Data privacy laws
July 16, 2010In recent months, various government officials across Germany have investigated possible privacy violations committed by tech companies including Google and Facebook. Street View, which Google would like to bring to Germany, is a worldwide service that provides detailed, street-level photographs of various cities. It is currently available in many parts of the United States, United Kingdom, France and other countries but various German ministers have complained about Google's lack of transparency with their data collection policy, which has led to a delay in the rollout of the service. Similarly, Facebook has undergone similar scrutiny for being non-compliant with German privacy laws. Just last month, Germany's consumer protection minister, Ilse Aigner, said that she would quit Facebook over her frustration with the company's attitude. Deutsche Welle spoke with Dominik Boecker, an IT lawyer with Greyhills Rechtsanwaelte in Cologne, to learn more about the historical context of these recent government actions.
Deutsche Welle: Where do we get these privacy protection laws in Germany – where do they come from?
Dominik Boecker: The history of privacy protection laws in Germany is quite old. Historically seen, the Nazis and the Third Reich had lists of people that they thought of as being Jewish. And therefore the Germans were very sensitive or very careful about lists that were made by the federal state. The oldest privacy and data protection law is from 1970. It's the law of the state Hessen. Hessen's law is the oldest data protection law in the world. All the other states of Germany filed laws until the 1990s when Eastern Germany became part of the Federal Republic.
Was it immediately after the reconstruction of Germany that there was starting to be some thinking about these laws? You said that the state of Hessen didn't have a law until 1970 and that's obviously 25 years after the end of the war. So was there anything that happened during that period?
There was some kind of data protection by common laws, like the right to be left alone, and privacy issues were handled without explicit legal rules. The courts took the privacy issue into the rights of the person and when it became obvious that that wasn't enough, then the specialized laws were made. So the data protection didn't start in the 70s, but started earlier, but it became obvious that an explicit law had to be made.
So what would be an example of what this law was protecting against?
For example, if the city of Cologne thinks about adding information about their inhabitants and the religion they belong to. Then, there has to be a law allowing the city to collect this data.
To explicitly allow the collection of that type of data?
Exactly. It has to be explicitly allowed to collect that kind of data. If there is no law, only if the person is wiling to give away this information for free.
It seems like one of the results of the over-collection of data and abuse of data in Germany, particularly by the Third Reich and maybe later on by the Stasi, is that the default has been that collecting less data is better. Or that in order to use the data that you do collect, or to collect at all that you need explicit, opt-in, permission?
That was the intention of the law, that those data can only be collected legally if there's a law allowing this or if the person says it's ok if you collect my data.
Would you say that what's going on now with Google, can be tied back to this explicit thing, and that's why Germany has this problem with Google going around taking pictures of people's houses? They're not giving their explicit permission to do it?
That's one part and one legal argument in the case against Google that might or might not be filed.
Of the privacy and data protection laws that we have now, we talked about how those were a response to what happened now 60 years ago. But that was 60 years ago. Do you think that the laws are appropriate?
I really do think and I do believe that those laws were appropriate. One of the big problems and one of the strange things happening is that you need a law to collect the data or you need the person's permission. If you have the person's permission you can nearly do everything you like with the data as long as you inform them beforehand what you're going to be doing with this data.
As a private company, if you go to people on the street and ask them private questions and tell them that you're going to be anonymizing the data and the people give their permission to do that, then that's fine. But the problem is that not every German person, especially pupils, are particularly fluent in English. The language of the Internet is English and if someone wants to be in Facebook, he has to comply with the rules Facebook dictates. Facebook, and not only Facebook, but other media companies have very very lax restrictions in consideration of privacy protection. And that's a problem between the German law and the US private companies that are acting in Germany. That's unsolved and I'm not sure how it can be solved, making a profit for the companies and protecting the data.
So the law is out of date?
It's quite out of date. It's became more international. US firms are selling their goods and services in Germany. Spanish firms are selling their goods and services in Germany. There has to be a harmonization in Europe and more importantly preferably worldwide to get a minimum of consensus on data protection.
Author: Cyrus Farivar
Editor: Mark Mattox