COVID-19 and Data Protection in Germany by Christian L. Geminn and Johannes Müller

This paper is part of the e-conference on « Data protection Issues and Covid-19: Comparative Perspectives » which consist in a daily publication at 12 p.m. (GMT+1) except on Sundays until the Summer break. A new session will start again at the beginning of the academic year 2020-21. Please subscribe to blogdroiteuropeen, so you don’t miss a publication. This e-conference was organised by Dr. Yseult Marique, Senior Lecturer at the University of Essex and FÖV Speyer and Dr. Olivia Tambou, Associate Professor at the University of Paris-Dauphine, External Scientific Fellow at the Max Planck Institute of Luxembourg, and Founder- Editor of Blogdroiteuropeen. If you are interested to contribute for our September session feel free to contact us at blogdroiteuropeen@gmail.com

Data collection by the state is a sensitive issue in Germany given its history. The landmark census decision (Volkszählungsurteil) of the German Federal Constitutional Court from 1983 has shaped the data protection landscape in Germany and beyond and continues to do so to this day. The specification of the court that the registration or cataloguing of full or partial personality profiles is a violation of human dignity has led to a strict separation of databases and a strict handling of data access. This has also guided how Germany has handled the corona crisis.

The Spread of the Virus and the Legal Response

The Coronavirus disease 2019 reached Germany on 27 January 2020 with the first officially diagnosed case in Starnberg, Bavaria. Cases in other states – Baden-Württemberg and North Rhine-Westphalia – were confirmed on 26 February; tracing of contacts began. On 27 February, a crisis management group on the federal level was created and passed its first resolutions. On 10 March, the group recommended suspending all events with more than 1,000 expected participants. Legislative measures soon followed suit: the “COVID19 Hospital Relief Act” and the “Act on the Protection of the Population During an Epidemic of National Scope” passed the Bundestag on 25 March; a thereby reformed Infection Protection Act (Infektionsschutzgesetz, IfSG) took effect on 28 March and made it possible to immediately suspend air travel from Iran to Germany.

The reformed IfSG now grants substantial emergency powers to the Federal Ministry of Health (“solely for the purpose of detecting and preventing the introduction of a threatening transmissible disease”) in order to prevent the destabilisation of the entire health care system (notwithstanding the authority of the Länder). These powers of the Federal Ministry of Health hinge on a determination of the Bundestag that “an epidemic situation of national importance” is occurring. Subsequent to such a determination, the Federal Ministry of Health is authorized to weave a net of information in order to combat the epidemic by interrupting the chains of infection. § 5(2)(1, 2) IfSG is a crucial provision in this task. The provision enables the Ministry to oblige persons (by way of an order) who wish to enter or have entered Germany and who have probably been exposed to an increased risk of infection to disclose the following information: identity, itinerary and contact details; as well as to present a certificate of vaccination or prophylaxis against the contagious disease in question, to inform the competent authority about their health status, to present a medical certificate stating that they have no evidence of the presence of the communicable disease in question, and to undergo a medical check-up.

Businesses that transport passengers across borders, operators of airports, ports, passenger train stations and bus terminals as well as tour operators may be required by order to cease the transport of passengers from certain countries to Germany (while still enabling German nationals to return). Other obligations include the processing of data necessary for the identification of a person or for the early detection of sick persons, to transmit passenger lists and seating plans to the authorities, and to enable the transport of (possibly) infected persons.

All measures serve to enable the competent authorities to take safety precautions, such as monitoring (§ 29 IfSG), quarantine/isolation (§ 30 IfSG) or disqualification from professional activities (§ 31 IfSG).

The “Second Act on the Protection of the Population During an Epidemic of National Scope” passed the Bundestag on 14 May and (predominantly) came into force on 23 May. Among other things, the Act amends the information that must be provided in case of a disease that is subject to reporting. In particular, following the change, “the likely route of infection, including the environment in which transmission is likely to have occurred, with the name, address and other contact details of the source of infection and the probable risk of infection” must be reported (new § 9(1)(1)(k) IfSG). While this change relates to all diseases covered by the IfSG, the reporting of “information on the outcome of treatment and serostatus in relation to this disease” is limited to Covid-19. The “nonnominal” (pseudonymous; § 10 IfSG) reporting also must include this information. Covid-19 was added to the list of diseases subject to report in § 6 IfSG via the Coronavirus-Meldepflichtverordnung (CoronaVMeldeV; coronavirus reporting obligation regulation of 30 January 2020).

Easing of Restrictions Following a Decline in Infections

Easing of restrictions brought significant challenges on data protection as a result of preventive measures to enable tracing. Germany’s federal structure means that legislation is distributed between the Bund and the Länder, which means that differentiation across the country arises. Similar requirements exist across many Länder, although their specific modalities differ from Land to Land. For instance, the Land of Rhineland-Palatinate for instance required reopened restaurants and similar establishments to record the names, addresses and telephone numbers of all patrons (§ 2(2)(2)(2) of the Sixth Anti-Corona-Regulation of Rhineland-Palatinate, Sechste Corona-Bekämpfungsverordnung Rheinland-Pfalz, 6. CoBeLVO of 8 May 2020); continued in the Seventh Anti-Corona-Regulation of 15 May 2020; § 8(2) in the Eight Anti-Corona-Regulation of 25 May and § 7(2) in the Ninth Anti-Corona-Regulation of 4 June). Visits to restaurants and similar establishments were at first only permissible upon reservation or notification (removed in the Ninth Anti-Corona-Regulation of 4 June). The required contact data must be kept by the operator for one month and must be irreversibly deleted afterwards. The responsible public health authorities may request access to the contact data. Processing is limited to purposes that relate to the Infection Protection Act. All patrons must be informed about these facts when making a reservation. This type of regulation is adopted by the competent minister of the Land, in this case the Minister for Social Affairs, Labour, Health and Demography of Rhineland-Palatinate. It is based on the Federal Infection Protection Act and the State Regulation of Rhineland-Palatinate on the Execution of the Infection Protection Act. Art 74(1)(19) of the German constitution (Grundgesetz) establishes that “measures to combat human and animal diseases which pose a danger to the public or are communicable” are a matter under concurrent legislative power (konkurrierende Gesetzgebung). This means that the Länder may only regulate in this area so far as no federal provisions exist.

Another example of measures adopted by Länder can be taken from Schleswig-Holstein: This Land requires the operators of restaurants, bars and event-management to collect the contact details of patrons which also includes email-addresses (§ 7(1)(2) Ersatzverkündung der Landesverordnung zur Neufassung der Corona-Bekämpfungsverordnung, 16 May 2020; currently applicable: version of 8 June). In Schleswig-Holstein, the data must be kept for six weeks, and thus two additional weeks, until destruction is required. Furthermore, the purpose of processing is narrower than in Rhineland-Palatinate: the data may only be sent to the competent health authority if this is necessary to trace possible infection routes.

Other sectors have been regulated in a similar way. One example can be found in § 6(3) Corona Protection Regulation of 21 May 2020 (Coronaschutzverordnung, CoronaSchVO) of North Rhine-Westphalia. This provision states that “libraries, including university libraries and archives, have to limit access to their services and only allow these under strict conditions of protection (in particular visitor registration with contact details, regulation of the number of visitors, minimum distances of 1.5 metres between reading stations and workplaces, hygiene measures, notices with information on correct hygiene measures)”.

The German data protection authorities (18 in total; 1 on the Federal level and 17 in the Länder with Bavaria having two) clarified early on that data protection law (GDPR in conjunction with the German Infection Protection Act) does not prohibit measures to reduce the risk of infection if technical and organisational measures are taken to prevent abuse of personal data. The data protection authorities of the Länder have published instructions (particularly for restaurants) on how to process personal data as required by the regulations set forth by the governments of the Länder (for instance the Hessian Commissioner for Data Protection and Freedom of Information) and provide examples for data collection forms (for instance Mecklenburg-Vorpommern and Schleswig-Holstein).

Dr. jur. Christian L. Geminn, Mag. iur., Senior researcher and lecturer at Kassel University and Managing Director of the Project Group Constitutionally Compatible Technology Design (provet) at the Research Centre for Information System Design (ITeG)

Ass. iur. Johannes Müller, MLE., Assistant researcher at Kassel University and member of the Project Group Constitutionally Compatible Technology Design (provet) at the Research Centre for Information System Design (ITeG)