
A 2017 updated version of this report is available.

The German Federal Data Protection Act has separate provisions for data processing in the public and private sectors. In addition, Germany has special privacy provisions for electronic information and communication services (telemedia) and yet another set of privacy rules for the providers of services that transmit electronic signals. All these laws apply to some extent to the providers of online services. Through these laws Germany transposed European Union (EU) Directives 95/46 and 2002/58, albeit in a very complex and differentiated manner. Some German experts find that this complexity interferes with the requirement of transparency in that it keeps consumers from being aware of their rights and from exercising them.

In keeping with the Directives, Germany generally prohibits the collection and use of personal data unless the law specifically permits this or the data subject has given his or her informed consent. German law also follows the Directives on issues relating to rights and remedies of data subjects, security requirements, restrictions on location data, minimization of data, and safeguards against transmitting personal data to third countries with lesser standards of protection. The German provisions, however, often call for the balancing of competing interests and the application of the principle of proportionality. These provisions have resulted in an extensive and varied case law.

In Germany, data protection has constitutional dimensions that flow from the guarantees of human dignity and personhood. From these, the Federal Constitutional Court (FCC) crafted the right of informational self-determination, which permits the processing of personal data only if authorized by statute or by consent of the data subject. In 2008, the FCC expanded these principles by articulating a constitutional guarantee of the confidentiality and integrity of IT systems. In 2010, the FCC struck down the German transposition of the EU Data Retention Directive for violating the principle of proportionality and the individual’s rights of personhood.

Germany has a Federal Data Protection Agency and sixteen state data protection agencies. These often act in concert when making recommendations on how the consumer may navigate safely through the Internet. In addition, German experts often discuss the data protection problems that arise from the widespread collection of data by search engines and social media, and the use of these data to profile the data subject for commercial purposes. Although German law prohibits these practices unless informed consent has been given and although German law applies to any collection of data on German soil, Germany cannot enforce these laws against global players.

I. Legal Framework

Privacy in online services is in part governed by the data protection provisions of the German Telemedia Act (TMA) (§§ 11–16).[1] This Act regulates electronic information and communication services (hereafter telemedia service providers) irrespective of whether their services are gratuitous or fee-based,[2] thus applying to search engines, news groups, chat rooms, and social media.[3] The Federal Data Protection Act (FDPA)[4] also applies to these online services, except where the TMA has more specific provisions.[5] In addition, the privacy provisions of the Telecommunications Act (TCA) (§§ 87–116)[6] apply to various technical aspects of telemedia activities.

Germany transposed the European Union (EU) Data Privacy Directive (Directive 95/46)[7] through the TMA as well as the FDPA, making use of the Directive’s permission to enact sector-specific legislation.[8] Germany also made use of the Directive’s permissible “margin for maneuvering”[9] by crafting some detailed legal concepts that are not contained in the Directive but adhere to its spirit.[10]

The German legislation also deviates from the wording of the Directive, but not from its meaning, by adhering to pre-existing German terminology and concepts. In particular, the German legislation distinguishes between data collection, processing, and use instead of employing the term “data processing” for all these activities, as is done in the Directive.[11] In addition, the German FDPA retained its pre-Directive structure of having separate rules for the public and private sectors, as well as general provisions that apply to both sectors. Of these, only the private sector rules (FDPA §§ 27–38a) and the general provisions (§§ 1–11) apply to telemedia service providers.

Germany transposed the e-privacy Directive (Directive 2002/58)[12] primarily through the Telecommunications Act.[13] Germany had transposed the EU Data Retention Directive[14] in sections 113a and 113b of the Telecommunications Act,[15] but the Federal Constitutional Court voided these provisions as unconstitutional,[16] and German politicians have since then been unable to agree on how to reword these provisions, while the EU Commission initiated proceedings against Germany’s tardiness.[17] Germany transposed Directive 2009/136[18] only in part through amendments to the Telecommunications Act.[19] In particular, Parliament could not reach an agreement on the transposition of the all-important “cookie provision”[20] (see below, section VI).

Germany has a long history of data protection. Like the United States, Germany became aware in the late 1960s of the need to protect the privacy of individuals against the data collection capabilities of electronic data processing.[21] In 1970, the German State of Hesse enacted the first Data Protection Act[22] and several German states shortly followed this example.[23] In 1977, Germany enacted the first Data Protection Act at the federal level.[24]

German data protection developed a new dimension in 1983, with the Census Decision of the German Federal Constitutional Court (FCC).[25] In this decision, the Court held that the individual has a constitutional right to “informational self-determination.” The decision prohibits the handling of personal data unless specific statutory authorization is given or the data subject consents (see below, section IV). In 1990, a new Federal Data Protection Act incorporated these constitutional requirements.

The Act of 1990 is still in effect today, albeit after numerous amendments.[26] Now, as at the time of enactment, the FDPA has aimed at protecting against the abuse of data processing by requiring that governmental data processing be based on specific statutory enabling legislation, while the consent of an individual is generally necessary to permit data processing in the private sector. There is, however, a strong feeling that the complexity of the German legislation is detrimental to its effectiveness.[27]

In addition to the Federal Data Protection Act, the German states (Länder) have data protection acts.[28] These, however, are not very relevant to online privacy, because they regulate the public sector of the states, whereas the regulation of private sector activity is governed primarily by federal law.[29] Some of the states have explicit data protection guarantees in their constitutions, yet these also are of little consequence for online data protection.[30]


II. Current Law

A. General Principles

The privacy provisions of the FDPA address data controllers, that is, entities that process (in German parlance, collect, process, and use) personal data.[31] The controllers are required to register with the pertinent state authority,[32] and this also applies to telemedia service providers.[33] Registration is required in particular for controllers who transfer data to others or conduct market research.[34] They must always register, even though other controllers can avoid registration if they appoint an internal data protection official.[35]

Telemedia service providers may collect and use personal data only to the extent that the law specifically permits or the data subject has given his consent.[36] Moreover, to the extent that the law permits the collection of data for specified purposes, these data may not be used for other purposes unless the data subject has consented to other uses.[37] The law recognizes two types of special purpose data: contract data (Bestandsdaten) and utilization data (Nutzungsdaten) (see below, Personal Data).[38] For all other types of personal data, particularly content data, consent is required in accordance with sections 28 through 30 of the FDPA, a set of stringent provisions, particularly with respect to advertisements (see below, Personal Data).

B. Consent

According to section 13 of the TMA, the controller must inform the user of the extent and purpose of the processing of personal data, for any consent to be valid. Consent may be given electronically, provided the data controller ensures that the user of the service declares his consent knowingly and unambiguously, the consent is being recorded, the user may view his consent declaration at any time, and the user may revoke consent at any time with effect for the future.[39] These principles live up to section 4a of the FDPA, which requires consent to be based on the voluntary decision of the data subject. Consent, however, is not always required. Many statutory exceptions allow for the use of data without consent, for various business-related purposes (see below, Personal Data).

C. Transparency

According to TMA section 13(1), the telemedia service provider must inform the user at the beginning of the contractual relationship of the extent and purpose of data collection and use, and also of whether the data will be processed outside of the European Union. If the provider intends to use an automated process that will allow the identification of the user, then this information has to be provided when data collection commences, and the user must at any time have access to this information.

This provision of the TMA has been interpreted as applying only to contract and utilization data,[40] thus leaving content data under the governance of Section 4(3) of the FDPA. The latter provides that the controller must inform the data subject of the identity of the data controller, the purpose of the collection, processing, and use of the data, and the categories of intended recipients if this is not foreseeable for the data subject. This information must be provided when the data are first collected.[41]

D. Personal Data

The FDPA defines personal data as “individual pieces of information about personal or factual circumstances about an identified or identifiable human being.”[42] This definition applies to all the data handled by telemedia service providers irrespective of whether the data are governed by the FDPA or the TMA.[43] Different rules on consent requirements, however, apply to different categories of data.

Contract data (Bestandsdaten), as defined in the TMA, are the data that are required to establish, develop, or change a contractual relationship with a telemedia service provider. Contract data are to be collected sparingly,[44] in order to live up to the principle of data minimization.[45] They may be used only for the intended contractual purpose and must be deleted once they are no longer needed. This use is statutorily permitted. The user’s consent, however, is required if the service provider wants to use these data for other purposes, such as advertising or market research; a specific agreement from the data subject is required for these uses.[46] The provisions on contract data apply whenever a relationship is established by an online registration. They therefore apply to Facebook and other social media.[47]

Utilization data are the personal data that a telemedia service provider may collect and use to facilitate use of the service and for accounting purposes. The service provider may use these data to create user profiles for market research and advertising, unless the user objects after having been duly informed. The thus-created profiles must be identified by a pseudonym, and the identity of the user may not be revealed.[48]

Other data, particularly content data, fall under the consent requirements of sections 28 through 30 of the FDPA, if they are collected by online service providers. In their current form, these provisions were introduced through the 2009 reform of the FDPA, and their complexity is legendary.[49] Generally, they allow certain commercial uses of data, including “list-making” and “scoring,” albeit under numerous safeguards. Section 29 deals with data collection and storage for a controller’s own business purpose and for the purpose of disclosure of the data to third parties, including for the purpose of direct marketing. Such activities are permitted to some extent without the data subject’s consent, yet the competing interests must be balanced, and the data subject must be notified of the purpose of the processing.[50]

It has been stated that section 29 of the FDPA is not well-suited to online activities as facilitated by current internet technology that allows the collection of information from websites and the downloading of large quantities of data.[51] Section 29 requires a scrutiny of the permissibility of data processing in each individual case to ascertain circumstances, such as a protection-worthy interest in preventing the data processing, and the public availability of the data. In addition, the law requires random checks of the continued suitability of ongoing operations.

There has been much discussion of whether IP addresses are personal data, and the majority opinion considers them to be always personal data when they are fixed IP addresses that identify a specific computer. If they are movable IP addresses that are assigned by the access provider every time the user logs in, then they are personal data only if the service provider has enough information to actually identify the user, which will usually be the case.[52]

E. Sensitive Data

The FDPA defines sensitive data according to Directive 95/46 as those relating to race, ethnicity, political opinions, religious or philosophical beliefs, or health or sex life.[53] Consent must be expressed specifically in order to permit the collection and use of such data. Moreover, controllers of such data must undergo an examination of their operations as required by Directive 95/46.[54]

F. Profiling

Germany has been averse to the profiling of personally identifiable data subjects since the Micro Census Decision of the Federal Constitutional Court in 1969,[55] and the data protection laws guard against profiling in various ways, among them the insistence that data only be used for the purpose for which they have been collected.[56] The TMA, however, allows the creation of profiles with data that have been rendered anonymous (see below, Anonymity). The FDPA also allows the use of some data for market-related purposes. To the extent that they involve profiling, various safeguards, including the informed consent of the data subject, would be necessary.[57] Profiling without the consent of the data subject is at the heart of the German dislike for the “Like” button of Facebook (see below, Data Protection Authorities).

The specter of large-scale profiling through web-crawling and the use of Facebook was raised in June 2012, when it became known that Schufa, a German credit rating agency, was exploring the possibility of enhancing its profiles on the creditworthiness of individuals with these means. German official reaction was largely negative, finding the project offensive if not illegal; even the German IT industry association, Bitkom,[58] suggested that not everything that was doable should be done and worried about consumer confidence in the Internet.[59]

G. Smartphones and Geo Data

Germany transposed article 6 of Directive 2002/58 concerning traffic data in section 96 of the TCA and the Directive’s article 9 on other location data in article 98 of the TCA.[60] Both types of data are highly sensitive, and unless there is consent for further processing, these data may be collected and used only to the extent that they are required. They must be deleted or made anonymous as soon as they are no longer needed. If they are to be used for marketing purposes or for connection to smartphone applications, special forms of consent and notifications are required.[61]

German scholars are of the opinion that programs such as “Facebook Places” violate German law if the mobile phone user logs in. In that case, the location of the user is to be construed as personal data that may be collected and used only if there is consent.[62] There also is established case law that the creation of movement profiles of a person is illegal.[63] Scholars also are of the opinion that the use of radio-frequency identification technology is of questionable legality in view of the potential to create moving profiles and that the current statutory provisions may not provide enough privacy protection.[64]

Google Street View has come under considerable attack in Germany, resulting in the intervention of the data protection agencies and in much litigation. The outcome of this struggle is that Google may take pictures of the street view of houses, but it must blot out identifiable house numbers upon request.[65] In Berlin, the Consumer Protection Ministry decreed that Google could start its picture taking only after the residents had an opportunity to voice their objections. The dwellings and gardens of these citizens had to be rendered totally unrecognizable by Google.[66]

In August 2010, the Federal Council (the chamber representing the states in the bicameral federal legislature) proposed legislation that would have further restricted the collection of data through photographs by introducing a legally binding right of objection.[67] In December 2010, the Federal Minister for the Interior, together with Bitkom, the German industry association for information technology,[68] responded with a counterproposal that recommended self-regulation, as long as certain well-established principles were not violated.[69]

H. Protection of Minors

Germany has no age-specific privacy provisions. Many of the states, however, provide educational programs to make young people aware of the online attacks on privacy. In Hamburg, for instance, the Data Protection Commissioner published a brochure entitled “You Won’t Get My Data,” that has suggestions on how to include online privacy education in the school curricula.[70] German organizations also participate in the EU-wide initiative “klicksafe.”[71] The media authorities of the states also provide and coordinate programs to protect young people from the dangers of the Internet, particularly illegal content.[72]

I. Technical Security

Section 9 of the FDPA requires extensive technical and organizational measures to ensure the overall integrity of IT systems that are being used for the processing of personal data,[73] and these requirements live up to article 17 of Directive 95/46. The German provisions, as well as the Directive, call for a proportional interpretation of security requirements, by tailoring the need for security to the risk inherent in specific operations.[74] Additional provisions on technical security are contained in sections 107 and 109 of the Telecommunications Act.

Section 13 of the Telemedia Act requires controllers to install the necessary technical and organizational measures to ensure that:

  • the user may terminate the relationship at any time;
  • data will be automatically erased or blocked if required by law;
  • the use of the service will not become known to third parties;
  • data on the use of several telemedia by one user can be accessed separately, except that they can be combined for accounting purposes; and
  • data collected under a pseudonym cannot be combined with data personally identifying the user.

In August 2009, Germany introduced a security breach notification requirement that obliges controllers to notify the data subject if data were unlawfully transmitted or otherwise became known to third parties.[75] This requirement was modeled after U.S. law and is intended to increase consumer confidence in automated systems.[76]

According to the German provisions, notification is required only if the security breach threatens to cause serious impairment of the rights or the protection-worthy interests of the data subject.[77] In November 2009, the EU promulgated Directive 2009/136, which requires notification of any type of security breach that led to the destruction, loss, or alteration of data, irrespective of the impairment caused thereby.[78] Germany has not as yet transposed this provision.[79]

J. Anonymity

Rendering data anonymous is a general principle of German data protection law, to be employed whenever feasible so as to minimize the proliferation of data. Data may also be placed under a pseudonym so as to preserve anonymity.[80] These devices allow the data subject to retain control over his data while giving the controller greater possibilities for use and transmittal of the data. When data have become anonymous, they are no longer personal data and can therefore be freely used for market research.[81] They become personal data again if the controller has the possibility of identifying the data subject. It appears that services are available in Germany that facilitate anonymity by allowing the user to communicate over an IP address that differs from his or her own.[82]

Telemedia service providers are required to use pseudonyms for the collection of certain data. For utilization data, the controller must use “pseudonymization” in order to be allowed to create profiles for market research (see above, Personal Data). With regard to contract data, the telemedia service provider must make it possible for the data subject to use the service and pay for it under a pseudonym, and he must also inform the data subject of this option.[83] The law provides, however, that the provider must make “pseudonymization” possible only to the extent that it is technically feasible and can be reasonably expected.[84] This is one of the many “balancing and weighing” clauses that exist in German data protection law.

K. Rights and Remedies of Data Subjects

The privacy rights and remedies of telemedia users are governed to a large extent by the FDPA. The Act imposes duties of notification on the data controller (§§ 4(3) and 33). He must notify the data subject on the types of data that are being collected, the source of the data, the purposes for which data are collected, and to whom they are disclosed.

For the data subject, the Act grants rights of access (§ 34) and rights to effect correction, erasure, and blockage (§ 35). The right to demand erasure[85] often becomes an issue when a user leaves a social medium. Users often waive the right of erasure in standardized terms of contract. It appears that this is currently permissible according to German law.[86] Even if erasure were to be carried out, data are being transmitted to third parties in many different ways in social media, so that erasure often does not fulfill its purpose.[87]

Data subjects may enforce their rights through the judicial remedies provided in civil and commercial law. Injunctive relief as well as damages can be claimed.[88] It appears, however, that damages for pain and suffering are not available for data protection violations in the private sector.[89]

In Germany, the data protection authorities are not necessarily involved in enforcing the rights of individual data subjects. Instead, complaints against domestic controllers must first be lodged with the company’s in-house data protection official.[90] Germans believe in self-regulation of the private data processing sector, yet it has been suggested that this German solution is not compatible with EU requirements.[91]

L. Sanctions

Contraventions of the various duties of the TMA are administrative offenses that are punishable with a fine of up to €50,000.[92] This applies to transgressions such as the failure to erase data or to keep them anonymous.[93] Most violations of the FDPA are also administrative offenses. Some are punishable with a fine of up to €50,000, whereas the more serious ones, such as the processing of data without having obtained consent, are punishable with a fine of up to €300,000.[94] Criminal sanctions are available for conduct involving intent to harm others or to make a profit.[95]

M. Cross-Border Application

In keeping with article 4 of Directive 95/46, the law of the seat of the controller applies to data processing occurring in Germany if the controller resides in another Member State of the European Union.[96] German law applies, however, if such an EU-resident controller carries out data processing in Germany through a German subsidiary or establishment. German law also applies for any data processing occurring in Germany that is carried out by a controller who resides outside the European Union.[97]

According to these principles, German law applies to an online search engine or social medium if it places a cookie on a German personal computer.[98] Enforcement of German law, however, can rarely be achieved against foreign controllers.[99]

On the transmittal of data to other countries, Germany also differentiates between recipient countries that are EU or EEA members and third countries.[100] Transfers to the latter generally require assurances that the third country has an EU-compatible standard of data privacy.[101] Transfers to EU/EEA countries are often, but not always, governed by the same provisions of German law that apply domestically.[102]

The issue of applying German law to the collection of German data by controllers in third (non-EU) countries is addressed in the ongoing controversy over whether Facebook qualifies as an EU-domiciled controller because of its corporate address in Ireland.[103] Many German experts are of the opinion that Facebook use in Germany, in particular the use of the “Like” button, is subject to German law and therefore prohibited on the grounds that the data are ultimately transmitted to the United States, which does not have an EU-compatible data protection standard.[104]

N. Data Retention

As mentioned above, Germany has not as yet transposed EU Directive 2006/24, on data retention. If Germany eventually were to comply with this mandate, the German practices and rules on rendering data anonymous might have to be changed (see above, section II(J)).[105]


III. Role of Data Protection Agencies

Germany has a Federal Data Protection Commissioner and sixteen state data protection authorities, one for each German state. The Federal Commissioner’s primary function is the supervision of data processing by the federal government,[106] whereas the state authorities are in charge of overseeing data protection in the public sector of their state on the basis of state law,[107] and data protection in the private sector of their state on the basis of federal law.[108] In a decision of 2010, the European Court of Justice held that the data protection agencies of some of the German states are not independent enough from the state governments;[109] this judgment will lead to institutional reforms in some of the German states.[110]

The state authorities oversee the activities of private data controllers and require them to register with the authority or to appoint an internal data protection official in accordance with federal law.[111] The state authorities also offer assistance to the public,[112] yet complaints against controllers who reside in Germany should at first be brought to the in-house data protection officials (see above, Rights and Remedies). The state authorities publish biannual reports on their activities.[113] In addition, the state authorities cooperate in the Düsseldorfer Kreis, a periodic conference that publishes resolutions on important data protection issues for the private sector.[114]

In 2009, the Düsseldorfer Kreis recommended standards for the tracking of internet users by search engines, such as through Google Analytics.[115] As a result of these efforts, Google changed its program code through “IP masking,” thus collecting the data in an anonymous manner.[116] Nevertheless, Google is still viewed as being in violation of German law for its tracking practices.[117]

In 2011, the Düsseldorfer Kreis published a resolution on data protection in social media. It admonished social media, stating that German law applies to their activities even if they have a subsidiary in another EU member state, and it emphasized that transparency and informed consent are required to make the use of social plug-ins on German personal computers permissible. The resolution, however, adopted a somewhat conciliatory tone by approving of self-regulatory efforts by social media companies.[118]

On the same issue, however, the data protection agency of Schleswig Holstein has taken a more pronounced view, particularly on the “Like” button of Facebook. The agency advised public and private providers of websites that the “Like Buttons” and other social plug-ins violated German law and that German private and public entities should not have a presence on Facebook. In addition, the agency has taken three German enterprises to court for their presence on Facebook. The cases are still pending.[119]


IV. Court Decisions

The Federal Constitutional Court [FCC] shaped German data processing law by subjecting it to the constitutional guarantees of human dignity and free development of one’s personality.[120] In 1969, the Court held in the Micro Census Decision that it is contrary to human dignity to catalog and register an individual and that there has to be a sphere into which no one can intrude and where the individual can enjoy solitude.[121]

In 1983, the FCC issued its famous Census Decision [Volkszählungsurteil].[122] According to the Court, the right of informational self-determination derives from the guarantees of personhood and human dignity of the Constitution, and it generally grants the individual the power to decide about the disclosure of his personal data and their use. The Court allows exceptions from this principle only if there is an overriding public interest and if this is explicitly stated in specific statutory provisions. In addition, the constitutional protection requires that data processing activities live up to the principle of proportionality and give the individual procedural remedies and protections. Moreover, data may not be stored indefinitely for undefined future purposes.

In 2008, the FCC issued a decision on online searches by public authorities.[123] The Court created a new constitutional right that guarantees the integrity and confidentiality of IT systems. Consequently, the Court held that online searches by the public authorities require a search warrant. Although the decision addresses the public sector, it may also create duties for the private sector, because the German Constitution is interpreted to the effect that fundamental rights must be observed by the private sector.[124]

In 2010, the FCC referred to the data retention prohibition of the Census Decision when it issued a decision on data retention which struck down the German transposition of Directive 2006/24.[125] In addition, the decision of 2010 found that the statutory provisions had violated the secrecy of telecommunications.[126]

The courts of ordinary jurisdiction also have contributed much to the interpretation of data protection law. They are called upon on a daily basis to apply the principle of proportionality and to balance competing interests, such as privacy versus technical feasibility or freedom of expression. There is a flood of cases that limit the right to informational self-determination.

A decision of the Federal Court of Justice (Bundesgerichtshof) of 2009 explains that informational self-determination has to be balanced with other rights, in that case with freedom of speech.[127] A teacher had requested an injunction against an Internet portal that published student evaluations of her performance. The portal had a registration requirement that included naming the school, along with a user name and password. The Court held that providing information on the teacher was permissible, because it was provided to a circle of persons with an interest in the information. The Court also mentioned that individuals have fewer privacy protections in their professional sphere.

In May 2012, the Federal Court of Justice balanced the right to be forgotten with the public’s right to know, by rejecting a request from two murderers to enjoin an Austrian Internet portal from retaining an article on them in its online archive.[128] The plaintiffs had been convicted of murder in 1990. The Court first obtained an advisory opinion from the European Court of Justice that confirmed German jurisdiction over the case due to the plaintiffs’ close connection to Germany. On the merits, the German Court held that under the circumstances of the case, the public’s right to know outweighed the interests of the complainants to be shielded from publicity.


V. Public and Scholarly Opinion

Germans are avid users of the Internet and of social networks. Some 75% of the German population uses the Internet; close to one half of them use it on mobile telephones or tablet computers. The use of search engines has become indispensable to many Germans, and Google has an 85% market share in Germany.[129] Some 55% of Germans are active users of social media,[130] with Facebook usership reaching 28% of the population.[131]

Opinions on the need for online privacy protection range from asserting that privacy has become an out-of-date concept[132] to viewing the assault on privacy in online services as a serious problem. Many scholars are of the opinion that developments in technology and user patterns have created a new reality that is not adequately addressed by German law.[133] This is perceived as being particularly true for the numerous applications that are used on smartphones and through which enormous amounts of data are processed, often for the purpose of profiling.[134] A recurring theme in this discussion is the compensatory nature of search engine and social media use, the fact that these services are not “free,” that there is a consideration to be paid in the form of released information of monetary value.[135]

The German discussion of online privacy is multifaceted; it addresses the constitutional tension between privacy and freedom of information,[136] makes practical suggestions for users and for future technological development, emphasizes education, and recommends law reform. Most writers take a balanced view by recognizing that online services, be they search engines or social media, contribute to the proliferation of knowledge and empower people to express themselves.[137] Moreover, some writers advise against overly strict German regulation of its domestic providers on the grounds that enforcing high standards in Germany will hurt German firms when they are competing with providers in other countries.[138]

On technical developments, Dirk Heckmann, the author and editor of a renowned commentary on Internet law, favors the development of privacy settings by default that would minimize the disclosure of personal data while also offering transparency and assistance.[139] On user behavior, Frank Koch, a practicing attorney, makes several recommendations, including the frequent deletion of cookies while surfing, the frequent change of pseudonyms when using social media, the de-activation of the geo-localization function of smartphones when not needed, frequent reputation management, using information posted by German data protection authorities on how to better protect privacy, and the use of search engines such as Ixquick[140] that do not collect user data. He believes that these measures would not only protect the user, but also would favor the growth of innovative, small service providers who would be given a better chance if the data collections of the large, oligopolistic providers were less complete.[141]

Phillip Gröschel, a youth protection official for a social media service provider, emphasizes the need for education, to empower the individual to discern the complexities of the issue.[142] Indra Spiecker, a law professor, shares his view that users are not aware of the threats to their privacy; she would favor clearer statutory rules instead of the current practice of balancing and weighing of competing interests.[143] Ultimately, she recognizes the inevitable tension between the right to information and the right to privacy. Legally speaking, she decries the imbalance in power between the network and the user.

A somewhat unconventional idea for law reform comes from Jochen Schneider, an attorney, who would not require informed consent for the processing of all data. He would limit stringent privacy protections to data relating to the home and the intimate sphere of life. He argues that the categorical insistence on a consent requirement for all personal data is responsible for the complexity of German data protection law, which has to create many statutory exceptions. Moreover, he finds that German data protection law, as written, violates the constitutional guarantee of freedom of expression, which therefore has to be inserted into the statutory law through judicial interpretation.[144]


VI. Pending Reform

In June 2011, the German states had introduced draft legislation to transpose the cookie provision of Directive 2009/136, restating article 5(1) of that Directive almost verbatim.[145] However, this draft did not become law, because the federal government is of the opinion that a transposition of the Directive that follows its wording would not be technically feasible without subjecting the user to constant pop-ups.[146] The federal government intends to await a European solution and also favors self-regulation by the telemedia service providers.[147]

Many German experts view the proposed EU Data Protection Regulation[148] favorably. Among them is the German Federal Data Protection Commissioner, who finds that the reform proposal has a chance of improving the current legal situation, in particular vis-à-vis service providers from non-EU member countries. He also hopes that industry interests will not succeed in watering down the proposed standards.[149]

Thilo Weichert, the Data Protection Commissioner of Schleswig-Holstein, formulated his expectations as to what the proposed EU Regulation may accomplish as follows:

Perhaps data transmission to the United States is no longer possible; traffic data can be analyzed only to a limited extent. The user must be better informed, particularly as to his options on the release of data. The collection of data of third persons, as for instance, through address books, must be restricted, if not completely prohibited. Proper consent procedures must be provided for facial recognition. On the granting of information on existing data and their erasure, clear European guidelines exist that Facebook has not observed as yet. Overall, Facebook must considerably improve their standardized terms of contract and consumer protection. You see: there is a multiplicity of demands – technical, organizational, and legal. Facebook must make major efforts.[150]

Some Germans, however, oppose the proposed EU Regulation for violating the EU subsidiarity principle and for potentially lowering German data protection standards, as well as for giving up constitutional sovereignty over the issue.[151]


VII. Concluding Remarks

Germany has invented the right of informational self-determination, and German law appears to be effective in restricting the processing of personal data by the private sector, at least by domestic providers.[152] Germany, however, shows some understanding of commercial interests. This is demonstrated by the allowance of the use of personal data in some situations, for instance when it is possible to render those data anonymous for market research purposes, instead of requiring their deletion. German law also takes a pragmatic approach to imposing data protection requirements by balancing protective requirements with their feasibility. Balancing is also required to reconcile competing fundamental rights, such as freedom of expression, with privacy interests. The courts are frequently called upon to weigh these competing interests, and they do not always decide in favor of privacy.

German law, however, suffers from its complexity and from many broad concepts that stand in the way of certainty and predictability. There is also much concern that the existing laws are not adequate to deal with the technical and societal changes brought about by globalization, the increased use of search engines, smartphone applications, and social media, and the resulting proliferation of personal data that are disclosed by the data subjects themselves. For these reasons, many German lawyers welcome the development of a European Regulation on data protection.


Prepared by Edith Palmer, Chief,
Foreign, Comparative and International Law Division II
June 2012

[1] Telemediengesetz [TMG] [Telemedia Act], Feb. 26, 2007, BUNDESGESETZBLATT [BGBL.] I at 179, as last amended by Gesetz, May 31, 2010, BGBL. I at 692, §§ 11–16.

[2] TMG § 1.

[3] DIRK HECKMANN, INTERNETRECHT Ch. 1.1 ¶¶ 60–65 (3rd ed. 2011, updated through June 15, 2012), available by subscription.

[4] Bundesdatenschutzgesetz [BDSG] [Federal Data Protection Act], repromulgated Jan. 14, 2003, BGBL. I at 66, as last amended by Gesetz, Aug. 14, 2009, BGBL. I at 2814.

[5] TMG § 12(2).

[6] Telekommunikationsgesetz [TKG] [Telecommunications Act], June 22, 2004, BGBL. I at 1190, as last amended by Gesetz, May 3, 2012, BGBL. I at 958, §§ 91–107.

[7] Directive 95/46/EC, of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, 1995 O.J. (L 281) 31.

[8] Id., recital 68.

[9] Id., recital 9.

[10] For instance by differentiating between contract data and utilization data. TMG §§ 14 & 15. See also Kerstin Tscherpe in KOMMENTAR ZUM BDSG 1103 (Jürgen Taeger & Detlev Gabel, eds. 2010).

[11] Directive 95/46 art. 3 (1).

[12] Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 Concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector, 2002 O.J. (L 201) 37.

[13] TKG §§ 87–116.

[14] Directive 2006/24/EC on the Retention of Data Generated or Processed in Connection with the Provision of Publicly Available Electronic Communications Services or of Public Communications Networks, 2006 O.J. (L 105) 54.

[15] TKG, as amended by Gesetz, Dec. 21, 2007, BGBL. I at 3198.

[16] Bundesverfassungsgericht [BVerfG], Mar. 2, 2010, 125 ENTSCHEIDUNGEN DES BUNDESVERFASSUNGSGERICHTS [BVERFGE] 260.

[17] Brüssel verklagt Deutschland auf 300,000 Euro täglich, FRANKFURTER ALLGEMEINE ZEITUNG [FAZ], June 1, 2012, at 1.

[18] Directive 2009/136/EC on Universal Service and User’s Rights Relating to Electronic Communications Networks and Services, 2009 O.J. (L 377) 11.

[19] TKG-Änderungsgesetz, May 3, 2012, BGBL I at 958; see also Bernd Holznagel, Das neue TKG: Im Mittelpunkt steht der Verbraucher, NEUE JURISTISCHE WOCHENSCHRIFT [NJW] 1622 (2012).

[20] Directive 2009/136 art. 5(1).

[21] For the U.S., see ARTHUR MILLER, THE ASSAULT ON PRIVACY 225 (1971); for Germany, see Jürgen Taeger & Berndt Schmidt, in KOMMENTAR, supra note 10, at 3.

[22] Datenschutzgesetz [Data Protection Act], Oct. 7, 1970, HESSISCHES GESETZ-UND VERORDNUNGSBLATT I

[23] Taeger & Schmidt, in KOMMENTAR, supra note 10, at 4.

[24] Gesetz zum Missbrauch personenbezogener Daten bei der Datenverarbeitung [Act Concerning the Abuse of Data in Data Processing], Jan. 27, 1977, BGBL I at 201.

[25] Bundesverfassungsgericht [BVerfG], Dec. 15, 1983, 65 Entscheidungen des Bundesverfassungsgerichts [BVerfGE] 1. For a summary in English, see DONALD P. KOMMERS, THE CONSTITUTIONAL JURISPRUDENCE OF THE FEDERAL REPUBLIC OF GERMANY 299 (1997).

[26] In 2001, the BDSG was amended to transpose Directive 95/46; in 2009, a major amendment introduced provisions on “scoring” and “rating.” See Taeger & Schmidt in KOMMENTAR, supra note 10, at 6.

[27] Thomas Hoeren, Ein Lob für Frau Reding – der neue Entwurf zur allgemeinen Europäischen Datenschutzverordnung [Praise for Ms. Reding – the New Draft on the General European Data Protection Regulation], BETRIEBS-BERATER [BB] Die erste Seite 2012, no. 8.

[28] Douwe Korff, Germany, in European Commission, Directorate General Justice, Freedom and Security [DG JFS], Comparative Study on Different Approaches to New Privacy Challenges, in Particular in the Light of Technological Developments: Country Studies A.4 (May 2010).

[29] BDSG § 29.

[30] HECKMANN, supra note 3, at ch. 9 ¶ 31.

[31] BDSG § 1.

[32] BDSG § 38.

[33] HECKMANN, supra note 3, at ch. 9, ¶ 85.

[34] BDSG § 4d.

[35] BDSG § 38.

[36] TMG § 12(1).

[37] TMG § 12(2).

[38] TMG § 14.

[39] TMG § 13(2).

[40] HECKMANN, supra note 3, ch. 9, ¶ 194.

[41] BDSG § 4(3).

[42] BDSG § 3(1).

[43] HECKMANN, supra note 3, ch. 9, ¶ 118.


[45] BDSG § 3a.

[46] HECKMANN, supra note 3, ch. 9, ¶ 316.

[47] Id. ¶¶ 303–05.

[48] TMG § 15.

[49] Jochen Schneider, Hemmnis für einen modernen Datenschutz: Das Verbotsprinzip [Impediment for Modern Data Protection: The Prohibition Principle], ANWALTSBLATT [ANWBL] 233 n.2 (2011).

[50] See Korff, supra note 28, at 20.

[51] Wolfgang Däubler et al., Bundesdatenschutzgesetz 497 (2010).

[52] Benedikt Buchner, in KOMMENTAR, supra note 10, at 74.

[53] BDSG § 3(9); Directive 95/46 art. 8.

[54] Directive 95/46, art. 20; BDSG § 4d(5).

[55] BVerfG, July 16, 1969, 27 BVerfGE 19.

[56] Taeger & Schmidt, in KOMMENTAR, supra note 10, at 14.

[57] BDSG §§ 28–30.

[58] Federal Association for Information Technology, Telecommunications, and New Media, BITKOM (2012).

[59] Schufa will Internet für Personenprofile auswerten [Schufa Wants to Exploit the Internet for Personal Profiling], FAZ 9 (June 8, 2012).

[60] BERLINER KOMMENTAR ZUM TELEKOMMUNIKATIONSGESETZ 2325 (Franz Säcker ed., 2nd ed. 2009).

[61] TKG §§ 96 & 98.

[62] HECKMANN, supra note 3, ch. 9, ¶ 492.

[63] Thilo Weichert, Datenschutz und Meinungsfreiheit [Data Protection and Freedom of Opinion], ANWBL. 252, 254 (2011).

[64] Til Pörksen, Der Einsatz von RFID Chips für Location Based Services [The Use of Radio Frequency Identification Technology for Location-Based Services], ANWZERT ITR 4/2009 (by subscription).

[65] Kammergericht Berlin [Berlin Appellate Court] Mar. 15, 2011, Docket No. 10 W 127/10 (by subscription).

[66] Ole Reissman, W-Lan-Mitschnitte – Google gesteht Datenpanne bei Street View [Wi-Fi Data Collection, Google Admits Street View Data Mistake], SPIEGELONLINE (May 15, 2010).

[67] Weichert, supra note 63.

[68] Bitkom, supra note 58.

[69] Bundesministerium des Inneren, Bundesinnenminister stellt Gesetzentwurf zur “roten Linie” vor und nimmt Datenschutz-Kodex in Empfang [Federal Minister of the Interior Presents Draft Law on “Red Line” and Accepts Data Protection Codex], BUNDESMINISTERIUM DES INNERN (Dec. 1, 2010), DE/2010/11/Datenschutzkodex_RoteLinie.html.

[71] Die EU-Initiative Klicksafe, KLICKSAFE.DE (last visited June 25, 2012).

[72] Jugendschutzgesetz, July 23, 2002, BGBL., I at 2739, as amended.

[73] These requirements are further specified in BDSG, Anlage 1 zu § 9 [App. 1 to § 9].

[74] Jyn Schultze-Melling, in KOMMENTAR, supra note 10, at 390–94.

[75] TMG § 15a & BDSG § 42a.

[76] HECKMANN, supra note 3, ch. 9, ¶ 420.

[77] Legislative intent required notification for tangible detriments such as disclosure of banking information as well as social detriments such as identity fraud. See HECKMANN, supra note 3, ch. 9, ¶ 426.

[78] Directive 2009/136 arts. 2(1), 2(4).

[79] Flemming Moos, in KOMMENTAR supra note 10, at 1139.

[80] BDSG § 3a.

[81] For the telemedia sector, see SPINDLER & SCHUSTER, supra note 44, at 1551.

[82] Id.

[83] TMG § 13(6).

[84] Id.

[85] BDSG § 35(2).

[86] HECKMANN, supra note 3, ch. 9, ¶¶ 504–506.

[87] Id.

[88] Korff, supra note 28, at 46. Tort liability arises in particular from a failure to notify of security breaches. See supra notes 75–77 and accompanying text. See also HECKMANN, supra note 3, ch. 9, ¶ 433.


[89] Schneider, supra note 49, at 237. Damages for pain and suffering are available for public sector violations. See BDSG, § 8.

[90] Korff, supra note 28, at 47.

[91] Id.

[92] TMG § 16.

[93] Moos, supra note 79, at 1137.

[94] BDSG § 43.

[95] Id. § 44.

[96] Id. § 1(5). Germany also applies this principle to controllers residing in one of the European Economic Area Countries (Iceland, Liechtenstein, and Norway); see also Korff, supra note 28, at 9.

[97] BDSG § 1(5). These rules also apply to data that are governed by the privacy provisions of the TMG. See Moos, supra note 79, at 1059.

[98] Alexander Dix, Datenschutzkontrolle im Internet – unmöglich? [Data Protection Control on the Internet– Impossible?], Lecture at a 2008 Summer Academy on Internet Privacy (Sept. 1, 2008), http://www.datenschutz-

[99] Philippe Gröschel, Bedrohen soziale Netzwerke den Datenschutz? [Do Social Media Threaten Data Protection?], ANWBL. 276 (2011).

[100] BDSG § 4b(1).

[101] There are, however, many exceptions. See Detlev Gabel, in KOMMENTAR, supra note 10, at 165.

[102] Id.

[103] Press Release, Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein, ULD zum Facebook-Audit des irischen Datenschutzbeauftragten: Erkenntnisse stützen weiteres Vorgehen des ULD [Independent Data Protection Office for Schleswig-Holstein [ULD] on the Facebook Audit of the Irish Data Protection Commissioner: Findings Support Further ULD Action] (Dec. 22, 2011).

[104] HECKMANN, supra note 3, ch. 9, ¶ 539.

[105] Id., ch. 9, ¶¶ 270–274.

[106] BDSG §§ 22–26.


[108] BDSG § 38–38a.

[109] Judgment of the ECJ, Grand Chamber, Mar. 9, 2010, European Commission v. Federal Republic of Germany, Case C-518/07.


[111] BDSG § 4d–4e.

[112] Landesbeauftragter für Datenschutz, supra note 107.

[113] BDSG § 38(1).

[114] These Resolutions are available on the webpages of the state data protection authorities, as, for instance, that of the state of Hesse (click on Beschlüsse des Düsseldorfer Kreises) (last visited July 13, 2012).

[115] As described in HECKMANN, supra note 3, ch. 9, ¶ 547. The resolution appears to be no longer available online.

[116] Id.

[117] Id. ¶ 548.

[118] Beschluss des Düsseldorfer Kreises vom 8. Dezember 2011, Datenschutz in sozialen Netzwerken [Data Protection in Social Media].

[119] Interview by Michael Hahnfeld with Thilo Weichert, Datenschutzbeauftragter des Landes Schleswig Holstein, Facebook hat ein Problem [Facebook has a Problem], FAZ 33 (May 18, 2012).

[120] Grundgesetz für die Bundesrepublik Deutschland [GG] [Basic Law] May 23, 1949, BGBL. 1, arts. 1(1), 2(1).

[121] BVerfG, July 16, 1969, BVerfGE 27, 1; for a summary, see EVELIEN BROUWER, DIGITAL BORDERS AND REAL RIGHTS 417 (2008).

[122] BVerfG, Dec. 15, 1983, supra note 25.

[123] BVerfG, Feb. 27, 2008, 120 BVERFGE 274.


[125] BVerfG, supra note 16.

[126] Grundgesetz für die Bundesrepublik Deutschland [Basic Law], May 23, 1949, BGBL. 1, art. 10.

[129] Suchmaschinen-Optimierung leicht gemacht [Search Engine Optimization Made Easy] (last visited July 13, 2012).

[130] Marion Müller, Mediennutzung in Deutschland, DIE AKTIENGESELLSCHAFT R 161 (2012).

[131] Planet der Freundschaft [Planet of Friendship], DER SPIEGEL 133 (May 7, 2012).

[132] Post Privacy Debatte: Ist Privatsphäre noch zeitgemäss? [Post-Privacy Debate: Is Privacy Still Up to Date?], STERN.DE (Mar. 24, 2011).

[133] Gröschel, supra note 99; Indra Spiecker, Kommunikation als Herausforderung: Neue Wege für Datenschutz [Communication as a Challenge: New Paths for Data Protection], ANWBL 256 (2011); Schneider, supra note 49.

[134] HECKMANN, supra note 3, ch. 9, ¶¶ 68–72.

[135] Reinhard Müller, Verschwimmende Grenzen – Altes Recht und neue Medien: Brauchen wir eine neue Ordnung? [Blurred Borders – Old Law and New Media: Do We Need a New Order?], FAZ 10 (June 11, 2012).

[136] Thorsten Feldmann, Datenschutz und Meinungsfreiheit: Regulierung ohne BDSG [Data Protection and Freedom of Opinion: Regulation Without FDPA], ANWBL 250 (2011); Thilo Weichert, Datenschutz und Meinungsfreiheit: Regulierung im BDSG [Data Protection and Freedom of Opinion: Regulation in FDPA], ANWBL 253 (2011); Spiecker, supra note 133.

[137] Gröschel, supra note 99; Spiecker, supra note 133.

[138] Dix, supra note 98.

[139] HECKMANN supra note 3, ch. 9, ¶ 73.

[140] Ixquick, known in the U.S. as Startpage (both last visited July 13, 2012).

[141] Frank Koch, Schutz der Persönlichkeit im Internet: spezifische Gefährdungen [Protection of Personhood in the Internet: Specific Dangers], DER IT RECHTSBERATER 158 (2011).

[142] Gröschel, supra note 99.

[143] Spiecker, supra note 133.

[144] Schneider, supra note 49.

[145] Bundesrat Drucksache 156/11, June 17, 2011.

[146] Christopher Brosch, Die Umsetzung der Cookie-Richtlinie [The Transposition of the Cookie Directive], AnwZert ITR 16/2011, Anm. 2 (by subscription).

[147] Id.

[148] Proposal for a Regulation of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Protection Regulation), COM (2012) 11 final (Jan. 15, 2012).

[149] Bundesbeauftragter für den Datenschutz und die Informationsfreiheit, Europäischer Startschuss für die Datenschutzreform [European Starting Shot for Data Protection Reform] (May 7, 2012).

[150] Interview with Thilo Weichert, supra note 119 (translation by author).

[151] Verfassungs- und Europa-Ausschuss, Widerstand gegen die geplante EU-Datenschutzverordnung [Bavarian Parliament, Opposition to the Planned EU Data Protection Regulation], BAYERISCHER LANDTAG (Mar. 1, 2012).



Last Updated: 12/30/2020