Letter from Berlin: Personal Data, Down the Rabbit Hole
A new scandal in Germany over stolen and misused private information has raised a call by government ministers for stricter data-protection laws. But basic details about every German citizen -- and banking data for up to 20 million -- are already in general circulation.
A state privacy watchdog claims that bank details of up to 20 million German citizens are illegally available for sale.
Do they care? That's what Federal Justice Minister Brigitte Zypries asked in an interview with the Financial Times Deutschland, published Friday, after she announced a plan to crack down on the free circulation of contact information in Germany as well as the surprisingly vast black market in bank details.
"An awareness of data protection has unfortunately weakened over the last few years," she said. "Many people give out their most private information without much thought."
The controversy has roiled through German media and government bureaucracies since last week, when a state privacy watchdog named Thilo Weichert, from Schleswig-Holstein, told a newspaper that the phone numbers and addresses of all German citizens were freely available on the Internet. He also said the bank details of up to 20 million citizens -- a quarter of the German population -- were available, illegally, at cut-rate prices.
"Lawmakers can do more to protect consumers," he said. "The transfer of data for marketing purposes should be made universally conditional on the customer's approval."
Tiegel, 36, quit his job, burned the CD and managed to set loose "the largest data-protection scandal in recent (German) history," according to the Süddeutsche Zeitung. Now he's unemployed. But his job at a firm called Hanseservice involved phoning up ordinary Germans to sell subscriptions to a lottery scheme called "Eurochance." For 36 ($53) per month, "Eurochance" promised to invest in 200 contests and lotteries in the customer's name.
The lotteries are legal, so the offer was legitimate, in theory. But Tiegel said his boss also gave him lists of bank details to match the contact information. After each phone call -- whether the customer agreed or not -- Tiegel alleged that Hanseservice could just move money from this or that account. The phone calls, he said, gave the company plausible cover to claim the customers had granted permission.
Businesses should give back profits earned from misusing personal data, says German Justice Minister Brigitte Zypries. But the government plays fast and easy with private information, too.
Currently Germany's Federal Association of Consumer Protection Agencies says it is investigating hundreds of complaints from consumers who claim that amounts of 50 to 100 have been illegally taken from their accounts.
By way of advice to worried Germans, Tiegel said that when a strange company calls, "you should just hang up."
Long experience with totalitarian regimes -- first under the Nazis, then under communism in the former East Germany -- has made data protection a sensitive topic in Berlin. Brigitte Zypries, the Justice Minister, said Germany's existing data-protection laws may not be strong enough. "We will now look into whether the current laws are enough or whether they need readjusting," she said.
Current guidelines allow fines of up to 250,000 euros for abusing personal data. But they're almost never fully exploited. Zypries said the German government would consider confiscating profits from a business caught misusing data. "Companies would then have to give back every cent which they earn through illegal trade (in personal data)," she said. The justice minister also wants to make it easier for police and prosecutors to investigate cases of personal data abuse in the early stages of a complaint.
The other problem, of course, is misuse of data by the government itself. The German system has rules against swapping personal details between agencies. But a spokesman for Thilo Weichert's consumer-advocacy office in Schleswig-Holstein, Thomas Hagen, told the Süddeutsche Zeitung that breaking these rules was routine.
"We've been preaching for years that we need action not just on the side of lawmakers, but also on the side of (these) agencies," data protection expert Roland Stuhr told German public radio station NDR. "Data is easy to collect, easy to save, easy to copy and hard to control once it has been set in circulation."
Weichert himself said in a statement that the Internet age had brought the address of every German citizen into circulation for marketing purposes -- everyone in the country was potentially exposed to a phone scam or at least a targeted-marketing campaign. Even more worrisome, he said, was that bank details of "some 10 to 20 million people" were in illegal circulation. Since the current scandal broke, his phone has been ringing non-stop, he told the Süddeutsche Zeitung. "We're hearing stories from every corner of the republic," he said.
Basic personal data, from addresses and telephone numbers to tax status, is considered public information by many governments. But computers make it easier to organize and collect. Stray CD-ROMs, lost hard drives and unaccounted-for memory sticks with personal data have become major scandals in Britain, and in Italy earlier this year there was an uproar when the national government put the names, addresses, income and tax status of every citizen online.
The tax office in Rome said it wanted to "allow the free circulation of information in a framework of transparency" and "in line with privacy guidelines." But an Italian privacy watchdog cried foul, and the information was removed from the site within 24 hours.
"These days," Thomas Hagen, the spokesman from Weichert's office told the Süddeutsche, "anyone can open a call center with a cheap computer and manage the data of millions of people with an Excel spreadsheet." Businesses of all kinds are interested in these data banks, and to misuse them, he said, "you just need a little intelligence about information technology, and some criminal energy."
© SPIEGEL ONLINE 2008
All Rights Reserved
Reproduction only allowed with the permission of SPIEGELnet GmbH