Federal Republic of Germany

Article 10 of the Basic Law (or Grundgesetz, the German Constitution) states: "(1) Privacy of letters, posts, and telecommunications shall be inviolable. (2) Restrictions may only be ordered pursuant to a statute. Where a restriction serves to protect the free democratic basic order or the existence or security of the Federation, the statute may stipulate that the person affected shall not be informed of such restriction and that recourse to the courts shall be replaced by a review of the case by bodies and auxiliary bodies appointed by Parliament." Attempts to amend the Basic Law to include a right to data protection were discussed after reunification, when the Constitution was revised, and were successfully opposed by the then-conservative political majority.

In a 1983 case against a government census law, the Federal Constitutional Court formally acknowledged an individual's "right of informational self-determination" which is limited by the "predominant public interest." The central part of the verdict stated, "Who can not certainly overlook which information related to him or her is known to certain segments of his social environment, and who is not able to assess to a certain degree the knowledge of his potential communication partners, can be essentially hindered in his capability to plan and to decide. The right of informational self-determination stands against a societal order and its underlying legal order in which citizens could not know any longer who what and when in what situations knows about them."[1179] This landmark court decision derived the "right of informational self-determination" directly from Articles 1 (1) and 2 (1) of the Basic Law, which declare personal rights (Persönlichkeitsrecht) to freedom are inviolable.

Germany has one of the strictest data protection laws in the European Union. The world's first data protection law was passed in the German Land of Hessen in 1970. In 1977, a Federal Data Protection Law (Bundesdatenschutzgesetz or BDSG) followed, which was reviewed in 1990, amended in 1994[1180] and 1997. The final revision took place in 2002 to be in line with the EU Data Protection Directive.[1181] The general purpose of this law is "to protect the individual against violations of his personal rights by handling person-related data." The law covers collection, processing and use of personal data collected by public federal and state authorities (as long as there is no state regulation), and by non-public offices, if they process and use data for commercial or professional aims.

Germany was slow to update its law to make it consistent with the EU Data Protection Directive. Under the terms of the directive Germany should have harmonized its law by October 1998. The European Commission announced in January 2000 that it was going to take Germany to court for failure to implement the directive. An amending bill was approved by the Government on June 14, 2000 and finally passed into law in May 2001.[1182] The 2001 revisions to the BDSG include regulations on transmitting personal data abroad, video surveillance, anonymization and pseudonymization, smart cards, and sensitive data collection (relating to race/ethnic origin, political opinions, religious or philosophical convictions, union membership, health, and sexual orientation). It grants data subjects greater rights of objection. It also states that companies must now appoint a data protection officer if they collect, process, or use personal information; that databases collecting such information must be registered with German data protection authorities (DPAs); and that consent from the individual whose data is collected is required after full disclosure of data collection and its consequences. According to the Federal Data Protection Commission (BfD), secondary legislation will need to be introduced on the auditing requirements, and a more general revision of German data protection law may be outlined by the end of 2005.[1183] According to the Länder's DPAs, the main challenges will be to introduce "opt in" instead of "opt out" solutions for marketing, improve the ability to use the Internet anonymously, and ensure consent to use personal data.[1184]

The Federal Data Protection Commission (Bundesbeauftragter für den Datenschutz, or FDPC) is an independent federal agency that supervises the Federal Data Protection Act.[1185] Its chief duties include receiving and investigating complaints, as well as submitting recommendations to parliament and other governmental bodies. The FDPC publishes an annual activity report.[1186] In 2003 there were between 10,000 and 20,000 data controllers registered by the agency.[1187] However, the number of controllers is steadily decreasing as federal agencies, in compliance with the 2001 changes to the Act, appoint in-house data protection officers, as an alternative to registration under the Act.[1188] The Commission, which has 70 people on staff, handles about 4,500 written and oral complaints and carries out approximately 45 investigations each year.[1189]

All of the sixteen Länder have their own specific data protection regulations that cover the public sector of the Länder administrations. All Länder except Sachsen have adopted new data protection laws pursuant to the EU Data Protection Directive.[1190] Each Land also has a data protection commissioner to enforce the Land's data protection act and supervise the private sector.[1191]

Another important federal law in Germany is the G-10 law, which imposes limitations on the secrecy of certain communications. The G-10 law was amended in 2001 to require that service providers give law enforcement the means to monitor data as well as voice lines.[1192] Officials are trying to convince Internet Service Providers to self-regulate content,[1193] and European ISPs and data protection commissioners continue to resist demands from police agencies to allow expanded surveillance of e-mail and store related data. These demands proposed by the Ministry of Internal Affairs are similar to the ENFOPOL 38 proposals at the EU level.

In May 2002 the European Parliament voted to adopt a series of amendments that will modify current telecommunications privacy law and will take effect in October 2003.[1194] These amendments do not impose limitations on how long EU member governments can retain personal information for use in criminal investigations, and require ISPs to lengthen the time they store information regarding subscribers' online and phone activity.[1195] The Federal Constitutional Court has set out strict limitations for the retention of personal data for purposes other than the original ones (for official requirements or the conclusion of a contract). For these reasons, Germany has been very reluctant to admit new European laws providing for the retention of data for a period of up to two years.[1196] Nevertheless, there are many proposals published by the European Community and the German government requiring, not only ISPs, but all telecommunications and multimedia service providers to systematically retain all data without any suspicion for at least six months. The proposals are strongly opposed by the German data protection authorities.[1197]

In October 2001, the German government passed a law requiring fixed and wireless telecommunication companies to install, at least until January 2005, technology that gives police and security agencies access to most German communications. ISPs are not affected by this law.[1198]

Wiretapping is also regulated by the G-10 law and requires a court order for criminal cases.[1199] In July 1999, the Constitutional Court issued a decision on a 1994 law which authorizes warrantless automated wiretaps (screening method) of international communications by the Intelligence Service (BND) for purposes of preventing terrorism and illegal trade in drugs and weapons.[1200] It was reported in 1999 that the BND had 1,400 operatives listening in on satellite communications.[1201] The Constitutional Court ruled in December 1999 that the government could conduct surveillance of political parties if it is believed that they are hostile to the constitution and information cannot be obtained by public means.[1202] Also, telephone monitoring has been on the increase since 1995, when there were 4,674 instances of monitoring, up to 21,874 in 2002.[1203] Four out of five wiretaps monitor cell phones. This renewed rise of interventions in secret communications gives the federal commissioners great concern for data security. For years, the commissioners have appealed to prosecution authorities to use this means sparingly.[1204] Currently, the so-called "Grosser Lauschangriff" (Big Eavesdropping Attack), a law adopted in 1998 that contained a set of various additional authorizations for police to surveil potential criminals, is being challenged before the Federal Constitutional Court. Plaintiffs and various DPAs argue that the law violates human dignity and the right to be left alone in one's home, and that it is unnecessary to effectively combat crime.[1205] The Court held a hearing on July 1, 2003 but a decision has not been rendered yet.[1206] In 2001, the Bundestag (the German Parliament) passed a new law providing access for police and law enforcement to "telecommunication connection data" for the investigation of serious crimes. The law took effect in January 2002 and requires telecommunications service providers to disclose data such as time and duration of use, place of use and identifying numbers.[1207] However, the law contains a sunset clause of five years and requires further evaluation before its extension.[1208] According to a recent survey, 75% of conducted telephone monitoring actions violated the law. In most instances of monitoring, law enforcement agencies did not inform the subjects after the eavesdropping took place, contrary to what is stipulated by the law.[1209] Therefore, the data protection authorities have urged the federal government to conduct independent scientific evaluations to control the expansion of wiretapping, to cut it down where necessary, and to strengthen judicial oversight of its use.[1210]

After a fiercely fought six-year political debate, a two-thirds majority of the German Parliament eventually approved a change to Section 13 of the Constitution in April 1998, making it legal for police authorities to place bugging devices even in private homes (provided there is a court order). The change paved the way for the Law for the Enhancement of the Fight Against Organized Crime, which became effective in 1999. In April 1998, a law was passed that allows the Bundeskriminalamt (Federal Police) to run a nationwide database of genetic profiles related to criminal investigations and convicted offenders. One month later, the Bundesgrenzschutz (Border Protection Forces), originally a para-military border police force, now responsible for guarding railways and stations, received permission to check persons' identities and baggage without any concrete suspicion.[1211]

Wherever they deal with the handling of personal information on natural persons, either directly or by amendments, nearly all German laws contain references to the respective data protection law or carry special sections on the handling of personal data that reflect the right to privacy. Most recently there have been several laws relating to communications privacy. The Telecommunications Carriers Data Protection Ordinance of 1996, revised in 2000, protects privacy of telecommunications information.[1212]

The Information and Communication Services (Multimedia) Act of 1997 sets protections for information used in computer networks.[1213] Despite these statutory protections, a September 2001 poll revealed that two of every five German PC owners over the age of fourteen do not use the Internet because of data security concerns.[1214] The Act also sets out the legal requirements for digital signatures, which were made legally binding by legislation passed in 2001 to conform to the EU Directive on a Community framework for electronic signatures (1999/93/EC).[1215] In January 2002, the German government announced plans to provide, within three years, more than 200,000 federal employees with the ability to sign electronic documents with chip cards containing encrypted keys. Such signatures would hold the same legal weight as handwritten signatures on paper documents.[1216]

Additionally, there are some privacy issues addressed by laws covering other areas. For example, it is an offense under Section 1 of the German Unfair Competition Act to send unsolicited commercial communications (spam) in Germany. This effectively means that sending direct marketing e-mail without the consumer's consent is illegal under German law, as the e-mail would be regarded as unsolicited.[1217] Despite these legal protections, a June 2002 study conducted by the German Electronic Commerce Forum revealed that spam is considered a significant problem by German consumers.[1218]

In 1996, the Berlin Data Protection Commissioner reached an agreement with German Railway and a US bank (Citibank), which were planning to issue combined Railway and Visa cards. As all the processing of information would have taken place in the US, the Berlin Data Protection Commissioner invoked the EU Data Protection Directive's prohibition on transborder flows of data to stop the deal. The transaction was allowed to go through once German Railway and Citibank signed a contract guaranteeing German citizens the same protection for their personal information in the US as they enjoyed in Germany.[1219] The agreement was an important precursor for transborder data flows to the US and other countries without privacy laws.[1220]

In May 2002, Germany's Minister of Health, Data Protection Commissioner, and healthcare organizations announced plans for the development of an electronic universal healthcare card. The proposed card will contain, among other data, a patient's identification and emergency healthcare information. Patients will be able to use the card to fill prescriptions and disclose healthcare information to physicians on a voluntary basis.[1221] The card will likely be implemented in 2006.[1222]

In June 2001, the German Ministry of the Economy and Labor presented a software prototype that would let consumers make anonymous Internet purchases and payments. The software was scheduled for general availability for testing in 2002. This is part of a project called Data Protection in Teleservices (DASIT), the goal of which is to develop software that can accommodate data privacy law requirements. The Ministry of the Economy and Labor announced that seventy-nine percent of online shops fail to adequately inform customers about their data privacy rights, and that eighty-four percent of Germans have privacy concerns about surfing the web. The program meets the quality criteria for Internet data privacy protection and the Teleservices Data Privacy Law.[1223]

There is currently no general Freedom of Information (FOI) act in Germany. On September 26, 2001, the Federal Government presented the design for a FOI law (Informationsfreiheitsgesetz, or IFG). The law, which was supposed to be modeled after the US Freedom of Information Act, would have allowed citizens to request access to basically all information on federal authorities. In 2002, however, the Bundestag elected not to enact the proposed law.[1224] The IFG is supposed to be reintroduced through 2006.[1225] Some Länder already have their own FOI laws in effect. The Land of Brandenburg adopted a FOI law in 1998 to allow citizen access to government records.[1226] The Information and Data Protection Commissioner enforces the act. More recently, Berlin, Schleswig-Holstein, and Nordrhein-Westfalen[1227] have also adopted FOI laws.

Since 1990, a law[1228] has allowed access to the files of the Stasi, the security service of former East Germany, for individuals and researchers. The law created a Federal Commission for the Records of the State Security Services of the former German Democratic Republic (formerly the Gauck Authority), which has a staff of 3,000 piecing together shredded documents and making files available.[1229] There have been 1.6 million requests from individuals for access to the files and 2.7 million requests for background checks since the archives became available.[1230] Many of the files were destroyed in 1989, but in 1990, the US Central Intelligence Agency was able to obtain the names, aliases and payment histories of 4,000 spies who worked in various countries for the Stasi or informers from the Soviet Union. The US Government refused to give the files to the German government until December 1999, claiming that it would harm the people in the files.[1231] In May 2000, files about former Chancellor Helmut Kohl's telephone calls were found to be missing from the archives when they were going to be used to investigate corruption. The Stasi had conducted extensive wiretapping of Kohl for years.[1232] In late 2000, Kohl's lawyers launched legal action to prevent the publication of transcripts of his telephone conversations recorded by the Stasi. The government wanted to release those it believed were of historical interest, but Kohl's lawyers argued that the information was gathered illegally.[1233] In July 2001, the Federal Administrative Court ruled that no information collected by the Stasi about Kohl could be disclosed to researchers or the media without Kohl's express consent.[1234]

Germany enacted several provisions intended to deter terrorist activity after the September 2001 attacks in the US. The Counterterrorism Act, which took effect in January 2002, comprehensively changed several existing laws. Among the most prominent revisions are those that create legal bases for biometric identification in passports and identity cards; make it easier for authorities to share information; allow the BND to request user information from ISPs, airlines, and travel agencies; and create a speech framework database to make possible speech recognition of asylum seekers.[1235] In February 2002, the Interior Ministry announced that its counterterrorist efforts would include encrypted biometric identification cards for all citizens, as well as fingerprinting and face recognition technologies.[1236] However, biometric identification cards have not yet been introduced. The Federal Ministry is searching for a common approach at the EU level. The data protection authorities (DPAs) do not oppose their use in general. Nevertheless, the DPAs stress that the following criteria must be met: 1. the Ministry must ensure that biometric data will not be used to gain other information about additional personal attributes; 2. persons must know which of their biometric data will be stored and used; 3. biometric data should be used only for the purpose of identification; 4. quick mechanisms to secure accuracy must be developed in order to prevent any discrimination.[1237] Citizens have challenged several of the tactics used by German law enforcement to uncover terrorist suspects. By February 2002, courts in Berlin and Frankfurt had upheld objections to the use of "computerized searches of government records" (or Rasterfahndung) to profile terrorist suspects based partly on religious identification.[1238] However, the Federal DPA points out that all data of persons not related to terrorist activities have to be deleted immediately and new evaluations have to be carried out to test its efficiency.[1239] Despite concerns raised by the public, Germany submitted in April 2002 to the EU a proposal to make it possible to conduct investigations using this surveillance tool (Rasterfahndung) throughout the Union to help combat terrorism.[1240]

In 2002, Germany decided to install a new system to electronically collect tolls for trucks using the national highways. The system tracks vehicles through GPS (Global Positioning System) and cellular phone networks. Following a common position of the DPAs in 2001,[1241] the Federal government implemented special data protection measures in the laws governing toll systems: data collection and processing is limited to the purpose of billing; all data must be deleted after payment; and all data collected from vehicles that are not subject to a toll must be deleted immediately.[1242]

Germany also implemented in the Criminal Code (StPO) the possibility of using a so-called IMSI-Catcher system to track individuals through the location of their cell phones. The bill, which entered into force on August 14, 2002, gives law enforcement the ability to obtain, upon court approval and from the time their request is granted, the data of individuals' movements and their cell phone device number (IMEI number) for a period of up to 6 months.[1243]

The Ministry of Economy and Technology has released a draft bill that requires telecommunication service providers to collect the name, address, date of birth and telephone numbers of their clients. Clients would also be obligated to show their personal identification cards (PIC) when applying for a service, and the PIC number would also be stored. The purpose of the bill is to enable law enforcement to track users of so-called "prepaid cards" (cards that do not require a contract). The DPAs strongly opposed this bill at a conference held in May 2002.[1244]

The revision of the credit sector of the economy imposes rules for banks to disclose client data to the Federal Institution for the Supervision of the Credit Economy (FISCE).[1245] The FISCE will store data about all owners of bank accounts or depots and is required to transfer them to other public agencies upon request. Banks also have to run special surveillance programs to detect suspicious money transfers. In a recent statement, the data protection commissioners urged banks to inform their clients in writing and obtain a written consent.[1246]

The DPAs also stress that new opportunities to test human genetic code (DNA) for different purposes must be regulated in order to prevent misuse of genetic data. The commissioners point out that no one should be forced to take any genetic tests. They also require that the use of data gained through genetic tests not legally approved and without explicit consent of the concerned person should be criminalized.[1247]

In May 2003 the German retail giant Metro started a project to introduce a new checkout and customer convenience program with small chips, called Radio Frequency Identification chips (RFID chips). The chips will be attached to all products. When queried by a radio device, RFID chips respond by transmitting a unique ID code. This allows customers to pay and check out automatically by pushing a loaded trolley past a sensor. Combined with an automatically readable customer card, the system would allow the tracking of all purchases and their linking to the customer's identity.[1248]

Germany is a member of the Council of Europe and has signed and ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108)[1249] and later signed an Additional Protocol to this convention.[1250] It has also signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms.[1251] In November 2002 Germany signed the Convention on Cybercrime.[1252] It is a member of the Organization for Economic Cooperation and Development and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.