The federal Constitutional Court in Karlsruhe said on Friday that current laws give security services “disproportionate” access to citizens’ personal information and are unconstitutional.
German intelligence services and police agencies may currently ask telecommunications and internet companies for user information including names, birth dates, passwords and IP addresses while investigating areas such as counter-terrorism and cyber-crime.
But lawsuits brought by activists argued that such information was being handed over to police even in the course of relatively minor investigations.
Complainants had argued that current laws allow investigators to access such data without a judge’s approval, and not only from telecoms companies but also organisations such as hospitals and hotels.
“It cannot be permissible to indiscriminately request information on data,” judges said in the ruling.
Data should be accessed only in cases where there was “a specific danger” or “an initial suspicion of criminal conduct” in the context of a particular investigation, and not to facilitate investigatory work “in general”.
The ruling gives the government until the end of 2021 to revise the laws to set “thresholds for the use of these powers”.
German privacy laws are informed by the invasive tactics of East Germany’s Stasi or Nazi Germany’s Gestapo security services.
One of the two lawsuits that prompted the Constitutional Court’s ruling was filed in 2013 by Patrick Breyer and Katharina Nocun, politicians with the European Pirate Party, which campaigns for internet freedoms.
Their complaint had the backing of 6,000 people.
Europe tax setback? EU's General Court rules the European Commission failed to prove Amazon enjoyed…