Data protection in the US
June 9, 2013
DW: Do we have to worry about US authorities tapping data from Germany?
Thilo Weichert: The data that we generate online is indeed also stored with US service providers. Therefore, it is reasonable to assume that American security agencies are using our Internet communication data for their own purposes, fighting terrorism and similar things. In how far they are also falling back on German companies for this, we don't know. What we do know is that there is a legal basis for these actions in the US in the FISA intelligence law as well as in the Patriot Act.
US authorities can definitely access data from American companies. Can you give us a few examples of this?
They can retrieve anything that's been saved. First of all, this means who did what, when, and which services were used? But that also includes content, such as the account or profile information we have stored on Facebook or Google. This can also be accessed. Our Google search behavior, for example, is completely transparent for US security agencies. The federal police FBI, the intelligence services CIA and NSA and so on - they can all access and use what they please.
Does that mean that US authorities can retrieve German data without contacting German officials?
That is absolutely correct: US security agencies can access data stored on servers of American service providers, like Yahoo, Microsoft, Amazon, Facebook, or Google, and use it for intelligence purposes.
Are German authorities doing the same thing in Germany?
German authorities are definitely not allowed to do anything like that. Such behavior is neither anchored in German law, nor has it been judged acceptable by the Constitutional Court. Therefore, one has to assume that basic rights, especially the right to data protection, are worth less in the US than in Europe. You can also rely on German companies and authorities to be more law-abiding.
Which German businesses could be pressured to pass on data by American authorities?
All companies that operate in the US can be put under pressure. But I believe that would be an exception, and not a regular occurrence, as has become public with American companies recently.
You can't imagine that German companies will grant regular and direct access to their servers?
That is highly unlikely. I would currently eliminate that possibility.
What should the German government do now?
The German government should demand clarification, because German citizens are concerned here. I also hope that extensive media coverage will clear things up a little. But we need a transatlantic dialogue on data protection. Europe has to ask the US to respect European data protection standards when dealing with American service providers.
What can Europe do to enforce German data protection law?
It's very, very difficult to apply European data protection law to the actions of US authorities, because these authorities aren't subject to European law. In addition, the authorities don't inform the public about the companies from which the security agencies get their data. This is a secret process, so nobody can control it.
Is there evidence for German companies already passing on data?
We know of a few cases in which companies located in Europe were required to pass on data, but these were exceptions. We also know, not from the Internet realm, but from the financial transactions realm, that US authorities access this data extensively and use it in the war against terror, but also for different intelligence purposes.
Are you inferring that from the recently publicized cases, or have there been other signs of that before?
We have suspected such goings-on as we're now seeing for years. We are already acquainted with the same system from different areas of life. But that it's applied so extensively in the Internet and telecommunications realm was a shock for us. We feared that might be the case, but we didn't expect it.
US authorities are justifying the automatic data gathering with the war on terror. Is that not a good reason for you?
I don't think that 100 percent of the population under surveillance can contribute something to fighting terrorism. In Europe, we are approaching this issue in a smarter way, by investigating based on suspicions only. I think this is the sole way to overcome terrorism that is in accordance with basic human rights.
Thilo Weichert is a lawyer and political scientist, and has been data protection commissioner for the German state of Schleswig-Holstein since 2004.