ldbauf.htm>.

[13] "Germany: New Law Allows More Extensive Government Monitoring of Phone Calls and Email," World Socialist Web Site, February 20, 2001.

[14] "IPs Must Help Stop Hate Web Content," Newsbytes, July 27, 2001.

[15] Tamsin McMahon, "European Parliament Accepts Privacy Law," EuropeMedia.net, May 30, 2002 <http://www.europemedia.net/shownews.asp?ArticleID=10749>.

[16] Paul Meller, "EU Set to Weaken Net Privacy Regime," New York Times, May 30, 2002.

[17] "Answers to a questionnaire on traffic data retention," Council of the European Union, November 20, 2002 <http://blubb.at/kuhm/temp/20112002tidy.html>; John Leyden, "Germany, Austria take stand against EU ISP data retention laws," The Register, November 21, 2002 <http://www.theregister.co.uk/content/6/28228.html>.

[18] 64 Konferenz der Datenschutzbeauftragten des Bundes und der Länder, Trier 24, October 25, 2002 <http://www.bfd.bund.de/information/DS-Konferenzen/64dsk_ent1.html>; 65. Konferenz der Datenschutzbeauftragten des Bundes und der Länder, Dresden, 27, March 28, 2003 <http://www.bfd.bund.de/information/DS-Konferenzen/65dsk_ent1.html>.

[19] "Vermittlungsausschuss winkt Telekommunikationsgesetz durch," May 5, 2004 <http://www.heise.de/newsticker/meldung/47141>.

[20] "Telekommunikations-überwachungsverordnung – TKÜV," January 22, 2002, BGBl. I Nr. 5, 458, <http://217.160.60.235/BGBL/bgbl1f/bgbl102005s458.pdf>; Steve Gold, "German Carriers Told To Install Cyber-Snooping Tech," Newsbytes, October 25, 2001.

[21] "Gesetz zur Beschraenkung des Brief-, Post- und Fernmeldegeheimnisses - Gesetz zu Artikel 10 des Grundgesetzes (GG10)" (Law Restricting the Secrecy of Correspondence of Letters, Mail and Telecommunications - Law Applying to Article 10 of the Constitution), August 13, 1968 (G10 BGBl. I, p. 949), last amended by the bill of October 28, 1994 (BGBl. I, p. 3186ff), the "Verbrechensbekämpfungsgesetz" (Crime-Fighting Law).

[22] <http://www.uni-wuerzburg.de/dfr/bv093181.html>.

[23] "German Phone Taps Are Routine," The Independent, July 10, 1999.

[24] "Constitutional Court Upholds Covert Investigation of Political Parties," The Week in Germany, December 10, 1999.

[25] "Telefonüberwachung, Freund und Helfer hört mit," Spiegelonline, May 2, 2003, available at <http://www.spiegel.de/netzwelt/politik/0,1518,247029,00.html>.

[26] "Telefonüberwachung, Freund und Helfer hört mit," Spiegelonline, May 2, 2003, available at <http://www.spiegel.de/netzwelt/politik/0,1518,247029,00.html>.

[27] Konferenz der Datenschutzbeauftragten des Bundes und der Länder, Dresden, 27, March 28, 2003, available at <http://www.bfd.bund.de/information/DS-Konferenzen/65dsk_ent1.html>.

[28] BVerfG, 1 BvR 2378/98 vom 3.3.2004, Absatz-Nr. (1 - 373), available at <http://www.bverfg.de/entscheidungen/rs20040303_1bvr237898.html> (in German).

[29] "Grosser Lauschangriff: Definition, Bedeutung, Erklärung im Lexikon," Net Lexicon, available at <http://www.lexikon-definition.de/Grosser-Lauschangriff.html> (in German).

[30] Basic Law for the Federal Republic of Germany, I. Basic Rights, Articles 1, 13, available at <http://www.bundesregierung.de/en/Federal-Government/Function-and-constitutional-ba-,10222/I.-Basic-rights.htm>.

[31] C. Schröder, "Wiretap in Germany", German American Law Journal: American Edition (March 11, 2004), available at <http://www.recht.us/amlaw/2004/03/11>.

[32] Schröder, Id.

[33] University College of London, Faculty of Laws, Institute of Global Law, "German Legal News - Constitutional Law," available at <http://www.ucl.ac.uk/laws/global_law/legal-news/german/index.shtml?constitution>.

[34] Federal Bulletin, BGBL I 2001, 3879, available at <http://217.160.60.235/BGBL/bgbl1f/b101073f.pdf>.

[35] Id.; "Pressemitteilung des Bundesbeauftragten für den Datenschutz zum Tätigkeitsbericht 2001/2002" May 7, 2003 <www.bfd.bund.de/Presse/pm20030507.html>.

[36] "Dreiviertel aller Lauschangriffe rechtswidrig," Der Spiegel Online, January 9, 2003 <http://www.spiegel.de/politik/deutschland/0,1518,229958,00.html>.

[37] Konferenz der Datenschutzbeauftragten des Bundes und der Länder, Dresden, 27, March 28, 2003 <http://www.bfd.bund.de/information/DS-Konferenzen/65dsk_ent1.html>.

[38] "New Powers for the Border Police: Checks Anywhere at Any Time," Fortress Europe, FECL 56 (December 1998).

[39] Telecommunications Carriers Data Protection Ordinance ("TDSV") of July 12, 1996 (Federal Law Gazette, I, 982), Federal Ministry of Posts and Telecommunications <http://www.datenschutz-berlin.de/gesetze/medien/tdsve.htm>.

[40] Federal Act Establishing the General Conditions for Information and Communication Services - Information and Communication Services Act - (Informations- und Kommunikationsdienste-Gesetz - IuKDG) June 13, 1997 <http://www.datenschutz-berlin.de/gesetze/medien/iukdge.htm>. See also Resolution of the Conference of Data Protection Commissioners of the Federation and the Länder of 29 April 1996 on key points for the regulation in matters of data protection of online services <http://datenschutz-berlin.de/sonstige/konferen/sonstige/old-res2.htm>.

[41] "Data Theft Terror: German PC Owners Refuse to Surf," Deutsche Presse-Agentur, September 23, 2001.

[42] Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures <http://europa.eu.int/smartapi/cgi/sga_doc?smartapi!celexapi!prod!CELEXnumdoc&lg=EN&numdoc=31999L0093&model=guichett>; see also "Fifth Annual Report on the Situation Regarding the Protection of Individuals With Regard to the Processing of Personal Data and Privacy in the European Union and in Third Countries," Data Protection Working Party, March 6, 2002, Part II, 37, available at <http://europa.eu.int/comm/internal_market/privacy/docs/wpdocs/2002/wp54en_2.pdf>.

[43] Rick Perera, "German Federal Employees Get Digital Signatures," CNN.com, January 21, 2002 <http://www.cnn.com/2002/TECH/ptech/01/21/german.government.idg/index.html>.

[44] "Personal Protection," The Lawyer, May 14, 2001.

[45] "Spam Fuelling Consumer Backlash: Study," The Sydney Morning Herald, June 6, 2002 <http://www.smh.com.au/articles/2002/06/06/1022982732852.html>.

[46] Christopher Millard & Mark Ford, Data Protection Laws of the World, (Sweet and Maxwell 2000), Volume 1, Data Protection and the Internet, at 9.

[47] Dr. iur. Alexander Dix, "Case Study: North America and the European Directive - The German RailwayCard: A Model Contractual Solution of the "Adequate Level of Protection" Issue?" September 1996 <http://www.datenschutz-berlin.de/sonstige/konferen/ottawa/alex3.htm>.

[48] "Healthcare Groups Agree Parameters for Health Card," World Data Protection Report, vol. 2, issue 6 (June 2002). See generally about the specific privacy issues related to the Health Card, 65. Konferenz der Datenschutzbeauftragten des Bundes und der Länder, Dresden, 27, March 28, 2003 <http://www.bfd.bund.de/information/DS-Konferenzen/65dsk_ent1.html>.

[49] "Elektronische Gesundheitskarte und elektronisches Rezept" <http://www.bundesregierung.de/Themen-A-Z/Gesundheit-und-Soziales-,7209/Arzneimittel-und-Gesundheitspa.htm>.

[50] "German Government Searches Net Music Lovers' Homes," BNA World Data Protection Report, May 2001.

[51] E-mail from Alexander Dix, Commissioner for Data Protection and Access to Information, Brandenburg, to EPIC, June 5, 2002 (on file with EPIC).

[52] Overview of the current legislation (10/01/2002) of the Federal Data Protection Commission <http://www.bfd.bund.de/information/aktbuges011002.pdf>.

[53] Akteneinsichts- und Informationszugangsgesetz ("AIG"), 1998.

[54] <http://www.informationsfreiheit.de/info_deutschland/index.htm>.

[55] See the Stasi Records Act, available at <http://www.bstu.de/englisch/index.htm> (English translation).

[56] Web Site: <http://www.bstu.de/home.htm>.

[57] "Gauck Reports Steady Flow of Inquiries about Stasi Records," The Week in Germany, July 16, 1999.

[58] "U.S.-Held Files Seen Uncovering E. German Spies," Reuters, February 4, 1999.

[59] "Stasi Files on Kohl's Tapped Calls Vanish," The Times, May 17, 2000.

[60] "Kohl Sues to Gag Stasi Files," BBC News, December 8, 2000.

[61] E-mail from Alexander Dix, Commissioner for Data Protection and Access to Information, Brandenburg, to EPIC, December 23, 2003.

[62] Act Regarding the Records of the State Security Service of the Former German Democratic Republic (Stasi Records Act), v. 20.12.1991 (Federal Law Gazette I S. 2272), available at <http://www.bstu.de/rechtl_grundl/stug/stugenglisch.rtf>.

[63] See Terrorismusbekämpfungsgesetz BGBl 2002, I, 361 <http://www.bmi.bund.de/Annex/de_15999/Terrorismusbekaempfungsegsetz_PDF-Datei.pdf>.

[64] Teresa Anderson, American Security Management, February 1, 2002.

[65] 63. Konferenz der Datenschutzbeauftragten des Bundes und der Länder, March 7-8, 2002, <http://www.bfd.bund.de/information/DS-Konferenzen/63dsk_ent1.html>.

[66] John Hooper, "German Courts Put Terror Hunt In Doubt," The Guardian, February 2, 2002 at <http://www.guardian.co.uk/international/story/0,3604,643720,00.html>.

[67] "Pressemitteilung des Bundesbeauftragten für den Datenschutz zum Tätigkeitsbericht 2001/2002," May 7, 2003 <www.bfd.bund.de/Presse/pm20030507.html>.

[68] Jelle van Buuren, "Rasterfahndung at European Level?," Telepolis, April 4, 2002 <http://www.heise.de/tp/english/inhalt/te/12274/1.html>.

[69] 62. Konferenz der Datenschutzbeauftragten des Bundes und der Länder, October 24-26, 2001 <http://www.bfd.bund.de/information/DS-Konferenzen/62dsk_ent3.html>.

[70] Gesetz zur Änderung des Fernstrassenbauprivatisierungsgesetzes, BGBl. I 2002 Nr. 63, 3442; <http://217.160.60.235/BGBL/bgbl1f/bgbl102s3442.pdf>.

[71] E-mail from Bettina Winsemann, Staff Member, STOP1984, to the Electronic Privacy Information Center, July 9, 2004.

[72] Christiane Schulzki-Haddouti, "Fahnder wollen Daten aus LKW-Mautsystem" ("Investigators Want Data from Truck Toll System"), Heise online, October 31, 2003 <http://www.heise.de/newsticker/meldung/41560>.

[73] Der Grosse Bruder (Big Brother) <http://dergrossebruder.org>.

[74] Munich Atlas <http://dergrossebruder.org/main.php?id=74000>.

[75] Humanistische Union (Humanistic Union) <http://www.humanistiche-union.de>.

[76] Stefan Krempl, "Urteil schränkt Videoüberwachung ein" ("Judgement limits video monitoring"), Heise online, December 12, 2003 <http://www.heise.de/newsticker/meldung/43130>.

[77] Peter Nowak, "Weimarer Provinzposse mit Kamera," Telepolis, October 27, 2003 <http://www.heise.de/tp/deutsch/inhalt/te/15950/1.html>.

[78] 19. Tätigkeitsbericht – 2001/2002 at 54-55 <http://www.bfd.bund.de/information/19tb0102.pdf>.

[79] Christian Schröder, Germany Prepares Extension of Anti-Money Laundering Law, 18 Int'l Enforcement L. Rep. 315 (2002); "Maßnahmen zur Bekämpfung der Terrorismusfinanzierung und der Geldwäsche in Deutschland," (Ministry of Finance Publishing New Measures to Fight Terrorism Financing and Money Laundering) June 19, 2002 <http://www.bundesfinanzministerium.de/Finanz-und-Wirtschaftspolitik/Terrorismusbekaempfung-.833.12650/Massnahmen-zur-Bekaempfung-der-Terrorismusfinanz.htm>; Gesetz zur Verbesserung der Bekämpfung der Geldwäsche und der Finanzierung des Terrorismus (Geldwäschebekämpfungsgesetz), BGBl. I 2002, at 3105 ff.

[80] 63. Konferenz der Datenschutzbeauftragten des Bundes und der Länder, March 7-8, 2002 <http://www.bfd.bund.de/information/DS-Konferenzen/63dsk_ent4.html>.

[81] 65. Konferenz der Datenschutzbeauftragten des Bundes und der Länder, Dresden, March 27-28, 2003 <http://www.bfd.bund.de/information/DS-Konferenzen/65dsk_ent1.html>; Pressemitteilung des Bundesbeauftragten für den Datenschutz zum Tätigkeitsbericht 2001/2002, May 7, 2003 <www.bfd.bund.de/Presse/pm20030507.html>.

[82] "Retail Future: Painless Checkout, Knowing Scanners," Reuters, May 14, 2003 <http://www.forbes.com/home_europe/newswire/2003/05/14/rtr970418.html>.

[83] E-mail from Bettina Winsemann, Staff Member, STOP1984, to EPIC, July 12, 2004.

[84] "German Revolt Against RFID," The Register, March 1, 2004 <http://www.theregister.co.uk/2004/03/01/german_revolt_against_rfid/>.

[85] See FoeBuD, RFID web page <http://www.foebud.org/rfid/>.

[86] Under § 6(c) of the BDSG, notice must be provided to data subjects of communications with "intelligent" RFID (devices with integrated processors), thus prohibiting secret reading or writing of personal information. However, Germany does not yet have any regulations specifically addressing "non-intelligent" RFID, which still create a privacy risk, as they can be linked to personal information held elsewhere without violating § 6(c). (E-mail from Christian Schröder, former Law Clerk with EPIC, June 18, 2004 (on file with EPIC).)

[87] FoeBuD, RFID web page <http://www.foebud.org/rfid/>.

[88] Bewegungsstiftung <http://www.bewegungsstiftung.de/>.

[89] E-mail from Bettina Winsemann, Staff Member, STOP1984, to EPIC, July 12, 2004. See also "Funkchip-Kontrolle für Konsumenten" (Radio Chip Control for Consumers) <http://www.google.com/search?q=foebud+privatizer&ie=UTF-8&oe=UTF-8>.

[90] Peter Schaar (Federal Data Protection Commissioner), "Datenschutz als Verbraucherschutz: Neue Herausforderungen am Beispiel von Smart Chips und Kundenkarten," April 5, 2004, available at <http://www.bfd.bund.de/aktuelles/akt20040513.pdf>.

[91] E-mail from Christian Schröder, supra.

[92] See Stellungnahme des Unabhängigen Landeszentrums für Datenschutz (Statement of the Independent National Center for Data Security) <http://www.datenschutzzentrum.de/material/themen/jobcard/>.

[93] "Gutachten zur Modernisierung des Datenschutzrechts" (Proposals for the Modernization of the Data Protection Law), September 2001 <http://www.bmi.bund.de/Annex/de_11695/Gutachten_zur_Modernisierung_des_Datenschutsrechts.pdf>.

[94] E-mail from Christian Schröder, supra.

[95] Id.

[96] Schaar also questions proposals to reform the Electronic Signature Statute, which the Parliament wants to change to require all certification centers to disclose the identity of all signature key owners to law enforcement, intelligence, or tax agencies upon request. The law as it stands merely stipulates the disclosure in cases where the signature owner is using a pseudonym. Peter Schaar, supra.

[97] Council of Europe, Legal Affairs, Treaty Office <http://conventions.coe.int/Treaty/en/Treaties/Html/108.htm>.

[98] Council of Europe, Additional Protocol to the Convention for the Protection of Individuals with regard to the Automatic Processing of Personal Data, Regarding Supervisory Authorities and Transborder Data Flows, <http://conventions.coe.int/Treaty/EN/searchsig.asp?NT=181&CM=8&DF=>.

[99] Council of Europe, Legal Affairs, Treaty Office <http://conventions.coe.int/Treaty/en/Treaties/Html/005.htm>.

[100] Council of Europe, Convention on Cybercrime <http://conventions.coe.int/treaty/EN/searchsig.asp?NT=185&CM=7&DF=09/01/02>.

