Privacy & Information Security Law Blog

On September 5, 2013, the 16 German state data protection authorities and the Federal Commissioner for Data Protection and Freedom of Information (the “DPAs”) passed a resolution concerning recent revelations about the PRISM, Tempora and XKeyscore surveillance programs.

The DPAs were critical of the programs, indicating that more should be done to understand their scope, especially since the programs raise serious constitutional concerns in Germany. In particular, it remains unclear whether German federal authorities illegally shared personal data with other countries or used illegally obtained personal data for their own purposes.

In the resolution, the DPAs advocate the following actions:

• Develop and implement national, European and international laws to ensure that privacy is fully protected, and to guarantee telecommunications secrecy and the fundamental rights to informational self-determination, confidentiality and integrity of IT systems.
• Immediately cease any unconstitutional cooperation between intelligence services and prevent such activities going forward.
• Intensify the supervision of intelligence services by increasing the authority of parliamentary control committees, and review whether the DPAs should be involved in this process.
• Make more efforts to safeguard the fundamental rights to informational self-determination, confidentiality and integrity of IT systems, including by:
  • reviewing whether telecommunication connections should only be routed via networks within the EU;
  • building and supporting safe and anonymous ways of using telecommunications services (which encompasses ensuring that those who use encryption or anonymization are not at a disadvantage); and
  • creating a framework for the objective analysis and independent certification of hardware and software.
• Only enter into international treaties such as the EU-U.S. data protection agreement and the EU-U.S. free trade agreement if fundamental European data protection rights are sufficiently protected. This would involve allowing anyone whose data are misused to bring proceedings.
• Review the EU-U.S. agreement on passenger name records and the Terrorist Finance Tracking Program.
• Within the EU, ensure that any surveillance conducted by an EU Member State meets the minimum requirements of Article 8 of the European Convention on Human Rights (i.e., the right to respect for private and family life).