Telecommunications is a core industry

Data protection officer: The core area of ​​privacy must also be taken into account when monitoring telecommunications

While security politicians such as the British Interior Minister Charles Clarke are putting all civil rights to the test in view of the increased Islamist terrorist attacks in the current situation, data protectionists and politicians in this country are speaking with the tailwind from Karlsruhe after the ruling on preventive telecommunications surveillance by the Federal Constitutional Court for a rule of law examination of numerous in The powers of the security authorities have continuously expanded over the past few years. Even in sensitive issues such as the retention of all connection and location data in the telecommunications sector pursued in Brussels for months and years or in the planned equipping of the Federal Criminal Police Office with preventive powers, rowing back is the order of the day.

On their black list are not only police and constitutional protection laws of the federal states, but also the general regulations on telephone tapping in the so far only poorly patched law on preventive surveillance by the customs criminal investigation office or in the code of criminal procedure. While the Federal Ministry of Justice wants to examine the judgment in detail first, members of the Bundestag are more quickly at hand with demands. "We are committed to ensuring that Germany does not remain the world tapping champion," plead the green parliamentary group spokesmen Silke Stokar and Jerzy Montag for restrictions on the use of the wiretapping club. The FDP domestic politician Max Stadler also believes that it is important to "cut back wild growth." His party colleague and ex-Justice Minister Sabine Leutheusser-Schnarrenberger calls for a "rethink" in politics and the police. Telephone surveillance "assumed insane proportions" with over 30,000 measures in this country in 2004. The Lower Saxony FDP initially supported the police law in question.

According to the Frankfurt lawyer Patrick Breyer, the constitutional court fell short of expectations in parts. He criticizes, for example, the announcement that "citizens are not dependent on telecommunications for highly personal communication in the same way as they are on an apartment". It is misunderstood here that one can often no longer do without telecommunications for confidential discussions these days. What is to be welcomed, however, is the statement that "measures to avert danger that interfere with the civil liberties require a specific risk situation." A purely precautionary surveillance in the dark "in a time of political security hysteria" is a "milestone for safeguarding our freedom". In view of the heated debate, Stefan Krempl asked the Federal Data Protection Commissioner Peter Schaar for c't currently about his assessments of the judgment.

c't: What exactly did the Federal Constitutional Court decide on preventive telecommunications surveillance and how far do the consequences go?

Peter Schaar: The Federal Constitutional Court declared the law to be incompatible with the constitution in almost every respect. It says that it is not definite enough, that it is not standardized enough and that it is also disproportionate. The options for intervention were formulated in such a general way that it remained largely unclear whether a person falls into this area of ​​application or not. On the one hand, the law contains unclear definitions with regard to the respective criminal offenses that could be monitored. In addition to offenses of major importance, reference is also made to offenses that correspond to them. And in addition, not only the suspects, but also contacts and escorts were included. The Federal Constitutional Court has conceded this broad field of application.

c't: What does that mean for the police and constitutional protection laws of other federal states, which are very similar?

Crowd: First of all, this means that countries that already have comparable laws, in particular Thuringia, must change them immediately. In addition, of course, those legislators who - as in Bavaria - deal with new regulations in the police and constitutional protection area must adhere to the constitutional requirements. In this context I would like to refer once again to a decision by the Saxon Constitutional Court last week on the Saxon Constitutional Protection Act, in which a judgment was made on acoustic living space surveillance for preventive purposes. This was also collected. Both courts have emphasized the absolutely protected core area of ​​privacy in their decisions. The Saxon constitutional judges have also once again expressly pointed out that the powers of the police and intelligence services must not be inadmissibly mixed up. The separation requirement between the two security areas has thus been strengthened.

c't: On the subject of the intimate core area: This protective regulation from the judgment of the Federal Constitutional Court on the large eavesdropping attack has now been partially transferred to telecommunications surveillance.

Crowd: The Federal Constitutional Court says that this core area can also be affected in telecommunications surveillance and must be protected. We privacy advocates have taken this point of view differently than some representatives of the security authorities - since the ruling on the great eavesdropping attack. However, the Federal Constitutional Court has also admitted that telephone surveillance is a different type of intervention than the great eavesdropping attack, so that the measures required there, especially for the collection ban, cannot be transferred one-to-one. But here, too, the principle applies that monitoring of intimate content should be avoided. In any case, a very strict regulation regarding the destruction and non-utilization of the records relating to the core area is also required for telephone monitoring. In this respect, I also see a need for improvement in the area of ​​telephone monitoring.

c't: Are regulations at the federal level also affected, in which primarily the rules for telecommunications surveillance are specified?

Crowd: Of course, I also see the need to subject the powers to monitor telecommunications in accordance with the Code of Criminal Procedure to a critical review in the light of the case law of the constitutional court. That means, of course, that one has to ask whether the very extensive catalog of criminal offenses that currently justifies telecommunications surveillance is really proportionate. And secondly, the regulations on backups, in particular on the destruction and non-utilization of the relevant documents and the notification of those affected, must also be scrutinized.

c't: The preventive surveillance is not completely excluded by Karlsruhe. What are the current requirements for this in the Code of Criminal Procedure?

Crowd: Especially in the area of ​​organized crime and in cases where terrorist organizations at home or abroad are the subject of criminal investigations, planning itself is a criminal offense. In this respect, the provisions of the Code of Criminal Procedure for telecommunications surveillance apply here. Against this background, I cannot understand at all that the Lower Saxony Minister of the Interior is saying that the decision of the Federal Constitutional Court would make the fight against terrorism more difficult. This seems to be a key argument that fits in any lock right now.

c't: With similar prevention reasons, the Brussels plans of the EU Council and Commission to introduce an obligation to store connection and location data (http://www.heise.de/ct/aktuell/meldung/62048) justified in the telecommunications sector.

Crowd: The status of the Commission's paper is not yet entirely clear to me. So I don't want to comment on it yet. The final draft directive must first be on the table, on which we, as the Article 29 group of European data protection officers, will comment. However, the discussion about data retention in connection with the possible framework decision of the Council of Ministers has been going on for some time. Here I have great doubts about the proportionality of such a project. Especially with regard to the fact that the majority of the completely innocent would be affected. We are talking about 99.9 percent of those affected. I strongly advocate the alternative model that is practiced in the USA: "Quick Freeze", ie the storage of connection data in the event of a specific suspicion.

c't: If there is a decision in Brussels on data retention, could Germany even implement such a decision in view of the current ruling?

Crowd: I interpret the fact that the Commission is now taking action in this area to mean that it assumes that the European Parliament has a say and that a Council framework decision is not enough. I welcome that because, according to my understanding of democracy, such encroachments on fundamental rights always require parliamentary legitimation. I have heard from the European Parliament that they strongly support the position of the data protection officers with regard to the conformity of such a measure with fundamental rights. If an effective directive were to be found, the question would indeed arise of where the national parliaments would then be able to make decisions. If necessary, this question would have to be decided by a constitutional court. Other decisions of the Federal Constitutional Court would then have to be used, such as the European arrest warrant. The Federal Constitutional Court said that the regulations are not in accordance with the German constitution, not least because there is no corresponding protection of fundamental rights at European level. The binding catalog of fundamental rights will only come into force with the European Constitution, which is currently on hold. A comparable constellation could also arise in the case of data retention.

c't: According to the published draft for the corresponding directive of the commission on data retention, retention periods of six months for the Internet area and 12 months for the telephone sector are provided. Would that be a compromise line?

Crowd: In terms of content, I can currently only comment on proposals that generally go in this direction. Any compulsory data storage for purposes beyond billing or the operation of services means misuse of data that was originally collected for completely different purposes. The longer the deadline, the stronger the constitutional doubts. I already see a minimum of six months of storage as problematic. With a one-year storage period, however, there are even greater constitutional problems than with half a year, where one could perhaps say that this is within the scope of what is required for the regular processing of telecommunications bills. But with the Internet and especially when it comes to flat rates, this six-month storage would also be a considerable encroachment on fundamental rights.