EPIC --- Privacy and Human Rights Report
Federal Republic of Germany
Article 10 of the Basic Law (or Grundgesetz, the German Constitution) states: "(1) Privacy of letters, posts, and telecommunications shall be inviolable. (2) Restrictions may only be ordered pursuant to a statute. Where a restriction serves to protect the free democratic basic order or the existence or security of the Federation, the statute may stipulate that the person affected shall not be informed of such restriction and that recourse to the courts shall be replaced by a review of the case by bodies and auxiliary bodies appointed by Parliament."
In a 1983 case against a government census law, the Federal Constitutional Court formally acknowledged an individual's "right of informational self-determination," which is only limited by the "predominant public interest." The central part of the verdict stated, "Who can not certainly overlook which information related to him or her is known to certain segments of his social environment, and who is not able to assess to a certain degree the knowledge of his potential communication partners, can be essentially hindered in his capability to plan and to decide. The right of informational self-determination stands against a societal order and its underlying legal order in which citizens could not know any longer who what and when in what situations knows about them." This landmark court decision derived the "right of informational self-determination" directly from Articles 1(1) and 2(1) of the Basic Law, which declare personal rights (Persönlichkeitsrecht) to freedom are inviolable. Attempts to amend the Basic Law to include a right to data protection were discussed after reunification, when the Constitution was revised, and were successfully opposed by the then-conservative political majority.
Germany has one of the strictest data protection laws in the European Union. The world's first data protection law was passed in the German Land of Hessen in 1970. In 1977, a Federal Data Protection Act (Bundesdatenschutzgesetz or BDSG) followed, which was reviewed in 1990 and amended in 1994 and 1997. The final major revision took place in 2002 to bring it in line with the EU Data Protection Directive. The general purpose of this Act is to protect the individual against his right to privacy being impaired through the handling of his personal data. The Act covers collection, processing and use of personal data by public federal authorities and state administrations (as long as there is no state regulation and insofar as they apply federal laws), and by private bodies, if they rely on data-processing systems or non-automated filing systems for commercial or professional use. The majority of federal statutes that have an impact on personal information and privacy contain references to the Federal Data Protection Act if they do not carry special sections on the handling of personal data themselves.
The 2001 revisions to the BDSG include regulations on personal data transfers abroad, video surveillance, anonymization and pseudonymization, smart cards, and sensitive data collection (relating to race or ethnic origin, political opinions, religious or philosophical convictions, union membership, health, and sexual orientation). It grants data subjects greater rights of objection. It also states that, apart from public bodies, private companies are now also required to appoint a data protection officer if they collect, process, or use personal information. Without this responsible person, each introduction of automated data processing must be registered with the Federal Commissioner for Data Protection and Freedom of Information (BfDI). The BDSG also provides that consent from the individual whose data is collected is required after full disclosure of data collection and its consequences. The German Parliament renewed its request for secondary legislation on auditing requirements.
A general revision of the BDSG has been considered for 2005, but the legislative process is still ongoing. Although an expert report on the modernization of the data protection law was published in 2001, there has been no visible legislative progress. This reputable report recommends reducing the number of laws governing specific details of privacy protections and creating one general statute, which would only refer to more detailed regulations where necessary. An ideal statute would provide general rules about the use of privacy-friendly techniques, data security, privacy standards, control of data processing, and self-regulation tools. On February 17, 2005, the German Parliament (Bundestag) called upon the government to swiftly submit a draft for a Federal Data Protection Act incorporating these recommendations.
All of the sixteen Länder have their own specific data protection regulations that cover the public sector of the Länder administrations. All Länder have adopted new data protection laws pursuant to the EU Data Protection Directive. Each Land also has a data protection commissioner to enforce the Länder data protection acts. Moreover, it falls within the competence of the Länder DPAs to supervise the compliance of the private sector with the Federal Data Protection Act. The federal and Länder data protection officers hold conferences on a regular basis to exchange information and issue common statements.
Another important federal law in Germany is the G-10 Law, which imposes limitations on the secrecy of certain communications as provided in Article 10 of the Basic Law (Grundgesetz). Under the G-10 Law, parliamentary control commissions, established at the federal and Länder levels, supervise the surveillance powers of intelligence agencies. As amended in 1994 by the Crime Fighting Law (Verbrechensbekämpfungsgesetz), the G-10 Law allows warrantless automated wiretaps of international communications by the Intelligence Service (BND) for purposes of preventing terrorism and illegal trade in drugs and weapons. In July 1999, the Federal Constitutional Court upheld the screening method authorized under the G-10 Law. The Law was amended in 2001 to require that electronic communications service providers give intelligence agencies the means to monitor data as well as voice lines. DPAs complain that after a G-10 measure any notification of the person concerned is dispensable if the data is ready for deletion.
Direct marketing issues are addressed by Section 7 of the German Unfair Competition Act. According to its general clause, it is unfair to annoy market players, e.g., consumers, inappropriately. By default this applies to clearly unwanted advertisements, unsolicited commercial phone calls, marketing methods making use of automated calling machines, fax machines or e-mail (spam) without prior consent, and any direct marketing that cannot be linked back to the sender's identity. Direct marketing via e-mail is not prohibited as spam under the conditions that (1) an organization has received the e-mail address in the context of selling goods or services to the customer; (2) the organization uses the e-mail contact for marketing of very similar products and services; (3) the customer has not opposed the use of his e-mail for further direct marketing; and (4) the organization, at the time of the collection and at each usage of the e-mail address, clearly sets out the right to opt out from direct marketing via e-mail. Cold calling of consumers is a violation of Unfair Competition Law.
Germany has no workplace privacy law because the Federal Government has not yet come up with draft legislation on the subject, although the German Parliament has requested it several times. The Federal Data Protection Officer, Peter Schaar, also cites a need for a data protection statute regarding the use of employees' personal data in the context of the monitoring of web surfing and the protection of the employers' computer systems against viruses and spam.
The Federal Commissioner for Data Protection and Freedom of Information (Bundesbeauftragter für den Datenschutz, or BfDI) is an independent federal agency that supervises the Federal Data Protection Act (BDSG) as well as the Federal Freedom of Information Act. Its chief duties include monitoring the compliance with the provisions of the BDSG by public bodies of the Federation, receiving and investigating complaints, as well as submitting recommendations to parliament and other governmental bodies. The BfDI publishes a biannual activity report. However, the number of controllers is steadily decreasing as federal agencies, in compliance with the 2001 changes to the Act, appoint in-house data protection officers, as an alternative to registration under the Act. The BfDI, which has 70 people on staff, handles about 5,516 written and oral complaints (an increase of 28%) and carries out approximately 75 investigations each year. In 2006 an amendment to the BDSG raised the threshold number of employees that make a company data protection officer mandatory from four to nine. This change has significant impact, because many small companies who were previously obligated to have a privacy officer are no longer required by statute to have one.
Service providers are legally compelled to request the name and address of new customers to which they allocate a telephone number, even though they only use prepaid services. Telecommunications operators providing publicly available services are also mandated to provide – at their own expense – the technical facilities required to implement telecommunications interception for law enforcement purposes. The Telecommunications Interception Ordinance of January 22, 2002, which lays out specific technical requirements, remains in force until its successor is issued by the German government under the Telecommunications Act of 2004 (TKG). A few proposals for this law have already been circulated. However, there is still much discussion about how to include Voice over IP. Also, telephone monitoring has been on the increase since 1995, when there were 4,674 instances of monitoring, up to 35,329 in 2006. The previous figures only include those warrants that were newly issued; the total number of instances of monitoring in 2005 was 42,508. Four out of five wiretaps monitor cell phones. This renewed rise of interventions in secret communications causes the federal commissioners great concern for data security. For years, the commissioners have appealed to prosecution authorities to use this means sparingly.
As prescribed by the EC Directive on Privacy and Electronic Communications, the TKG 2004 sets out the requirements for the processing of location data, either anonymously or with the subscriber's consent, for the provision of location-based services. It is up to the subscriber to inform any co-users of all such consent given. In the case of "Track your Kid" services, parents consent to give up their child's data protection because they are the subscribers, whereas the child is the user of the mobile phone. Apart from content, all positive and negative (e.g. the unsuccessful attempt to call) circumstances of telecommunications are protected as telecommunications privacy. Service providers are required to protect their users' personal data and telecommunications privacy. The collection and use of traffic data is strictly limited to: (1) charging and billing, (2) remedying malfunctions in telecommunications systems, (3) detecting telecommunications service fraud, and, with the consent of the data subject, (4) marketing and customizing services for service providers' subscribers, as well as providing value-added services. The TKG was last amended on February 18, 2007.
The Telemedia Act (TMG) was passed in March 2007, and applies to “webshops, mobile commerce, newsgroups, music download platforms, video on demand (VOD), internet search engines, emails and even simple company websites, but not to live-streaming of video, web-casting, IPTV (Internet Protocol TV) or VoIP (Voice Over Internet Protocol - internet telephony).” Telemedia service providers must inform users about the "character, extent and reason" of the collection and processing of user-related data. Service providers are required under the TMG to produce user data, such as user names or addresses, upon request of the German secret services. Further, user data may be demanded if necessary for the enforcement of intellectual property rights.
In March 2006, the EU adopted the Data Retention Directive that mandates the retention of telecommunications data for a period of 6 months to 24 months. The implementation of the European Data Retention Directive is currently at the status of a governmental draft (Kabinettsentwurf). The draft legislation would require data retention for 6 months. Access to retained data is given only with a warrant issued by a judge, and only if the authorities investigate a crime in the list enumerated in the proposal. However, the list also covers offences not covered by the directive, such as those committed via telecommunication. This will effectively include the possibility of accessing the retained data in cases of copyright violations via peer-to-peer networks as well. At the same time, direct access to the data by copyright holders is being discussed under the implementation of the EC law enforcement directive. The draft also aims at complying with the Cybercrime Convention. The current proposal aims at entering into force on January 1, 2008, thus not making use of the extended implementation period that the EU Directive offers for Internet-related data.
A significant public movement against data retention has been formed, with some thousand people attending demonstrations, and about 10,000 people declaring that they will be filing a case before the Constitutional Court, which is quite extraordinary, since the procedures do not allow for class action suits. The Arbeitskreis Vorratsdatenspeicherung (German Working Group on Data Retention) is an association of civil rights campaigners, data protection activists and Internet users. The Arbeitskreis is coordinating the campaign against the introduction of data retention in Germany. Strong concerns on the compliance with constitutional provisions have been raised even by the scientific service of the parliament. Prior decisions suggest that the German Constitutional Court could declare itself incompetent due to the fact that the law is necessary to comply with a European Directive.
The so-called "Grosser Lauschangriff" ("Big Eavesdropping Attack") formed part of the Law for the Enhancement of the Fight against Organized Crime, which became effective in 1999, and was intended to provide the legal basis for police to survey potential criminals. In April 1998, Article 13 of the Constitution (Grundgesetz) that provides for the inviolability of private homes was amended in order to allow police authorities to place bugging devices in private homes (provided there is a court order).
In March 2004, the German Federal Constitutional Court ruled that significant portions of the eavesdropping Law infringed the Constitution, or Basic Law, especially Article 1 on human dignity and Article 13 on the inviolability of private homes. The court held that certain communications are protected by an absolute area of intimacy wherein citizens can communicate privately without fear of government surveillance. This includes conversations with close family members, priests, doctors and defense attorneys, but excludes conversations about crimes that have already been committed or the planning of future crimes. However, to justify surveillance between the target and such persons of trust, the government must show that "there is strong reason to believe that the content of conversation does not fall in the area of intimacy," and that the crime is "particularly serious." Once a specially protected conversation begins, the eavesdropping must stop immediately and any recordings of that portion of the conversation must be erased. The German legislature was granted a transitional period until June 2005 to comply with the court's decision, and in May 2005 the German Bundestag passed legislation to comply with the court.
In 2001, the Bundestag (the German Parliament) passed a law that added to the Criminal Procedural Code (StPO) further means of investigation into electronic communications. It serves as the legal basis for police and law enforcement to access "telecommunications connection data" for the investigation of serious crimes. The law took effect in January 2002 and requires telecommunications service providers to disclose data, such as time and duration of use, place of use and identifying numbers. In October 2004, the Parliament extended its application until January 1, 2008, together with a request to the Federal Government (Bundesregierung) for a detailed report until June 30, 2007, containing causes, results and the exact number of measures taken under this law. The report is not yet available. According to a survey, 75 percent of conducted telephone wiretapping actions violated the law. In most instances of wiretapping, law enforcement agencies did not inform the subjects after the eavesdropping took place, contrary to what is stipulated by the law.
In 2004, a new regulation of the German Criminal Code (§201a StGB) took effect. This regulation protects private life against the invasion of privacy by the taking of pictures of persons in their apartments or other protected areas, e.g., changing cabins. Furthermore, publishing and distribution of such photographs on the Internet is punishable as a criminal offense.
In April 1998, a law was passed that allows the Bundeskriminalamt (Federal Police) to run a nationwide database of genetic profiles related to criminal investigations and convicted offenders. One month later, the Bundespolizei (Border Protection Forces), originally a paramilitary border police force but now responsible for securing and controlling borders, as well as working in foreign embassies, received permission to check persons' identities and baggage without any concrete suspicion.
Germany also implemented in the StPO the possibility of using a so-called IMSI-Catcher system to track individuals through the location of their cell phones. The law, which entered into force on August 14, 2002, provides law enforcement with the ability to obtain, upon court request and from the time it is granted, the data of individuals' movements and their cell phone device number (IMEI number - International Mobile Equipment Identity) for a period of up to six months. A mobile phone can further be located with silent SMS, which is covered by general investigation powers in criminal cases. Silent SMS means that an empty message is sent to a mobile phone, which allows for some approximation of its whereabouts, but it does not report itself to the respective user.
The Federal Constitutional Court (Bundesverfassungsgericht) has ruled that the police may use GPS technology to track suspects driving motor vehicles in cases of serious crimes even without a judicial warrant. The Court approved §100c StPO to be consistent with the Constitutional principle of clarity and definiteness and when allowing police to use "all technical observational means" to investigate suspicious behaviour that might be considered a crime of substantial significance. However, the Court stressed that Parliament had to monitor the fast technological developments in this field and may have to correct laws if the risks for fundamental rights caused by technical surveillance increase. Parliament also has to ensure by procedural rules that law enforcement agencies (e.g. from different Länder or the Federal level) do not subject citizens to uncoordinated surveillance measures. The "additive effect" on fundamental rights has to be kept in mind.
In 2005, a new system to electronically collect tolls for trucks using the national highways was launched. The system tracks vehicles through GPS (Global Positioning System) and cellular phone networks. According to a common standpoint of the DPAs in 2001, the Federal government implemented special data protection measures in the laws governing toll systems: data collection and processing is limited only for the purpose of billing; all data must be deleted after the payment; and all data collected from vehicles that are not subject to a toll must be immediately deleted. After a series of murders allegedly committed by the same offender, there are now plans by the government to abolish these restrictions. If law enforcement could have access to the data, the movement of almost all cars and trucks on German highways could be monitored.
German authorities have also recently proposed implementation of a video surveillance system at toll collection points, to ensure that trucks from other countries are paying the proper tolls on the autobahn. Video footage would be compared against a central database. Privacy and data security groups have protested this proposal, citing the possibility for using the data for purposes other than toll-collection. Indeed, although this surveillance data is only supposed to be used for toll-collection and enforcement purposes, the German police recently gained access to the data when trying to locate a stolen garbage truck. The Federal Government (Bundesregierung) recently stated that it is not aware of any access by law enforcement to information of the toll system. Independently from the toll system, in the State of Hessen the new Police Law of December 2004 permits the electronic scanning of vehicles' number plates that are then automatically matched with a database of searched vehicles.
There are several other video surveillance projects in Germany that have generated a response from privacy and data protection advocacy groups. For example, a private group called Der Grosse Bruder (Big Brother) has created a map of Munich, highlighting all the video surveillance cameras installed there. In 2003, the Humanistische Union (Humanistic Union) sued a Berlin shopping center employing a video surveillance system with a range of vision that included a public street. In Weimar, Germany, a local newspaper protested the installation of video surveillance cameras that watched the entrance of a newspaper building (along with medical and political offices), and the local government eventually uninstalled the cameras. Public debate on camera observation was heightened by the revelation that a museum’s security camera could see into chancellor Angela Merkel's private flat in Berlin. Upon discovery, the mechanism of the camera was changed to reduce the angle of observation.
In May 2003, the German retail giant Metro started a trial project to introduce a new cashing and customer convenience program with small chips, called Radio Frequency Identification (RFID) chips, at their Metro Future Store. The chips will be attached to all products. When queried by a radio device, RFID chips respond by transmitting a unique ID code. It therefore allows customers to pay and checkout automatically by pushing a loaded trolley past a sensor. Combined with an automatically readable customer client card, the system would allow the tracking of all purchases and the linking to the customer's identity. Metro claimed that the RFID chips could easily be deactivated, thus erasing any privacy invasions, but their process for deactivation leaves intact the unique identifying number on the RFID chip, so even "deactivated" cards can be traced back to their origin. In March, 2004, Metro halted the trial program in response to protests from digital rights groups regarding possible privacy violations. Outcry was particularly forceful upon discovery that Metro had placed RFID devices in their "Extra Future Card" (personal customer shopping card) without notifying consumers. This use of RFID was uncovered by a German NGO called FoeBuD by taking X-ray photos of the card. FoeBuD also staged two protests, one in front of the Metro Future Store and one at a "pro-RFID" conference, and has recently been granted money by the Bewegungsstiftung (a German group which supports and promotes social movements and reform projects) to develop the "privatizer," a small device which consumers could use to find hidden and embedded RFID chips in consumer products. In a recent speech, the Federal Data Protection Commissioner pointed out the privacy implications of RFID, and called on the legislature to make provisions on RFID tags.
RFID-chipped tickets for the 2006 Football World Cup in Germany enabled authorities to track the movements of the individualized spectator during the event. The application forms for tickets required a large amount of personal information, i.e., passport number, nationality, and day of birth. This was subsequently upheld by the courts.
Germany was among the first states in the EU to introduce the new biometric passports, following the EU Council Regulation on standards for security features and biometrics in passports and travel documents issued by the Member States. Since November 1, 2005, the German passports contain RFID chips with facial images, and beginning November 1, 2007, the chips will also include fingerprints. After much debate between the ruling coalition parties (Social Democrats and Christian Democrats), it was decided to store the fingerprint data neither in a central nor in local databases. Subsequent to the production of the passport, the manufacturer and local authorities are obliged to delete the data. Furthermore, this also applies after every verification process. Apart from the short-term processing of the data in specific control situations, the fingerprints are thus only to be stored in the German passport itself and not in any databases of public authorities.
The Federal Labour Court (Bundesarbeitsgericht) ruled that the use of biometrics at entrance controls of workplaces is subject to compulsory employee participation (Mitbestimmung) and thus only legal after approval of the respective workers’ council or arbitration board. Importantly, this also applies if the biometric system is placed at the premises of a third party (e.g. the customer of a service company), when the employer instructs his/her employees to use the system.
On January 1, 2006, the Federal Freedom of Information (FOI) Act entered into force, thereby closing the gap in transparency between Germany and all other Member States of the European Union (except Cyprus, Luxembourg, and Malta). FOI legislation had been proposed for five years but the administration had been reluctant to agree on a draft statute. Eventually, Members of Parliament from the ruling coalition parties grew impatient for a draft and presented their own. The draft was followed by an intense debate in the German Parliament (Bundestag) and among legal scholars that particularly focused on the exceptions included in the Act. Much criticism focused on the fact that information can be rather easily excluded from disclosure on grounds of public security and fiscal interests of the government. Personal data will only be disclosed if the information interest outweighs the interest of the data subject. Importantly, information containing intellectual property or business secrets is completely excluded from the ambit of the Act. The Federal Commissioner for Data Protection and Freedom of Information enforces the FOI Act.
Eight of the Länder already have their own FOI laws in effect. The Land of Brandenburg has the right of access to governmental records in its constitution and adopted a FOI law in 1998. Later, Berlin, Schleswig-Holstein, Nordrhein-Westfalen, Hamburg, Bremen, Mecklenburg-Vorpommern, and Saarland also adopted FOI laws.
Germany is a member of the Council of Europe and has signed and ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (Convention No. 108) and later signed an Additional Protocol to this convention. It has also signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms (Convention No. 005). In November 2002, Germany signed the Convention on Cybercrime but has not yet ratified it. It is a member of the Organization for Economic Cooperation and Development (OECD) and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.
 Peter Schaar also questions proposals to reform the Electronic Signature Statute, which the Parliament wants to change to require all certification centers to disclose the identity of all signature key owners to law enforcement, intelligence, or tax agencies upon request. The law as it stands merely stipulates the disclosure in cases where the signature owner is using a pseudonym. Peter Schaar, supra.
Parliament Decision of September 5, 2005, available at
description of the duties of the Federal Data Protection Commissioner available
 "20. Taetigkeitsbericht 2003/ 2004," available at <http://www.bfd.bund.de/information/20tb_broschuere.pdf>.
 E-mail from Ulrich Dammann, Bundesbeauftragte für den Datenschutz, to Christian Schröder, Law Clerk, Electronic Privacy Information Center, April 4, 2003 (on file with EPIC).
 BfDI, Tätigkeitsbericht (Bi-Annual Report) 2005-2006, April 24, 2007 at 160, available at <http://www.bfdi.bund.de/cln_030/nn_531940/SharedDocs/Publikationen/Taetigkeitsberichte/21-Taetigkeitsbericht-2005-2006,templateId=raw,property=publicationFile.pdf/21-Taetigkeitsbericht-2005-2006.pdf>.
 German Parliament Decision of August 22nd, 2006, available at <http://www.bgblportal.de/BGBL/bgbl1f/bgbl106s1970.pdf>.
"Telefonüberwachung: Keine Steigerung in 2006", Bundesnetzagentur, Press Release of February 26th, 2007, available at
 "Überwachung der Telekommunikation hat erneut zugenommen", heise online, October 19th, 2006, available at <http://www.heise.de/newsticker/meldung/79738>.
 Press information 12/05 of the Federal Data Protection Commissioner (Bundesdatenschutzbeauftragter) of March 31, 2005, "Telefonüberwachungen auch 2004 wieder stark gestiegen".
Telecommunications Act 2004, available at
 Response of the German government (Bundesregierung) of January 26, 2005, to parliamentary question, reference number (Drucksache) 15/4725.
Kreig, “German Telemedia Act introduces new rules for New Media,” Bird & Bird Articles, March 5, 2007, available at
 EDRi-Gram, Number 5.8, April 2007, available at <http://www.edri.org/edrigram/number5.8/germany-data-retention>.
 "Stellungnahme zum Regierungsentwurf für eine Gesetz zur Neuregelung der Telekommunikationsüberwachung und anderer verdeckter Ermittlungsmaßnahmen sowie zur Umsetzung der Richtlinie 2006/24/EG" of June 20th, 2007, available at <http://wiki.vorratsdatenspeicherung.de/images/StN-E_19-06-2007.pdf>.
 "Zulässigkeit der Vorratsdatenspeicherung nach europäischem und deutschem Recht", Scientific Services of the German Parliament of August 8th, 2006, available at <http://www.bundestag.de/bic/analysen/2006/zulaessigkeit_der_vorratsdatenspeicherung_nach_europaeischem_und_deutschem_recht.pdf>.
Constitutional Court (Bundesverfassungsgericht) decision of March 3, 2004, reference number: 1 BvR 2378/98, available at
 Basic Law for the Federal Republic of Germany, I. Basic Rights, Articles 1, 13, available at <http://www.bundesregierung.de/en/Federal-Government/Function-and-constitutional-ba-,10222/I.-Basic-rights.htm>.
 C. Schröder, "Wiretap in Germany," German American Law Journal: American Edition (March 11, 2004), available at <http://www.recht.us/amlaw/2004/03/11>.
 University College of London, Faculty of Laws, Institute of Global Law, "German Legal News - Constitutional Law," available at <http://www.ucl.ac.uk/laws/global_law/legal-news/german/index.shtml?constitution>.
 "Änderungen beim großen Lauschangriff", Das Parlament, Nr. 20 of May 17th, 2005, available at <http://www.bundestag.de/dasparlament/2005/20/plenumundausschuesse/021.html>.
Bulletin, BGBL I 2001, 3879, available at
 Email from Jan Schallaböck, Unabhängiges Landeszentrum für Datenschutz, Germany, to Allison Knight, Research Director, Electronic Privacy Information Center, June 21, 2007 (on file with EPIC).
 Decision of the Parliament (Bundestag) of October 21, 2004, reference number 15/3349, 3971, available at <http://www3.bundesrat.de/coremedia/generator/Inhalt/Drucksachen/2004/0845_2D04_28zu_29,property=Dokument.pdf> (in German).
 "Dreiviertel aller Lauschangriffe rechtswidrig," Der Spiegel Online, January 9, 2003, available at <http://www.spiegel.de/politik/deutschland/0,1518,229958,00.html> (in German).
 "New Powers for the Border Police: Checks Anywhere at Any Time," Fortress Europe, FECL 56 (December 1998).
Tätigkeitsbericht – 2001/2002 at 54-55, available at
 Response of the Federal Government from January 26, 2005 to the questionnaire of the Parliament, available at <http://dip.bundestag.de/btd/15/047/1504725.pdf> (in German).
 Federal Constitutional Court (BVerfG), decision of April 12, 2005, reference number 2 BvR 581/01, available at <http://www.bverfg.de/entscheidungen/rs20050412_2bvr058101.html> (in German).
 Gesetz zur Änderung des Fernstrassenbauprivatisierungsgesetzes, BGBl. I 2002 Nr. 63, 3442, available at <http://126.96.36.199/BGBL/bgbl1f/bgbl102s3442.pdf>; Response of the Federal Government from January 26, 2005 to the questionnaire of the Parliament, available at
 E-mail from Bettina Winsemann, Staff Member, STOP1984, to the Electronic Privacy Information Center, July 9, 2004 (on file with
 Christiane Schulzki-Haddouti, "Fahnder wollen Daten aus LKW-Mautsystem" ("Investigators Want Data from Truck Mautsystem"), Heise online, October 31, 2003, available at <http://www.heise.de/newsticker/meldung/41560> (in German).
 Response of the Federal Government from January 26, 2005 to the questionnaire of the Parliament, available at <http://dip.bundestag.de/btd/15/047/1504725.pdf>, at 30 (in German).
 Heise News of December 15, 2004, "Hessen dehnt Polizeibefugnisse deutlich aus," available at <http://www.heise.de/newsticker/meldung/54298> (in German).
 Homepage at
 Munich Atlas at <http://dergrossebruder.org/main.php?id=74000>.
 Homepage at <http://www.humanistiche-union.de>.
 Stefan Krempl, "Urteil schränkt Videoüberwachung ein" ("Judgement Limits Video Monitoring"), Heise online, December 12, 2003, available at <http://www.heise.de/newsticker/meldung/43130> (in German).
 Peter Nowak, "Weimarer Provinzposse mit Kamera," Telepolis, October 27, 2003, available at <http://www.heise.de/tp/deutsch/inhalt/te/15950/1.html> (in German).
 "Wachleute filmten heimlich Merkels Wohnzimmer", Spiegel online of March 26th, 2006, available at <http://www.spiegel.de/politik/deutschland/0,1518,408015,00.html> (in German).
Future: Painless Checkout, Knowing Scanners," Reuters, May 14, 2003
 E-mail from Bettina Winsemann, Staff Member, STOP1984, to EPIC, July 12, 2004.
 "German Revolt Against RFID", The Register, March 1, 2004, available at <http://www.theregister.co.uk/2004/03/01/german_revolt_against_rfid/>.
 See FoeBuD, RFID web page at <http://www.foebud.org/rfid/>; Under § 6(c) of the BDSG, notice must be provided to data subjects of communications with "intelligent" RFID (devices with integrated processors), thus prohibiting secret reading or writing of personal information. However, Germany does not yet have any regulations specifically addressing "non-intelligent" RFID, which still create a privacy risk, as they can be linked to personal information held elsewhere without violating § 6(c). (E-mail from Christian Schröder, former Law Clerk with EPIC, June 18, 2004 (on file with EPIC).)
 FoeBuD, RFID web page available at <http://www.foebud.org/rfid/>.
 Bewegungsstiftung <http://www.bewegungsstiftung.de/>.
 E-mail from Bettina Winsemann, Staff Member, STOP1984, to EPIC, July 12, 2004 (on file with EPIC); See also "Funkchip-Kontrolle für Konsumenten" (Radio Chip Control for Consumers) <http://www.google.com/search?q=foebud+privatizer&ie=UTF-8&oe=UTF-8>.
 Peter Schaar (Federal Data Protection Commissioner), "Datenschutz als Verbraucherschutz: Neue Herausforderungen am Beispiel von Smart Chips und Kundenkarten," April 5, 2004, available at <http://www.bfd.bund.de/aktuelles/akt20040513.pdf>.
Ermert, "World Cup 2006 'Abused for Mega-surveillance Project'", The Register of February 8, 2005, available at
 Decision of September 1, 2006, 2-01 S 111/06.
 Council Regulation (EC) No 2252/2004 of 13 December 2004 on standards for security features and biometrics in passports and travel documents issued by Member States, Official Journal 2004 L 385, p.1.
 1 ABR 7/03, January 24, 2004, available at <http://juris.bundesarbeitsgericht.de/cgi-bin/rechtsprechung/document.py?Gericht=bag&Art=en&Datum=2004-1&nr=9713&pos=7&anz=40> (in German).
at <http://www.gesetze-im-internet.de/ifg/BJNR272200005.html> (in
 Draft of a federal Freedom of Information Law, available at <http://dip.bundestag.de/btd/15/044/1504493.pdf> (in German) and <http://www.freedominfo.org/news/germany/FOI_Ger_1204.pdf> (in English).
 German Parliament Decision of September 5, 2005 <http://www.bgblportal.de/BGBL/bgbl1f/bgbl105s2722.pdf>.
See for an overview
 FOI Brandenburg (Akteneinsichts- und Informationszugangsgesetz ("AIG"), 1998), available at <http://www.lda.brandenburg.de/sixcms/detail.php?id=68313&template=allgemein_lda> (in German).
 Council of Europe, Legal Affairs, Treaty Office at
 Council of Europe, Additional Protocol to the Convention for the Protection of Individuals with regard to the Automatic Processing of Personal Data, Regarding Supervisory Authorities and Transborder Data Flows, available at <http://conventions.coe.int/Treaty/EN/searchsig.asp?NT=181&CM=8&DF=>.
Council of Europe, Legal Affairs, Treaty Office at <http://conventions.coe.int/Treaty/en/Treaties/Html/005.htm>.
 Council of Europe, Convention on Cybercrime, available at <http://conventions.coe.int/treaty/EN/searchsig.asp?NT=185&CM=7&DF=09/01/02>.