Coronavirus triggers soul-searching on privacy in Germany

BERLIN — Cracks are showing in the walls of Europe's fortress of data protection, Germany.

As the coronavirus outbreak rages around the world, some of Germany's most prominent privacy experts warn that the country's data protection standards — a result of over five decades of advocacy — could suffer lasting damage as the mostly locked-down country tries to revive its economy.

“Since the outbreak of the pandemic, you can certainly observe how some are trying to hollow out data protection standards,” Germany's Federal Commissioner for Data Protection Ulrich Kelber told POLITICO. “That’s nothing uncommon — there are always several actors who are trying to exploit an emergency situation for their objectives.”

So far, watchdogs like Kelber's office and other democratic institutions have been mostly successful in stopping Chancellor Angela Merkel's government and regional administrations from rolling out invasive measures to tackle the pandemic.

Under pressure from parliament, a new paragraph in the country’s Infection Protection Act drafted by tech-savvy Health Minister Jens Spahn — which would have made mobile phone providers hand over GPS data to health authorities — was scrapped at the last minute.

After local media reported that police in some federal states had been given lists of patients with COVID-19, the disease caused by the virus, regional watchdogs intervened to ban the practice.

So far, as neighbors like Poland push the EU's stringent data privacy rules to the limit with mandatory tracking apps, Berlin’s efforts have been confined to voluntary schemes. Researchers have rolled out an app that allows users of fitness-tracking devices to donate their data to authorities, while another pending application taps into Bluetooth signals to detect potential infections.

But data protection advocates warn that, as Merkel's government starts to think about how to lift at least parts of the lockdown, a debate about data protection standards is only just taking off.

“The case law is clear: You can only collect data here under very narrow conditions and never without concrete reason,” former German Justice Minister Sabine Leutheusser-Schnarrenberger told POLITICO. “But I do observe that some political actors argue that a difficult situation like this one, where there's danger not just for individual health but also the health care system, justifies dismissing some data protection standards while claiming that those standards should only apply for good-weather situations — and that's wrong.”

Others have drawn parallels to the 2001 terrorist attacks on the U.S., after which governments gradually expanded surveillance capabilities. Similarly, in the current situation, they warn, hard-earned data protection standards could end up as collateral damage in the coming months as the world is tackling the pandemic.

“Many are worried that just like back in the days during the War on Terror, new measures are introduced today that will never be taken back — and that must not happen,” said Kelber’s predecessor Peter Schaar, who served as Germany's federal commissioner for data protection between 2003 and 2013. “Restrictions of freedom that can be justified in a difficult time like today must not become the norm.”

In many ways, data protection as Europe knows it was born in Germany.

After administrations began to automate some of their operations and compile information in databases in the 1960s, a regional parliament passed what’s widely considered the world’s first modern data protection law in 1970. Similar national legislation across West Germany followed in 1977.

Those moves were prompted by legal scholars who became worried that with the emergence of new technology, states would gain ever more information about their citizens, which in turn would give them ever more coercive power. Scarred by the experience of the authoritarian Nazi regime, the legislation was meant to safeguard the balance of power between individuals and the state.

In the decades that followed, those laws were time and again used to limit German federal states' authority to collect data.

In a 1983 landmark ruling, the country's highest court decided that a census to measure the size of the population was in parts unconstitutional. The judges established that German citizens have a constitutional right to “informational self-determination,” cementing in law that public offices are effectively only allowed to process personal data if a law allows it or individuals have given their explicit consent.

Shortly after Germany’s reunification in 1990, the country’s new states in the former East — having experienced more than three additional decades of mass surveillance — passed corresponding laws.

This history explains how the country became arguably the most privacy-obsessed place in the world, where even murderers have a legal “right to be forgotten,” with a court ruling last year that a man sentenced for murder in the early 1980s has a right to have his name deleted from online articles.

But although the country is now known as the global front-runner in data protection — at times to the frustration of authorities in other EU countries — those high standards remain disputed, even at home.

“Data protection has always been controversial, and there are many who don’t think very highly of it,” said Matthias Bäcker, a law professor and data protection expert at the University of Mainz. “Today, that's more or less projected onto the coronavirus pandemic.”

But Bäcker also stressed that “when it comes to data protection, 9/11 wasn’t such a radical caesura,” or break, as people tend to think today.

“The strategic concepts that were made law after 9/11 had, in a very similar form, already been debated in the 1990s in debates on how to fight organized crime — and you can already observe a steady expansion of state surveillance capacities in the 1990s,” he said.

Former Justice Minister Leutheusser-Schnarrenberger resigned from her post in Helmut Kohl’s Cabinet in 1996 to protest constitutional changes that allowed for acoustic monitoring of private space. She said that while she does observe parallels to the time after 9/11, “the situation back then was completely different — today, we are dealing with a pandemic.”

But the veteran politician, who spent around eight years in government, also warned that leaders are under extraordinary pressure today.

“This raises both expectations among citizens that a government should do everything that’s possible to get the situation under control,” she said. “And within governments, the idea grows stronger that one can and should take drastic measures — perhaps because one feels under pressure.”

Like other longtime data protection advocates interviewed for this article, former Federal Commissioner for Data Protection Schaar stressed that special times require special measures and that while some measures might infringe Germany's stringent data protection standards, this is justifiable in the age of pandemic — as long as they are temporary.

“If people say that at the moment they don’t care what happens to their fundamental rights to data protection as long as they don’t fall ill, then that’s something I can certainly comprehend,” he said.

“But we need to go beyond this individual point of view. We need to ask how our society will look like after corona. And if we end up in an authoritarian surveillance state, this would be a very bad result.”
