German balancing act between cyber-safety and cyber-freedom
October 2015 | EXPERT BRIEFING | RISK MANAGEMENT
The European Union and Germany in particular have a long history and well implemented tradition of data privacy and the right to personal freedom. German data protection laws are strict and governmental rights to observe people in their real lives, as well as in cyberspace, are limited. However, on the other hand, cyber attacks on companies and individuals are becoming much more prevalent. Hacking attempts and fraudulent schemes are increasing both in quality and quantity. The current discussions and legal developments mirror the required, but difficult, balancing act between safety and freedom in cyberspace.
Current legal setting against cyber crime
Cyber crime is neither sharply defined nor a secluded area. The likelihood of being impacted by criminal activity online is rising exponentially. Some activities are specifically targeting online data, for example core hacking activities against websites, so called ‘phishing’ for online passwords via faked emails, and Trojan horses for taking over foreign networks. Other activities are more ‘traditional’ but utilise modern cyber facilities as they provide the means and opportunities to strike.
When the digital era began in the 1980s and the internet began to truly develop in the mid 1990s, no government could have foreseen the massive impact the new developments would go on to have in day to day life, or on the legal community. Hence, no country implemented a new legal regime to face up to these new digital challenges. Instead, investigative authorities and judges tried hard to get new problems covered by old laws. Legislative bodies were only forced to amend, or more often repair, existing legal rules on a point by point basis should these attempts prove unsuccessful.
Germany, increasingly influenced by the European Union, now provides for a wide mixture of laws that either jointly cover both situations – the old offline and the new online world – or specifically focuses on digital matters. The fraud provision, Sec. 263 of the Strafgesetzbuch (German Criminal Code), established in 1871, as well as the anti-pornography rules of Sec. 184 et. Seqq of the Strafgesetzbuch, to name two examples, still are effective pieces of legislation.
On the other hand, in 1986 the German legislator identified the first real loopholes in the criminal law provisions for the safety of electronic data and communication. The reaction was the implementation of completely new provisions into the core criminal law. Sec. 202a et seqq and 303a et seqq of the Strafgesetzbuch protects data and communication against misuse, hacking and sabotage. These core criminal law provisions are undergoing monitoring and were subject to many amendments, the last major change was introduced in 2007. Copyright protection, so far going back to the 1907 enacted Kunsturhebergesetz (Art Copyright Act) and Sec. 106 et seqq of the Urheberrechtsgesetz (Copyright Act) of 1965 received a boost in 2002, when the EU directive of 22 May 2001 on the harmonisation of certain aspects of copyright and related rights in the information society was due for implementation into national law for protection against the circumvention of digital right management systems and other technical protection measures. Since then, copyright law and ‘digital directives’ followed and received a further readjustment.
In summary, German material law provides sufficient measures to cover and handle all kinds of digital crime challenges.
Pressuring concerns of the praxis in light of data privacy
However, the day-to-day-problem faced by German investigative authorities is much less a lack of criminal law statutes, but rather relates to the difficulties they experience getting their hands on offenders. Whereas the powers and authorisation of prosecutors and police investigators – still within the European Union, partly even within the states of Germany – are limited to their home territory, criminal offenders could, however, be anywhere given the internet’s anonymity and potential for concealment. Investigators are therefore constantly demanding more powers allowing them to observe, monitor and trace digital communications.
This obvious, and to a certain extent persuasive demand, however, quickly comes into conflict with the fundamental understanding of freedom and data privacy of the German citizens. In the 1970s some German Bundesländer (federal states) were the first legislators worldwide to enact Data Protection statutes. A federal Bundesdatenschutzgesetz (German Data Privacy Act) became effective as far back as 1977. These early developments, together with a significant decision of the Bundesverfassungsgericht (German Constitutional Court) in 1983 establishing the human right to data privacy, resulted in even stricter data protection regulations, which symbolises and illustrates the significance of data privacy in German hearts and minds. Accordingly, a police state and surveillance society with police and secret services granted almost unlimited powers and no transparency, which may be accepted in other highly developed countries, are not options for Germany and the majority of other central European countries.
A short history of German and EU data retention period act for telecommunication
One major and effective tool for tracing and prosecuting digital offenders is the surveillance of telecommunication – in particular, the requesting of stored communication data from telecommunication service providers, e.g., call and connection data like IP addresses, email-headers and dial-in logs.
Discussions and developments regarding the retention period provisions for connection data is symbolic of the balancing act between the needs of investigators and acceptable limits in both German society and the country’s legal system.
EU Directive 2006/24/EC of 15 March 2006 on “the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC” required Member States to ensure that communications providers retain certain connection and location data for a period of between six months and two years. This Directive was implemented by the German Bundestag in 2008 with the minimum retention period of six months. On 2 March 2010, the Bundesverfassungsgericht (German Constitutional Court) ruled the law unconstitutional because even the minimum retention period violates the fundamental right of the secrecy of correspondence in Article 10 I of the Grundgesetz (German Constitution). The Court of Justice of the European Union followed suit on 14 April 2014, declaring the Directive invalid for violating fundamental European rights.
Although it was required by EU law, a compromise for a new law that would implement the EU Directive between the two then ruling German government parties could not be reached in the time between the invalidation of the respective regulations.
Another approach has now been made under the current grand coalition, introducing a draft bill “for a duty to save telecommunications data and a maximum retention period for telecommunications data” to the Bundestag. The draft provides inter alia for a retention period of 10 weeks, and four weeks in the case of location data. Furthermore, the opportunity of the legislative initiative was used to suggest a new Sec. 202d to be implemented into the core criminal law provisions of the Strafgesetzbuch, criminalising the handling of stolen data.
So far, the German legal system has been able to materially manage the pressing problems of cyber crime. However, as the German data privacy and right to personal freedom legal regime is one of the strictest worldwide, the trade-off between security and freedom in cyberspace has to be adjusted carefully on an ongoing basis.
Daniel Gutman is partner at Knierim | Huber Rechtsanwälte. He can be contacted on + 49 (0) 30 887 28 39 0 or by email: email@example.com.
© Financier Worldwide
Knierim | Huber Rechtsanwälte