Western Europe

Balancing Privacy and Security in Germany

By Russell A. Miller
Tuesday, March 14, 2017, 10:32 AM

German Chancellor Angela Merkel and U.S. President Donald Trump might yet manage to meet in Washington this week despite winter storm Stella, which hobbled the capital and postponed Tuesday’s scheduled summit.  Many see this as an historic encounter between contending visions for the world’s future: “The great disrupter confronts the last defender of the liberal world order.”   

For all their differences, Merkel and Trump might commiserate over the difficulty their respective intelligence communities pose for them. Trump’s roiling relations with the CIA and FBI have been extensively and insightfully covered by Lawfare, but Merkel’s intelligence woes may be less well known. Last month, for example, she testified before the German parliamentary committee investigating what the Germans refer to as the “NSA Affair.” Merkel was that long-running committee’s final witness. It was a typical, elusive performance.

On one hand, Merkel nodded to the still-simmering anger in Germany over America’s voracious surveillance and data-collection practices, exposed in painful detail by Edward Snowden’s leaks. In front of the committee, she doubled down on her naïve statement from 2013: “Spying among friends—that simply isn’t done." I say “naïve” because one of the investigative committee’s major achievements has been to expose and document the fact that, for years, the Germans have been spying on their friends and neighbors. New facets of that inconvenient truth continue to surface.

On the other hand, Merkel did not throw her concern for Germany’s security, which favors cooperation with NSA, out with the privacy bath-water.  In the midst of a surprisingly tight re-election campaign and under the shadow of a rash of recent terrorist attacks in the country, she serenely insisted on the continuing importance of U.S.-German intelligence cooperation.

This was classic Chancellor Merkel—Germany’s moderate, deliberate, measured, noncommittal “Mutti.”

It is also Germany’s “Sonderweg” (distinct path) on matters of liberty and security.  Germany wants it both ways—to be seen as a beacon for privacy and data protection in our anxious, big-data era while benefitting from a blood-and-iron security regime that runs the spectrum from an emboldened domestic counter-terrorism machinery to mostly unchecked foreign intelligence operations. Cooperation with the Americans is central to this have-it-all agenda. The Germans are clearly dependent on American intelligence capacities and competences. But they also need America as a useful villain to divert attention from German complicity in the general erosion of privacy.   

This is not just a cynical game played by Berlin’s political class. It is a part of the country’s constitutional DNA. As I establish in a new paper recently posted at SSRN (“Pantomime of Privacy:  Terrorism and Investigative Powers in German Constitutional Law”), the German Federal Constitutional Court has cut the same line in a series of cases decided in the years since the September 11, 2001 terrorist attacks.  The Court is constitutionally mandated to approach the classic tension between liberty and security through the lens of a proportionality analysis. It is literally a matter of weighing legitimate constitutional interests against one another. On one side of the scale, the Court unequivocally validates the constitutionally protected interest in security (not the least because of the state’s duty to promote the constitutionally enshrined “right to life” [Article 2 of the Basic Law]). On the other side of the scale, the Court enforces a slate of constitutional privacy interests, in the home (Article 13 of the Basic Law), with respect to telecommunications (Article 10 of the Basic Law), in an inviolable “core-area of privacy” (Articles 1 and 2 of the Basic Law), with respect to informational self-determination (Articles 1 and 2 of the Basic Law), and concerning a right to security and integrity of one’s information technology systems (Articles 1 and 2 of the Basic Law).

My paper closely details the Court’s deployment of this balancing act in its recent, seminal BKA-Act Case (20 April 2016). The case merits close scrutiny for a number of reasons. First, it is the culmination and codification of the Court’s wide-ranging jurisprudence from the last decade on the questions of privacy and security. Second, the Court took the opportunity of its review of the new investigative powers granted to the Federal Criminal Police Office to extend its balancing jurisprudence to new questions. It will be of significant interest to the American intelligence community, for example, to understand the limits the Court imposed on the international transfer of intelligence. Third, the epic character of the decision invites critical reflection on the German Court’s privacy jurisprudence specifically—and Germany’s general, widespread reputation for privacy exceptionalism.

The law and doctrine implicated by the Court’s 80-page opinion are exceedingly complex. But in the paper, I also I take up the critical, normative summons. The BKA-Act Case was received with adulation by privacy advocates.  Human Rights Watch called it a “rare victory for privacy.” Even if the Court never mentions Snowden or the NSA Affair, others viewed the decision as a repudiation of American intelligence policy, concluding that the Court “attends to the protection of the core of basic rights and has even demanded independent oversight.” But all the hype overlooks the startling fact that nearly all of the new, deeply intrusive investigative powers survived constitutional scrutiny. Instead, as part of its proportionality analysis, the Court tinkered at the margins of the BKA-Act. It reinforced the inviolable “core-area of privacy” by demanding external oversight and approval (while stopping short of insisting that the judiciary perform this role). It sought to promote individual’s opportunities to challenge privacy violations by demanding a regime of careful documentation for investigative activities, requiring marginally longer retention of these protocols, and insisting on the deletion of all private information as soon as possible. And the Court confined all foreign transfers of information to circumstances in which its use conforms to the equivalent of Germany’s privacy protections. But the Court also concluded that the BKA can reach that conclusion on generalized terms for certain foreign partners. It all adds up to privacy writ small, where deletion deadlines count for more than “being let alone.”

Even as the BKA-Act Case—and Merkel’s performance before the parliamentary committee—fall short of Germany’s reputation for privacy exceptionalism, they perfectly embody the more balanced reality in German privacy and security policy.

Whatever else the world’s progressives, moderates, and cosmopolitans might hope Merkel can “teach” Trump in their meeting this week, here’s one lesson she has to offer: at least in security matters, there can be benefits in proportionate action.