The Federal Constitutional Court of Germany (Bundesverfassungsgericht - BVerfG
) has recently held that the so-called "dragnet tracing" conducted by police authorities and public prosecutors is unlawful and in violation of privacy rights, unless the public authorities are acting in response to a "specific endangerment" to public order and/or individual right holders.
"Dragnet Tracing" describes a method of automatic data processing where police authorities and public prosecutors combine certain sets of personal data of private individuals as available on general registers (such as name, address, date and place of birth) with additional qualifying (in particular: sensitive) data from other registers (such as University registers revealing religion, political attitude, university curriculum, etc.) in order to narrow the circle of persons to be observed in order to detect potential suspects of serious criminal offences.
German authorities developed this tool during the years of terrorist threats from the Left. Depending on the combination of search criteria and sets of data, this method can bring under observation and scrutiny a great number of private individuals who have raised no suspicion of any criminal activity at all.
In this particular case (in the aftermath of 9/11) German authorities developed a search method in order to detect so-called "sleepers" (i.e. allegedly trained terrorists waiting to be called for a specific assignment) and identified roughly 11,000 students of Arabic origin in the Federal State of North Rhine-Westphalia. Then, in a process carried through until December 2001, the public authorities added further selection criteria, such as information on who was the holder of a pilot license. As a result, the public authorities obtained a final search profile on about 70 private individuals, including a citizen from Morocco. This individual was registered as a student at the University of Duisburg and a Muslim. He objected to this processing as a violation of his privacy rights.
The BVerfG confirmed that public authorities had violated his right of privacy (which the BVerfG defines as the individual's "right of self-determination over personal information" and thus forms part of each individual's fundamental rights protected by the German constitution), due the fact that the public authorities were not able to give evidence of an "imminent and specific endangerment" ("konkrete Gefahr"
) as opposed to a vague and "abstract endangerment" such as the general threats of terrorism, which could not have justified such serious interference with a private individual's constitutional rights. It confirmed that this method – in the absence of a specific endangerment and given that sensitive data on religious belief were concerned – was disproportionate (among other things) to the potential risk of becoming subject to an unjustified investigation and of being stigmatised and discriminated against. To illustrate this risk, the BVerfG referred to a separate police action where the Hamburg police had "invited" 140 foreign male students to "interviews" where they were asked to present documents on travel activities, bank accounts, certificates of memberships and the like. Notably, the BVerfG also did not accept that it was sufficient for the public authorities to delete all sets of personal data after carrying out the "dragnet tracing" and having informed each individual that he had been subject to such investigation.
The court ruling represents an important further milestone in protecting the right of privacy, in the face of threats from information technology. While the BVerfG has upheld prior rulings that approved "dragnet tracing", it has increased the burden on public authorities to give a proper justification for such processing based on an "imminent and specific endangerment". Ultimately, this is appropriate in light of the accelerated and advanced technological ability to access and cross-combine sets of personal data kept on separate public registers.