Data Safety Data Privacy Made in Germany

Data privacy
Data privacy | Photo (detail): © momius - Fotolia.com

Data privacy protection laws are stricter in Germany than anywhere else. While scoffed at in the US, this attitude could be decisive for urgently needed reforms.

Nazis, the discussion always comes round straightaway to the Nazis, observes Austrian lawyer and net activist Max Schrems in the June 2014 issue of the German weekly Der Spiegel. In a case that has only recently gained notoriety, Schrems has been battling Facebook in the courts for years, accusing the social networking service of a lack of transparency in its handling of users’ personal information. Lately he’s been getting lots of calls, even from US journalists: the first thing they always want to know is why Europeans are so terribly anxious about their data. Might that have something to do with the trauma of National Socialism?

To Schrems, who does not see himself as a victim of any historical trauma or as a technophobe, this is rather screwy logic. As he told Der Spiegel: “Just because I’d generally rather cross the street knowing there are traffic rules doesn’t automatically mean I’m opposed to private transport.” However, when one delves into the origins of a European tradition of privacy protection often derided overseas as a symptom of typical “German fear”, one does discover points of contact with the dark sides of German history.

Deep-seated fear of data abuse

The German and European tradition of data protection has been marked from the outset by past experience of foreign occupation, dictatorship and surveillance in many parts of Europe. Beginning with the 1960s civil rights movements in the US, people began wondering how to protect themselves against the misuse of their personal data. While US legislation viewed the problem chiefly in terms of the risk of government overreach and therefore armed citizens with a shield to ward off the prying eyes of the state, it was in Europe and particularly in Germany that the concept of privacy protection evolved as a government responsibility, encompassing all data processing and the consequences thereof for the individual and society as a whole.

Data protection as a basic right

The processing of any and all personal data, as German common sense in particular now sees it, can have the gravest consequences for the person concerned under certain circumstances. It was, after all, the registers of residents and punch card systems that enabled the Nazi regime to carry out their genocide with such notoriously cruel efficiency. Europeans also recalled the constraints on individuals’ civil liberties imposed by data-gathering totalitarian regimes in countries like East Germany, for example.

In line with this prevailing sentiment, the German Constitutional Court in its 1983 census decision posited a “fundamental right to informational self-determination” and based data protection not on the secrecy of telecommunications or the protection of private property, but directly on articles 1 and 2 of the Grundgesetz (“Basic Law”), West Germany’s constitution. Ever since then, data protection in Germany has been an expression of the most important principle of our constitution: human dignity and our fundamental right to the protection of individual personality.

Lobbying war in Brussels

But what exactly does all this mean for the current debate? Passing data protection legislation based on the German model has probably never made more sense than it does today, as evidenced by the mass surveillance affair disclosed by whistleblower Edward Snowden. And yet the parameters have shifted in the meantime. The scope of data protection has long since gone beyond national boundaries. So in case of a legal dispute, German law will be of no avail to German citizens who have entrusted personal information to Facebook or Google. These companies have cannily domiciled their European head offices in Ireland, a country with extremely lax data protection laws. An EU data protection directive has been in force since 1995, but it does not have to be uniformly implemented by every member state.

A newly proposed EU data protection regulation currently being thrashed out in Brussels is intended to remedy this deplorable state of affairs and to lay down for the first time a uniform Europe-wide data protection law modelled on Germany’s high standards: individuals will then be allowed to object to the processing of their personal data and to targeted* advertising. They will also be entitled to have their personal data corrected or deleted. They are at all times entitled to demand information and must be notified and asked for their prior consent before the processing of any data exceeding the purpose of the actual service the company provides.

But a lobbying war is still being waged in Brussels. American companies in particular are trying to bring massive influence to bear. The law is expected to take effect before 2015. Even in the German government, however, there is no clear-cut consensus on whether it makes sense at all to cleave to high standards of data protection in view of the current situation. After all, data collection has long since become an economic factor, which in turn makes data protection a potential drag on economic growth.

Looking for a new narrative

This is why representatives of German IT associations are often pleased to point out that many IT companies feel the current data protection legislation is outdated. We now have a situation in Germany, according to Susanne Dehmel, data protection expert at the Bitkom high-tech association, in which there is tough legislation, to be sure, but it’s rather weakly implemented: “Some say that’s the only corrective for the current data protection law to work at all in Germany.” Quite the opposite of the US, she adds, where the existing legislation protects individuals less effectively in theory than the German model, but is far more rigorously enforced in practice.

The fact is that the sensibility to data protection issues is not very highly developed here in Germany either, despite our high standards and the clichés about fearful Germans. Given the widespread appeal of the American viewpoint, which sees in the disclosure of information benefits above all for users themselves, here in Germany we need to keep making an effort to heighten awareness of the risks involved. “It’s not (yet) clear how we are changing, how we don’t write down our thoughts anymore because we’re censoring ourselves and at some point don’t even think them anymore,” writes Steffen Wenzel, secretary of the Politik-Digital association, in a recent commentary.
The German tradition of data protection could play a leading role here. “I also see a trend of other countries coming round to thinking it over. They’re finding that what they deride as German fear is actually sensible, that they need to give it some thought,” says German net activist padeluun.