Recent developments in legislation on data protection and data security
1. Status Quo
The status quo of data protection legislation in Europe (and Germany) is inconsistent.
On the one hand, the topic is more than prominently covered in all the media, political initiatives are launched more or less every day, and even on the trains leading to CeBIT the German Federal Ministry of Food, Agriculture and Consumer Protection informs visitors to the fair about the importance of data protection.
On the other hand, Germany (together with some other European states) is shaken not only by scandals of all kinds arising from the abuse of personal data, but also by diverse legal battles and initiatives in the area.
1. The German Constitutional Court, inventor of the fundamental right to data protection in Germany in 1983 ("Recht auf informationelle Selbstbestimmung", the right to informational self-determination), is becoming more and more a key player in the game. The Court (decision of 27 February 2008 - 1 BvR 370/07; 1 BvR 595/07) identified a new fundamental right to privacy and security in IT ("Grundrecht auf Schutz der Vertraulichkeit und Integrität informationstechnischer Systeme", the fundamental right to protection of the confidentiality and integrity of information technology systems) and on that basis declared a local law on online forensics a violation of the Constitution early last year.
This year the Court is again at the center of international attention, as it needs to decide on a claim brought by more than 30,000 individuals against the German implementation of Directive 2006/24/EC on the retention of traffic data. In two preliminary decisions the Court has already quite clearly expressed its concern about the national provisions (1 BvR 256/08). How the Constitutional Court finally decides on the constitutionality of the national rules on data retention will be of more than just German relevance.
A short time ago the Constitutional Court set limits on the legislator's activities in a different IT area as well. In a decision dated 3 March (2 BvC 3/07, 2 BvC 4/07) the Court announced that the use of computers for election purposes requires that the voting process be verifiable and transparent without any specific knowledge of IT. The Court therefore declared a regulation on electronic voting machines unconstitutional.
2. Despite these caveats from the Court, the German Government has again become very active with different initiatives in the area. Two draft laws were launched, both of them intending to change the Federal Data Protection Act (BDSG). In a draft dated 10 October 2008 (BT-DS 16/10529) the Government addresses the issue of scoring and information on creditworthiness. The transfer of data to institutions dealing with information on creditworthiness shall be limited. A data subject shall have the right to ask for extensive information about the scores he received and the technical algorithms leading to these scores.
In a second initiative the Government started to limit the exchange of basic address data of German citizens. In the future it shall be much more difficult for German companies to target advertisements and PR activities at potential clients. A (very general) law on data security audits is also in the preparatory phase.
3. The German Government didn't restrict its activities to a reform of data protection law in the strict sense. It also reformed the Federal Law on the Federal Criminal Police Office (Bundeskriminalamt). In December 2008 the use of all kinds of malware became legal: Art. 20k of the Law gives the Agency permission to use malware for forensic purposes ("The Federal Criminal Police Office may, without the knowledge of the person concerned, intervene by technical means in information technology systems used by the person concerned and collect data from them [...]"). The technical solutions necessary for the intrusions shall be provided, of all possible institutions, by the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI). A reform of the law regulating the activities of the Federal Office for Information Security is therefore on the way as well. The draft, written by the Ministry of the Interior (http://www.bmi.bund.de/...), will clearly have as an outcome that the BSI has to support the police in performing their duties. Malware written not by hackers or criminals but by a state authority is clearly a new development in IT security, one that weakens trust and security.
2. Short analysis
The German data protection policy is paradoxical. It is chic to discuss data protection and to be "pro data protection" on the surface.
But priorities are neither properly discussed nor defined, and some of the most fundamental principles of data security and data protection are therefore constantly ignored.
To point out just four basic truths:
- The best way to protect personal data is not to collect them. Instead, the legislation on the retention of traffic data leads to the storage of vast amounts of sensitive personal data of every German (and European) citizen.
- An agency in charge of data security shall be independent and in charge of data security only. Instead, the BSI will have to participate in (legal) attacks against data security measures on a regular basis.
- Data protection and data security are a matter of consciousness and awareness. This consciousness and awareness needs to be strengthened not only by political statements but by a legal framework supporting and strengthening data protection. The opposite is the case when (relatively) minor issues are addressed in the draft laws and major issues (like the data protection of employees) are postponed.
- IT is a global phenomenon. The net interprets national regulations "as damage and routes around it" (John Gilmore). Therefore the measures taken need to be aligned across Europe (at least).
EICAR will continue to closely monitor the legal developments in the area in Germany and Europe. More basic legal analysis is needed that also evaluates the economic implications of the measures taken.
A position paper on data protection and data security will be published in the first half of 2009, attempting to evaluate the whole picture.