The federal law creates an independent Data Protection Commissioner (DPC), who, by advising the federal government and individual ministers, ensures that the Data Protection Act is implemented. If the commissioner discovers infringements of the law in the processing of personal data, he or she can submit a complaint to the competent authority.

The federal Data Protection Commissioner’s office has counterparts in each of the eleven states, which, under the federal constitution, implement both the federal law and their complementary state laws. While this case study concentrates on the federal system of data protection, it will also examine the experiences of the state systems of Hesse and North Rhine-Westphalia (NRW). The actions of the state Data Protection Offices are especially important, because as much as 80 to 90 percent of personal information from the public sector is held at the state level. States have primary responsibility for education, police, and health, whereas the federal government dominates security, defense, insurance, and social security.

Since 1969 Germans have produced a mature and well-developed system of data protection, which can serve as a very important model elsewhere. The impressive advances made by the Germans are especially relevant to the North American experience; Canada and the United States operate under similar federal systems, and West Germany’s large population of 61 million makes it a more useful example than the smaller Scandinavian countries.

This case study permits an introductory discussion of a number of the major themes of this volume. It provides the opportunity for an initial assessment of the relative success of the federal and state offices in controlling governmental surveillance of the public. Implementation of data protection in Germany benefits from a complementary system of data protection and from a very legalistic system that reflects the country’s political culture. Data protection in the Federal Republic also has a stronger constitutional base than in any other country. Perhaps most importantly, the experience of German data protection agencies during the last decade shows a fully functioning, advisory model of data protection that has won considerable victories in protecting individual rights, because of strong leadership, talented staff, an emphasis on mediation and auditing, and a capacity to learn from experience. Finally, the West German example allows discussion of the problem of independent exercise of power by data protectors—an issue in every country committed to effective implementation.

Several troublesome issues explain the long gestation period. The first problem was the regulation of data transfers within the federal government. The computer industry then won an extension of the law to manual files on individuals that are readily accessible for repeated uses. A third reason for delay was the contention from a variety of sectors that provisions in various special laws already offered a great deal of data protection and that no further external regulation or supervision was required. Finally, the need for an independent supervisory agent was at issue.

Although the law enacted in Hesse provided for a Data Protection Commissioner, there were no plans for a comparable post in the draft federal legislation. Officials of the Ministry of the Interior anticipated that individual ministers would be responsible for the implementation of data protection, on the assumption that leading politicians and civil servants were in the best position to know what to do in their respective spheres and to determine what particular exemptions were needed in the special laws regulating ministerial activities. Because of a strong societal commitment to the rule of law, West Germans do not share North American cynicism about the behavior of civil servants under such circumstances.

The West German media did become increasingly involved in discussions of the proposed law. The leading weekly, Der Spiegel, published an article on the eve of the passage of the BDSG under the title: “Data Protection: 1984 is no longer far away.”² It paid particular attention to the views of certain experts that the proposed law was inadequate in light of articles 1 and 2 of the West German federal constitution or the Basic Law of 1949, which provide the constitutional underpinnings for the right to privacy. Article 1(1) provides that “the dignity of man shall be inviolable. To respect and protect it shall be the duty of all state authorities.” Article 2 states: “Everyone shall have the right to the free development of his personality in so far as it does not infringe the rights of others or offend against the constitutional order or the moral code.”³ Such public discussion was especially inspired by a fear that the government’s proposals on data protection, personal identification numbers, and population registration were being inappropriately linked together as a package. In fact, these constitutional articles have provided essential underpinning for the effort to control governmental surveillance. The BDSG can be strengthened or reinforced by recourse to the principle of the right to a private personality founded in the constitution.

Another characteristic of West Germany, going beyond the general specificity of European Civil Law—compared to the common-law heritage of English-speaking countries—is the tradition, especially since the end of the Nazi era, of very detailed laws controlling governmental activity. In a fashion comparable to contemporary France, but differing from North America or Britain, West Germany is overtly preoccupied with issues of power, which results in considerable emphasis on the rule of law in what is essentially a law-driven society. Its constitution requires a legal rationale for every administrative act of the government. Public administration involves the continuing development and revision of specialized laws and regulations to govern all public services, in contrast to the North American practice of enacting very general legislation and leaving decisions on implementation to the civil service. Surprisingly, this preoccupation with the rule of law extends as well to the security agencies and the police. In a very significant way, this legalism, by ensuring the specific and elaborate enumeration of individual rights, protects personal freedom by seeking to limit governmental surveillance.⁵

Exacting legalism is complemented by a traditional belief in the trustworthiness of the civil service, which helps to explain the type of data protection system adopted. The assumption is that civil servants will obey the law and are worthy of trust by one another and by the public they serve. A 1976 survey showed that the general public was much more afraid of the abuse of personal data by the private rather than the public sector. Sixty-two percent of those then surveyed believed that the state should know as much as possible about the individual citizen. A 1983 survey revealed that, while the public still fears abuse by the private more than the public sector, 60 percent felt that computers have given the state too many opportunities for control, and 65 percent felt that as little information as possible should be given to the state, marking a growing lack of confidence in the government since the enactment of data protection.⁶

The experiences of other countries have also influenced the development of West German data protection. The rejection of administrative licensing in favor of an advisory system was a conscious decision. As Bull explains, while every government minister is responsible to the Bundestag for his or her own department, including data protection, the constitution provides that no one in government has the ultimate power to order a ministry to do anything, except the minister who implements a law in his or her own agency.⁷ Such ministerial autonomy is consistent with the traditions of legalism and trust in the civil service, while giving direct powers of intervention to the DPC would have required constitutional changes.

In supporting a federal Data Protection Commissioner rather than a commission, West Germany also rejected the more decentralized decisionmaking model implemented in Sweden and France. There is no commission with the final power to make decisions, nor does the federal DPC have an advisory board. It is an open question if such a board (whether executive or advisory) promotes data protection, especially in the public sector, or whether it simply facilitates political compromises over surveillance within a miniparliament, thus weakening the consistent defense of privacy interests that data protectors must undertake. It has been suggested that the creation of such a board would be contrary to West German tradition, wherein such boards are mainly used for self-governing administrations, but apparently the precedents are not determinative. Civil servants in particular do not regard themselves as needing an additional reference group beyond the directions they receive from a minister and the Bundestag, which again reflects the legalistic character of society.

Experimentation with the commission model has occurred at the state level; however, most data protection specialists continue to favor the more centralized scheme. An eleven-person committee exists in Bavaria as an advisory body to the commissioner. As an academic expert, Bull initially advocated such a device, but by the end of his term in office he was not as certain of its merits. The Bavarian committee, which has broad representation, can help the state DPC in difficult decisions, but there is also a predictable tendency to encourage internal compromises at the expense of data protection interests before releasing advice and to tie the hands of the commissioner.

Rhineland-Palatinate has a commission made up of members of the state parliament and representatives of the Landtag and the Ministry of the Interior. It has the same advisory powers as a single Data Protection Commissioner. Bull has observed that although the system does function, progressive decisions are difficult under such a regime. Professor Spiros Simitis of the University of Frankfurt, who has been the Hesse Data Protection Commissioner since 1975, is similarly skeptical of the utility of collecting the varied interests in society together in such an advisory commission, whether in West Germany or elsewhere. Other observers describe data protection in Rhineland-Palatinate as ineffective and superficial, largely due to the burden of developing the appropriate expertise. One positive side effect may be that the commission system he...