The Schleswig-Holstein Question
Facebook has agreed to work with the German government to develop a code of conduct governing privacy on social networking sites. But why is this one country so reluctant to share online?
Facebook and Google want to improve the way we discover information and interact with one another, while selling us things along the way.
Many people see nothing wrong with the way these and other online companies monitor use of their systems to work out who might want to buy what, but the situation is different in Germany.
German citizens and their regulators are becoming well known for giving these giants of the web a hard time.
In August, the Independent Centre for Privacy Protection (ULD) in Schleswig-Holstein banned all organisations in the state from having Facebook fan pages and embedding 'Like' buttons on their websites. The ULD said citizens were being monitored without realising it.
Earlier that month, privacy officials in Hamburg said Facebook could be fined for keeping biometric data collected through the site's facial recognition system.
And in 2010, federal and state data protection authorities forced Google to let Germans have their homes blurred out on the street-level images collected by the company's Street View vehicles.
Hundreds of thousands of citizens opted to have their properties obscured and Google gave up updating its German Street View images in April this year.
Dark past
One reason for this strict attitude towards personal privacy is Germany's history, according to ULD head Dr Thilo Weichert.
"In Germany we had the experience with the Nazi regime, we had the experience with the German Democratic Republic, and we have a big reluctance concerning the gathering of data for discrimination or suppression or persecution," said Dr Weichert.
Carsten Casper, a privacy analyst with technology research firm Gartner, agrees that the shadow of the Stasi is a factor.
"For almost 40 years people were under surveillance and it's obvious that this makes people very nervous when it comes to privacy," he said.
"This doesn't differentiate between physical and data privacy. All these topics are mingled in the public mind."
As a result, Germany is something of a trailblazer when it comes to data privacy. The world's first data protection law was passed in the German state of Hessen in 1970 and the country's federal data protection act, the Bundesdatenschutzgesetz, is among the strictest in the world.
Dr Weichert says he simply wants companies that operate in Schleswig-Holstein to comply with German laws and the European Data Protection Directive, which forms the template for those rules.
He believes there is "a deficit of compliance" in some other European countries, but the Directive should be properly enforced everywhere in the EU.
"There is a totally different legal culture in Europe and the US and I accept this, but it's not possible for the American culture to impose itself on the European culture," said Dr Weichert.
"They have to respect our different understanding of privacy and when American companies want to make money in Europe, they have to respect European law and European privacy culture."
Dr Weichert, who met with Facebook this week for talks, thinks such companies are capable of adapting their systems if necessary.
"Google and Facebook offer special nationalised services, for example, concerning analytics," he said.
Gartner's Carsten Casper sees it as fair for local regulators to use their powers even if they affect global companies, but he said some Germans think Dr Weichert and his Hamburg counterpart Johannes Caspar are excessively strict.
"I am German, and I would think it's too much," he explained, noting that German companies are forced to pay more than others when building web services, in order to add privacy safeguards that comply with the law.Radical difference
Like the Bundesdatenschutzgesetz, the UK's Data Protection Act copies the European privacy directive into national law. However, the Information Commissioner's Office (ICO), which enforces the act, does not follow the German approach.
"There is certainly a perception that they have quite a strict law, stricter than the directive would necessarily require," said David Smith, director of data protection at the ICO.
"Ours is pretty close to the minimum that the directive would require. In applying that law, they tend to apply it fairly literally. Here, we would say we are more pragmatic."
Mr Smith said the ICO follows "what is a recognised approach to good regulation across the board in the UK" by concentrating its efforts on tangible risks to privacy, rather than trying to uphold a principle even where negative effects are not yet proven.
Simon Davies, director of UK-based group Privacy International, said there was a "radical difference" between the German and British approaches. He believes that Dr Weichert takes more of an activist role.
Indeed, Schleswig-Holstein's privacy commissioner is a former Green Party politician, who has been campaigning on privacy issues for 25 years and describes himself as driven by "a human rights motivation".
"[Dr Weichert] sees the law as a changing beast that evolves constantly and he sees privacy law as something that needs constant nurturing and prodding," said Mr Davies.European harmony
All of this is a headache for companies such as Facebook and Google, which have to deal with varying levels of privacy-related strictness across 27 EU member states.
Viviane Reding, Europe's Justice Commissioner and Vice President of the European Commission, said in March that privacy law must be modernised but regulators will also have to develop a common approach to enforcement.
According to Mrs Reding, companies have "a specific responsibility when personal data is their main economic asset" and social network users "must know what data is collected and further processed, for what purposes, and where and how it is stored".
"National data protection authorities play an essential role in ensuring that companies follow EU rules when personal data is collected and processed."
European Commission Vice-President Viviane Reding set out her privacy vision ahead of planned reforms to the law.
In her March 2011 speech, she described the "four pillars" of the new EU Data Protection Framework:
- Right to be forgotten: "People shall have the right - and not only the 'possibility' - to withdraw their consent to data processing."
- Transparency: "Individuals must be informed about which data is collected and for what purposes."
- Privacy by default: "Privacy settings often require considerable operational effort in order to be put in place. Such settings are not a reliable indication of consumers' consent. This needs to be changed."
- Protection regardless of data location: European citizens should receive the same protection "whatever the geographical location of the service provider."
"At the same time, it's important that they have a consistent approach in handling privacy issues," said Mrs Reding.
The European Commission will, in the coming months, propose how to make this consistent approach a reality. The question is what kind of approach it will be.
The UK's ICO is hoping for stronger privacy protection.
"We would like some strengthening and updating of the law, so that the rights that individuals have over their data are easier to exercise and more effective," said David Smith.
"The idea that you have to apply in writing to Google to get your data doesn't tie up with the global framework we operate in."
Dr Weichert hopes that the common standard of privacy protection in Europe will follow Schleswig-Holstein's example.
"You can harmonise on a low level or on a higher level, and I hope there will be a high-level, an adequate level of enforcement of privacy law," he said.
Facebook, which on Thursday signed up to a German code of conduct for e-commerce firms with young customers, believes that Dr Weichert and the ULD have made "incorrect assumptions" about its Like button.
The company said it looks forward to "continuing the dialogue and to helping them better understand our actual processes and how they respect the privacy of German internet users".
"We firmly reject any assertion that Facebook is not compliant with EU data protection standards," said a Facebook statement.
Google declined to comment on its dealings with Germany's privacy regulators.