German state has too much access to online data: top court
July 17, 2020Germany's top court on Friday ruled that police and intelligence officials have excessive access to personal data on mobile phone and internet users, a decision that will have far-reaching consequences in the fight against crime.
The Constitutional Court in Karlsruhe ruled that several regulations that allowed access to so-called "inventory data," which includes internet and mobile users' names and birth dates, were unconstitutional.
In a press release on its website, the court said that current law violates users' "fundamental rights to informational self-determination and to the protection of telecommunications secrecy."
The court said that while accessing such data is generally permissible under German constitutional law, "transmission and retrieval regulations must sufficiently limit the purposes for which the data is used."
Lack of 'concrete danger'
"The Senate has made it clear that the general powers to transmit and retrieve inventory data...generally require a concrete danger present in the individual case and an initial suspicion for criminal prosecution," it said.
In the eyes of the court, authorities had been allowed to access data for causes that did not meet the threshold of legal interest.
The ruling means that Germany's Telecommunications Act and several other laws will need to be revised.
Read more: EU court overturns US data transfer agreement in Facebook privacy case
Data used to prevent terrorist attacks
The current law allows Germany's federal police to query personal data during criminal investigations, though they are limited from accessing data showing connections with other users.
Investigators are also permitted to request further data from telephone and telecommunication companies as well as from hospitals and hotels. Law enforcement authorities use private data to solve crimes and prevent acts of terror.
The Constitutional Court had largely upheld the practice in a ruling in 2012. Judges determined that the increasing importance of electronic communication meant law enforcement required the "simplest possible method for tracing telephone numbers to individuals."
However, they also ruled that an existing telecommunications act was too liberal in the access it permitted, prompting revisions.
Read more: Germany's data chief tells ministries WhatsApp is a no-go
Privacy activists push back
Friday's ruling was in response to two lawsuits that had sought to limit data access to serious crimes only.
In one of the complaints, plaintiffs argued that the current telecommunications act gave police even easier access to personal data and on a larger scale. Investigators could, for example, often circumvent the need for a judge's approval in accessing e-mail account passwords or the PIN numbers of mobile phones.
Every Internet user can also be identified by name at any time using the IP address.
The suit, brought by over 6,000 plaintiffs, was filed in 2013 by the current European Pirate Party politician Patrick Breyer and former party colleague Katharina Nocun. The Pirate Party champions Internet and data protection rights.
Germany's data protection commission had also expressed disapproval at allowing access to such information in the case of administrative offenses or more abstract threats.
Read more: EasyJet passengers targeted by 'sophisticated' hacking
Influence in fight against online hate speech
The ruling is likely to influence the application of a new law in Germany that aims to combat right-wing extremism and hate crime on the Internet, .
The measure will require social networks such as Facebook and Twitter to disclose IP addresses to identify users who post neo-Nazi propaganda, incite people to violence, or make threats of murder or rape.
In serious cases such as terrorism and homicides, a judge's decision will also allow access to passwords.
kp/mm(AFP, dpa, Reuters)