Germany has, in contrast to many other countries, a mandatory citizen registration. One side effect is the national ID card (now an eID). Another is that there are registration offices at every local authority. And there is a law called “Melderechtsrahmengesetz” (MRRG) which rules everything about this registration. A few days ago the German Bundestag passed a revision of this law, and did it during the semi-final of the European Football Championship (Real football, played by feet and with a ball; not American football, played by hand and with an egg) between Germany and Italy. That explains why it took a little while for the outcry of the masses to develop.
The MRGG revision at first glance appears to be a success for the lobbyists of the marketing industry and the ones dealing in addresses. In a draft of November 2011 the law required explicit consent of the citizen for the registration offices to pass the data to someone else. In the revision which recently passed the Bundestag, the citizen has to explicitly withhold consent – and the “opt-out” is only accepted if the party requesting the data didn’t already possess it (which for example would be the case if someone participated in a contest and gave away his address data) and simply wants to validate or change data. In addition, the range of attributes which can be requested by 3rd parties is now much larger than before.
However, the MRGG had these provisions quite some time ago. The ability to request data of others without consent had been introduced in 1938 by the former minister of the interior Frick (who was sentenced to death in the “Nürnberger Prozesse”) by order, bypassing the parliament. Its purpose was, amongst others, to push denunciation. The current MRGG still allows basic requests of anyone about everyone at the registration offices without unveiling a purpose. There is neither an opt-in nor an opt-out in the current version of the law. This is in contrast to the basic right of self-determination regarding personal data which has been defined by the German Federal Constitutional Law. The revision of the law isn’t intended to remove data protection from the MRGG but, for the first time, adds data protection to that law.
Today organizations like the Schufa (providing financial “health” information about individuals to banks and others), the Federal Office of the Protection of the Constitution (“Bundesamt für Verfassungsschutz”) and private investigators are the main “customers” of the registration offices. This is, by the way, not for free – a single query costs in the range for 5 € to 10 € per registration office – and it might require to ask a number of registration offices to find someone. So it is somewhat unlikely that address dealers and the marketing industry in general will use the new options on a broad scale. There is just no valid business model behind this.
Obviously, there is a need to find a balance between privacy and the interests of marketing and others to access some data. Besides, there has been a strong need to update the law which dated back to 1980 in its current version, but which still was based on the 1938 law. So the current, very emotional discussion appears a little extreme to me – and it isn’t based on facts. There are things which need to be changed: There is a need for consent. This is introduced for the first time with this revision of the MRGG. The amount of data should be carefully evaluated, thinking of “minimal disclosure” instead of providing masses of data. That is an area for improvement of the law. Access shouldn’t be for free – it isn’t for free today and it won’t be for free in future. But on the other hand, no one should complain if he gave his data to a company when participating in a contest – there was a price paid for that data in some way.
Given that this law has not only to pass the Bundestag but also the Bundesrat (the upper house of the German parliament), it is very likely that some parts will be changed before it becomes effective. That is the positive thing with privacy being back in public discussion. The critical aspect is that the discussions are emotional and sometimes even hysterical, not fact-based. And, in the case of the MRGG, that there is no real need to make changes to version which passed the Bundestag.
The lesson we could learn from this is to work based on facts and not on emotions – even when it comes to privacy discussion. Not every access to personal data is bad per se.