During last week’s 69th German Legal Colloquium the association’s members discussed – amongst other topics – the future of IT-law in Germany (you can find all the decisions here – in German). Their decisions on how to fight cyber crime, data protection and liability are supposed to initiate legal reforms. In some cases, you hope the legislator won’t feel inclined.The German Legal Colloquium is an association of judges, lawyers, prosecutors and in-house legal counsels. Its members meet biennially. Although the association does not have immediate influence on the law-making process, it has been able to stimulate essential legal reforms such as the abolition of the death penalty and women’s equality. The association does not represent a certain professional group, but rather tries to function as the speaker of all legal professions.
Here is a short summary of the decisions I found most striking:
Prosecuting cyber crime
According to the association, exhaustive monitoring, filtering, control and supervision were found to be desirable for any kind of communication. As proportional infringements of fundamental rights are possible, detailed legal provisions are to be brought into effect, especially in regard to the surreptitious intrusion of information technology systems in criminal proceedings. The so-called source telecommunication surveillance should be regulated, as traditional methods of telecommunications surveillance are technically impossible. Online-searches should be subject to high intervention limits as provided by the German constitution, but were nevertheless found to be necessary as data could be encrypted. Both measures of criminal prosecution should be conducted through certified systems, but the conductor should not be obliged to notify the data protection officer.
Obligations to surrender traffic and inventory data are to be enlarged.
The association found it desirable to regulate data retention for providers of telecommunication on the one and internet services in general on the other hand.
All internet services should generally retain the user’s real name and internet connection information. A constitutional right to freely use of the internet was found to be non-existent. Internet users are comprehensively protected by their freedom of speech, further protection is not necessary. Therefore, there is no right to anonymity. At least pseudonyms have to be used, so that individuals can be tracked and suits can be filed, if necessary.
Providers of telecommunication should be legally obligated to retain traffic data for at least six month in accordance with the EU-directive 2006/24/EG (Directive on the Retention of Data) and as far as permissible under constitutional law.
Reforms of data protection laws – the association proclaims – are necessary on EU- and national level.
The scope of the data protection laws should be (re-) defined: On the one hand, any service provider directing his services at the European market should be bound by European data protection law. On the other hand, data protection laws should be applicable whenever data might be related to a data subject, even if the connection can only be made in theory.
The legal basis of data processing (consent or legal permission) should be reformed. Minors should not be able to consent to the processing of their personal data alone. Apart from the consent of a minor, who is sufficiently able to reason regarding the consequences of the consent, the legal representatives consent is needed.
In general, the members decided, consent can only be given actively (Opt-in). Any opt-out-model was found to be insufficient.
Once consent has been given, however, the data subject should only be able to revoke it, if strict legal requirements are met. In other words: principally, revocation should not be possible.
And finally, the legal bases on which personal data can lawfully be processes with regard to internet communication should be enlarged so that more data can be processed on the grounds of legal permission. Communication should prevail over data privacy interests.
Right of access
A new right of access should be granted, the association said. Those violated against by publications should have a right to know the infringer.
Laws regulating liability should be renewed. According to the members, search engine operators should be indemnified from the liability for any infringements against the rights of the individual.
A procedure of “notice-and-take-down” should be set up, meaning that the comment would be taken down, if the author does not react to the information by the internet service that his comment infringes against a third parties rights, after the internet service has been informed about the infringement by the rights holder. If the author is unknown or wrote the comment anonymously, the comment will be taken down whenever the internet service is informed about the infringement by the rights holder.