Germany focuses on data protection and privacy

Americans may be tempted to think of EU data protection and privacy laws as being an obstacle deliberately placed in the way of conscientious US lawyers who are merely trying to do their job. That reaction is unsurprising, since that is the context in which they come across a set of laws which are remote from their domestic experience. It may help if I point you to four recent articles about Germany, only one of which has a direct connection with electronic discovery. The others may serve to provide a context.

The first is a ruling by the European Court of Justice on 9 March in which the court criticised the structure of the German data protection authorities and their relationship between each other. I came across it in the Privacy and Information Security Law blog published by the Brussels office of Hunton & Williams with the title European Court of Justice rules on German DPA system. It is not important for my purposes either for me to summarise the article or, necessarily, for you to understand the details. My point is served by drawing attention to the fact that data protection compliance involves more than a single set of rules. It may all derive from EU Data Protection Directive 95/46/EC, but each member state has its own laws under the Directive.

Furthermore, as the article makes clear, there is a distinction in Germany between public and non-public bodies, and different tiers of supervision and control. The various bodies must, on the one hand, comply with the Directive which is the fount of ultimate authority, and with their own national variant on it but, on the other hand must also act independently. That in turn means that different considerations may apply, not only country by country but at a finer level of geographical and organisational detail – an important message for those who think they will just pop over to Europe to collect some data.

Next up is a conflict between the German government and its High Court over a law requiring data about telephone calls and e-mail to be stored for six months in case it is required for law enforcement. My source here is an article in Der Spiegel called German High Court limits phone and e-mail data storage. Here again, the ultimate source of the law is an EU Directive, and Americans are not the only ones puzzled by the apparent contradiction inherent in this – on the one hand, the EU imposes strict controls on the handling and use of data whilst, on the other hand, it requires governments to monitor our private telephone and e-mail traffic.

The same EU directive applies, obviously, to the UK, where discussion about monitoring communications has inevitably become bound up in wider issues of state power over personal lives. Seventy years ago, Britain stood firm against German attempts to impose centralised control on every aspect of life; now Germany takes the lead in asserting the right to individual privacy where we have surrendered it. The Labour Government has (in no particular order): sought to introduce ID cards; encouraged people to report their neighbours to the authorities; set up new licensing and supervision requirements on the slightest excuse (dog owners are a recent, but swiftly-abandoned target); given the police stop-and-search powers so severe that the European Court has condemned both the powers and their execution; and is proposing to give powers of instant punishment to every Town Hall pen-pusher. It inevitably welcomes any excuse to monitor our communications. If I am not myself clear what the present status is of the monitoring powers, it is because every week brings us some new threat to our liberties, or a report indicating either some abuse of power (policeman demanding the deletion of photographs is a common one) or a government data security failure.

The next story appears in an article headed Germany’s Merkel gives blessing to Google Street View. Google has, I suspect, been taken aback by the criticism which Street View has attracted in Europe – another example, perhaps, of the US failure to understand that privacy protection (whether from commercial enterprises or governments) arouses deep passions. We consent to the erosion of our privacy continually, usually as a result of an unconscious trade-off between that erosion and some benefit – if we choose to carry a mobile phone, then our location is traceable, but the benefit outweighs the downside. The same is true of many other web or GPS-based functions. The difference between them and Street View is that the latter is disconnected from our own choice – we may choose not to use Street View but we have little control over its usefulness to those who want to eye up our houses for burglarious purposes, or over the risk that it happens to catch us coming out of a massage parlour, as happened to one man.

The article suggests that different interest groups, including various ministries, have used the arguments over Street View for their own purposes. I do not suppose that Google envisaged that it would take a pronouncement from Germany’s Chancellor to smooth the use of Street View in Germany.

My last example brings us back into the familiar territory of data collection for US court proceedings. I have already mentioned in this context the case of AccessData v Alste in which an Iowa court dismissed the defendant’s contention that it should not be required to give disclosure of German-sourced documents for data protection reasons. My references to the subject have largely concerned the under-used and misunderstood Hague Convention, and the fact that neither the AccessData case nor the Global Power case which preceded it were particularly helpful because of the manner in which the issues came before the court. Mayer Brown has done an article US District Court Requires Production of Overseas Data Notwithstanding Applicable Foreign Data Protection Law which looks more closely at the powers which US courts have (or do not have) to ignore EU laws on  data protection.

I have not gone looking for articles about Germany – they were sent to me or I followed Twitter links or Google alerts which came my way. I am not sure that it is entirely down to coincidence that four articles should have come my way in as many days.


About Chris Dale

I have been an English solicitor since 1980. I run the e-Disclosure Information Project which collects and comments on information about electronic disclosure / eDiscovery and related subjects in the UK, the US, AsiaPac and elsewhere
This entry was posted in Data privacy, Data Protection, Discovery, eDisclosure, eDiscovery, EU. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s