Terror attacks prompt government to call for new balance between security and anonymity

BY ZEKE TURNER

BERLIN—When a bomb threat targeted the Thier Galerie shopping mall in Dortmund last month, police rushed to the scene and asked to scour closed-circuit camera recordings.

There wasn’t much footage to go through. An attempt by the mall operator to ramp up video surveillance last fall had been vetoed by local authorities who feared an assault on patrons’ privacy. “You can’t just say you want to have more cameras,” said Heike Marzen, the mall’s manager. “There are certain laws we have to follow.”

Branded by its dictatorial past, when surveillance was both dreaded and commonplace, Germany has some of the world’s toughest privacy laws. But after two attacks claimed by Islamic State and a mass shooting this summer, the government is pushing to recalibrate the balance between security and anonymity.

This month, German Interior Minister Thomas de Maizière introduced a raft of security proposals. Seizing on the case of the Dortmund mall, he made it clear many of these would require a change of mentality.

The threat there, he said, “could have been cleared up with video recordings if they hadn’t been forbidden by privacy champions.” Authorities could have quickly scanned feeds from the whole building to see if anything was planted. Instead police had to search the mall with dogs. They didn’t find a bomb and determined the threat to be a hoax.

Mr. de Maizière is proposing to add cutting-edge video surveillance in some 20 rail stations across the country and intensify monitoring of the internet. Many regional govern- ments and large cities, meanwhile, are discussing video surveillance of highly frequented areas, an almost nonexistent practice in much of the country.

Opponents of the plans say they run afoul of Germany’s constitution and decades of legal precedents that have enshrined privacy among Germans’ most heavily guarded rights. Many fear such surveil- lance will curtail rights without stopping crime, while giving the state too much power.

German authorities and businesses don’t have broad leeway to use cameras, and specific plans must be approved by a special commissioner in each state.

“I don’t want a state that has a complete surveillance system,” said Christopher Lauer, a Berlin state lawmaker with the libertarian Pirate Party who is fighting plans to add cameras in Alexanderplatz, a transport hub and crime hot spot in the center of the capital. “If there are ever darker times in Germany, then the state could just use this against the people.”

In France, a state of emergency in place since November’s Paris terror attacks gives security forces carte blanche to hunt terrorists, and in the U.S. intelligence gathering engenders relatively little controversy. Germany, however, has resisted anything seen as remotely reminiscent of the surveillance that took place under its Nazi and Communist dictatorships.

But the price of privacy has become obvious as terror and crime threats have grown.

When a disgruntled teenager went on a shooting rampage in Munich last month, police had to ask residents to upload smartphone videos of the attack to their servers.

In Cologne, authorities have struggled to prosecute a wave of sexual assaults on New Year’s Eve partly because of the limited video footage from the city’s main square, where most of the attacks took place.

Investigators say video cameras often enable arrests that otherwise wouldn’t happen. In the U.K., with its long history of terror attacks and almost five million security cameras, security footage helped in identifying and arresting terrorists involved in the 2005 bombings on the public transport system.

“If there are cameras, then all of a sudden, we have the beginnings of an investigation,” said Martin Steltner, a senior prosecutor in Berlin.

Speaking outside Berlin on Wednesday, Chancellor Angela Merkel hailed the importance of video surveillance and data collection.

“Until now in Germany the idea of ‘as little data as possible’ has dominated,” Ms. Merkel said. “That absolutely doesn’t fit anymore with the digital age.”

People leaving the Olympia mall in Munich in July after gunfire erupted. A lone gunman killed nine people before killing himself.

SEBASTIAN WIDMANN/ASSOCIATED PRESS

 

U.S. Companies Slow to Adopt European Data Transfer Agreement
Uncertainty remains that the terms will survive legal tests in the EU

Microsoft said it applied for Privacy Shield certification. Other U.S. companies have been slow to sign on to the new international data-transfer agreement.
By DANA HEIDE
Aug. 14, 2016 1:44 p.m. ET

U.S. companies have been slow to sign on to a new international data-transfer agreement with the European Union for reasons that include uncertainty that the terms will survive legal tests in the EU, experts said.
The agreement, called Privacy Shield, allows businesses to transfer personal data on European citizens to the U.S. About 40 companies have been certified under the new rules since Aug. 1, when the U.S. Department of Commerce began accepting applications, the agency said on Friday.
“Many American companies are waiting to see if the Privacy Shield survives an expected challenge by privacy advocates in the European courts,” said Jay Cline, who heads cybersecurity and privacy at PwC, an international consultancy. “So we don’t expect a stampede to join it in the next few days, but rather a steadily growing wave over the long run, especially if European companies begin to favor Privacy Shield membership in competitive bids.”
Some companies still need to implement new measures to comply with the new system, such as updating privacy policies with information about where customers can address complaints. Many firms waited until the EU formally published the new mechanism’s documents in mid-July before beginning to implement the new requirements, company representatives said.
Other companies are evaluating whether the new agreement offers advantages over alternative approaches to complying with European data protection laws, experts say. Alternatives include so-called model clauses—standardized data-protection language preapproved for addition to contracts with customers—and binding corporate policies approved by the EU.
More than 4,000 U.S. companies had been certified under the previous, less robust agreement, known as Safe Harbor, before it was invalidated by the European Court of Justice last year in the wake of Edward Snowden’s revelation of U.S. surveillance programs.
Microsoft applied for Privacy Shield certification on the first day applications were accepted, the company said. The Redmond, Wash., software giant said it implemented both Privacy Shield principles and model clauses. The combination strengthened Microsoft’s competitive position, said John Frank, Microsoft’s vice president for EU Government Affairs.
“European privacy protections are important to European citizens and organizations. We offer EU-approved Model Clauses and we have signed onto the Privacy Shield rules so that we can offer our customers strong data protection standards,” Mr. Frank said.
Amazon.com Inc. competes directly with Microsoft in cloud infrastructure services—the reason for much of Microsoft’s data transfer activity—yet it hasn’t yet applied for Privacy Shield certification.
“The new EU-US Privacy Shield does not impact AWS customers” because the company maintains data centers in several countries where its customers can store their data, and that it also uses model clauses, wrote Stephen Schmidt, vice president of security engineering and chief information security officer of Amazon Web Services, in a recent blog post. Amazon nonetheless planned to apply for Privacy Shield certification, he added.
Experts say Privacy Shield certification is likely to help companies compete with rivals.
“When Safe Harbor was still in place, we saw that companies who were part of it had a competitive advantage in competitive bids over companies who used model clauses. I think we will see the same with Privacy Shield,” Mr. Cline said.
BSA, a software industry organization dedicated to international trade, expects Privacy Shield eventually to be adopted as widely as its predecessor.
“We expect that at least the 4,000 companies who applied for Safe Harbor will apply for the new mechanism as well,” said Thomas Boué, an expert on privacy issues at BSA.
A study by the Future of Privacy Forum, a think-tank based in Washington, D.C., said the Safe Harbor agreement got off to a slow start when it launched in 2000. Some commentators blamed the delay on companies wanting to gauge the consequences of abstaining, the report said. Others blamed bureaucracy.
Despite the new agreement, the rules that govern handling of data on European citizens remain unsettled. Both Privacy Shield and model clauses are likely to be examined by the European Court of Justice, and Christian Schefold, an expert in data protection and compliance at the international law firm Dentons, expects model clauses to fail the test.
As for Privacy Shield, the European Commission has said it was confident it would withstand legal challenges.
The annual fee for Privacy Shield certification depends on the size of the company and can cost up to $3,250. The application process usually takes from several weeks to six months, experts said.
—Natalia Drozdiak contributed to this article.
Write to Dana Heide at dana.heide@wsj.com