Privacy in Germany 2008: A new fundamental right, a privacy mass movement, and the usual surveillance suspects

This is an article I wrote together with Annika Kremer from the German Working Group on Data Retention for today's EDRi-Gram. This issue has a special focus on privacy developments all across Europe, because today is international data protection day. Some links on further details can be found in the original version.

The year of 2008 can be marked as the year where privacy moved high on the public agenda in Germany. On 1st of January, the law on data retention went into effect, which made Germany drop from number one to seven in the country ranking published by Privacy International. At the same day, a constitutional challenge was submitted at the supreme court. The German working group on data retention and its allies managed to have more than 34,000 people participate in this case - the largest constitutional complaint ever seen in German history. The paperwork had to be brought to the constitutional court in huge moving boxes, which also offered a nice photo opportunity for everyone wanting to demonstrate how many people oppose data retention.

In February we saw the constitutional court decision on secret online searches of peoples' hard drives (the "federal trojan"). The court limited the use of this tool for cases where there are "factual indications of a concrete danger" in a specific case for the life, body and freedom of persons or for the foundations of the state or the existence of humans, government agencies may use these measures after approval by a judge. The decision was widely considered a landmark ruling, because it also constituted a new "basic right to the confidentiality and integrity of information-technological systems" as part of the general personality rights in the German constitution.

In March, the Chaos Computer Club published the fingerprint of the federal minister for the interior, Wolfgang Schäuble. This sparked high public attention and made frontpage news, and proved that biometric athentication as introduced in the German passport and identity card is not safe at all. Inspired by the recent successes, the growing number of privacy activists held a de-central action day in May. Different kinds of activities, like demonstrations, flash mobs, information booths, privacy parties, workshops, and cultural activities took place in all over Germany.

Over the summer, some of the biggest German companies helped in raising public awareness of the risks of large data collections. Almost every week, there were reports on a big supermarket chain spying on its employees, on cd-roms with tens of thousands of customer data sets from call centers - including bank account numbers - being sold on the grey market, on the largest German telecommunications provider using retained traffic data for spying on its supervisory board and on high-ranking union members, on an airline using its booking system to spy on critical journalists, on two large universities accidentially making all student data available online, or on a big mobile phone provider "losing" 17 million customer data sets.

The Federal Government, under building public pressure, introduced some small changes for the federal data protection law, but at the same time continued its push for more surveillance measures in the hands of the federal criminal agency (Bundeskriminalamt, BKA). These included the secret online searches the constitutional court had just cut down to very exceptional circumstances a few months earlier. The German public discussed these moves very critically, especially since journalists are exempted from special protections that are given to priests, criminal defense lawyers, and doctors.

Because of the public concern and debate about privacy risks, the call to another mass street protest was even more successful than ever before. The "Freedom not Fear"action day on 11th October was the biggest privacy event of the year. In Berlin, between 50,000 and 70,000 persons protested peacefully against data retention and other forms of "surveillance mania", making it the biggest privacy demonstration in German history. Privacy activists in many cities all over the world participated with very diverse and creative kinds of activities and turned this day into the first international action day "Freedom not Fear".

The anti-surveillance protests finally kicked off some serious discussion within the Social Democratic Party in a number of the German länder (states). This resulted in a loss of the majority for the law on the federal criminal agency (BKA) in the second chamber (Bundesrat) in the first vote. It only was passed weeks later, after some changes were introduced, and with heavy pressure from leading federal Social Democrats. The new law is still seen as unconstitutional by many legal and privacy experts and in January 2009 a case was submitted to the constitutional court.

Privacy activists in the fall of 2008 also campaigned against the retention on flight passenger name records, forcing Brigitte Zypries, the German minister of justice, to freeze her plans on the matter until after the federal elections in the fall of 2009. More recently, the working group on data retention attacked the "voluntary data retention" proposed in the EU telecom package, as well as the renewed data exchange agreements between the EU and the USA.