
I. Legal framework

Constitutional Privacy and Data Protection Framework

Article 10 of the Basic Law (or Grundgesetz, the German Constitution) states: "(1) Privacy of letters, posts, and telecommunications shall be inviolable. (2) Restrictions may only be ordered pursuant to a statute.[1] Where a restriction serves to protect the free democratic basic order or the existence or security of the Federation, the statute may stipulate that the person affected shall not be informed of such restriction and that recourse to the courts shall be replaced by a review of the case by bodies and auxiliary bodies appointed by Parliament."

In a 1983 case against a government census law, the Federal Constitutional Court formally acknowledged an individual's "right of informational self-determination," which is only limited by the "predominant public interest." The central part of the verdict stated, "Who can not certainly overlook which information related to him or her is known to certain segments of his social environment, and who is not able to assess to a certain degree the knowledge of his potential communication partners, can be essentially hindered in his capability to plan and to decide. The right of informational self-determination stands against a societal order and its underlying legal order in which citizens could not know any longer who what and when in what situations knows about them."[2] This landmark court decision derived the "right of informational self-determination" directly from Articles 1(1) and 2(1) of the Basic Law, which declare that personal rights (Persönlichkeitsrecht) to freedom are inviolable. Attempts to amend the Basic Law to include a right to data protection were discussed after reunification, when the Constitution was revised, and were successfully opposed by the then-conservative political majority.

Privacy and Data Protection Laws and Regulations

Comprehensive law

Germany has one of the strictest data protection laws in the European Union. The world's first data protection law was passed in the German Land of Hessen in 1970. In 1977, a Federal Data Protection Act (Bundesdatenschutzgesetz or BDSG) followed, which was reviewed in 1990 and amended in 1994 and 1997. The major revision in 2001 was used to adjust the BDSG to the EC Data Protection Directive.[3] Some more revisions took place in 2006 and 2009. The general purpose of this Act is to protect the individual against his right to privacy being impaired through the handling of his personal data. The Act covers collection, processing and use of personal data by public federal authorities and state administrations (as long as there is no state regulation and insofar as they apply federal laws), and by private bodies, if they rely on data-processing systems or non-automated filing systems for commercial or professional use. The majority of federal statutes that have an impact on personal information and privacy contain references to the BDSG if they do not carry special sections on the handling of personal data themselves.

The 2001 revisions to the BDSG include regulations on personal data transfers abroad, video surveillance, anonymisation and pseudonymisation, smart cards, and sensitive data collection (relating to race or ethnic origin, political opinions, religious or philosophical convictions, union membership, health, and sexual orientation). It grants data subjects greater rights of objection. It also states that, apart from public bodies, private companies are now also required to appoint a data protection officer if they collect, process, or use personal information. Without this responsible person, each introduction of automated data processing must be registered with the Federal Commissioner for Data Protection and Freedom of Information (BfDI). The BDSG also provides that consent from the individual whose data is collected is required after full disclosure of data collection and its consequences.

A general revision of the BDSG had been considered for 2005.[4] Although an expert report on the modernization of the data protection law was published in 2001, there was no visible legislative progress for a long time.[5] This reputable report recommends reducing the number of laws governing specific details of privacy protections and creating one general statute, which would only refer to more detailed regulations where necessary.[6] An ideal statute would provide general rules about the use of privacy-friendly techniques, data security, privacy standards, control of data processing, and self-regulation tools.[7] On 17 February 2005, the German Parliament called upon the government to swiftly submit a draft for a Federal Data Protection Act incorporating these recommendations.[8] The German Parliament (Bundestag) renewed its request for secondary legislation on auditing requirements.[9]

Only minor modifications regarding the requirements for in-house data protection officers were implemented in 2006. The threshold number of employees that would trigger a company data protection officer was raised from four to nine. This change has a significant impact, because many small companies that were previously encouraged to have a privacy officer are no longer enticed by statute to have one. Further reforms were adopted in 2009 by the Cabinet of Ministers and the Parliament, mainly regarding the use of credit scoring systems, data processing on behalf of a data controller by a data processor, the data subject's right of access to credit databases, and the duty of companies to notify them or the public in case of a massive data loss.[10]

Due to several data breaches committed by discount retailers,[11] a call to reform the Employee Data Protection Rules has been discussed since 2008. A first article (§ 32, Beschäftigtendatenschutz, Employee Data Protection Rules) was added to the BDSG in 2009. This article, however, only incorporated applicable case law, so that there are only minor changes to how employees' personal data is to be dealt with. A more detailed draft of the Employee Data Protection Rules was adopted in August 2010 by the Cabinet of Ministers, but the Parliament has not adopted it yet.[12]

Sector-based laws

All of the 16 states (Bundesländer) have their own specific data protection regulations that cover the public sector of the state administrations as well as the communal administration of each state. All states have adopted new data protection laws pursuant to the EC Data Protection Directive.[13] Each state also has a data protection commissioner to enforce the state data protection acts.[14] It falls within the competence of the state supervisory authorities for the non-public sector[15] to supervise the compliance of the non-public sector with the Federal Data Protection Act. The federal and state data protection officers as well as the supervisory authorities for the non-public sector hold conferences on a regular basis to exchange information and issue common statements.[16]

Data Protection Authority

The Federal Commissioner for Data Protection and Freedom of Information (Bundesbeauftragter für den Datenschutz und die Informationsfreiheit, or BfDI) is an independent federal agency that supervises the Federal Data Protection Act (BDSG) as well as the Federal Freedom of Information Act.[17] Its chief duties include monitoring the compliance with the provisions of the BDSG by public bodies of the Federation as well as providers of telecommunications and postal services, receiving and investigating complaints, as well as submitting recommendations to parliament and other governmental bodies. The BfDI publishes a biannual activity report.[18] However, the number of controllers is steadily decreasing as federal agencies, in compliance with the 2001 changes to the Act, appoint in-house data protection officers, as an alternative to registration under the Act.[19] The BfDI, which has 70 people on staff,[20] handles about 5,516 written and oral complaints (an increase of 28 percent) and carries out approximately 75 investigations each year.[21]

Major Privacy Case Law

In March 2004, the Federal Constitutional Court ruled[22] that significant portions of the Eavesdropping Law infringed the Constitution, or Basic Law, especially Article 1 on human dignity and Article 13 on the inviolability of private homes.[23] The court held that certain communications are protected by an absolute area of intimacy wherein citizens can communicate privately without fear of government surveillance.[24] The German legislature was granted a transitional period until June 2005 to comply with the court's decision, and in May 2005 the German Bundestag passed new legislation to comply with the court decision.[25]

(See more details under the "Wiretapping, access to, and interception of communications" section.)

In February 2008, in a landmark decision, the Federal Constitutional Court declared unconstitutional provisions of the North-Rhine Westphalia Law on the domestic intelligence service that allowed for secret online searches of private computers.[26] The Court interpreted the Basic Law (Articles 1 (1) and 2 (1)) as containing a fundamental right for every citizen to have the integrity and confidentiality of systems of information technology guaranteed by the state. The decision is considered to be the most important on privacy issues since the census decision of 1983.

(See more details under the "Wiretapping, access to, and interception of communications" section.)

After 34,000 people filed a case before the Federal Constitutional Court against the implementation of the EU Data Retention Directive (2006/24) into German law,[27] the Court issued a preliminary ruling on 11 March 2008 suspending the provisions of a new law that go beyond the Data Retention Directive.[28] A decision on the merits of the case, in particular on the constitutionality of data retention, did not occur until 2nd March 2010, when the Federal Constitutional Court declared the data retention unconstitutional and the relevant section of the Telecommunications Act void.[29]

(See more details under the "Data retention" section.)

The Federal Constitutional Court has ruled that the police may use GPS technology to track suspects driving motor vehicles in cases of serious crimes even without a judicial warrant.[30] However, the Court stressed that Parliament had to monitor the fast technological developments in this field and may have to correct laws if the risks for fundamental rights caused by technical surveillance increase.

(See more details under the "Location privacy" section.)

The Federal Constitutional Court ruled that laws allowing police to indiscriminately scan automobile license plates using electronic surveillance devices, and match them against databases kept by law enforcement and state officials, were unconstitutional.[31] This does not completely foreclose automatic number plate data recognition, which would still be possible under narrowly described circumstances.

(See more details under the "Video surveillance" section.)

Footnotes