Database

The use of Cloud Computing services may – depending on the information stored and the purpose of storing these information – constitute a disclosure of confidential information in violence of professional secrecy in the meaning of Sec. 203 StGB (German Criminal Code).

The professional secrecy includes personal data as well as all facts, which are been obtained for professional reasons. Professionals who are subject to professional secrecy are especially, but not exclusively, lawyers and legal professionals, medical professions, social care, clerical professionals and civil servants.

In general, the storage and processing of public registers / records with sensitive data of citizens (such as records of the tax authority or criminal records or registers of births, marriages and deaths or weapon registers or registers of data of social security institutions) may not be outsourced. Moreover, restrictions on cloud computing may arise from the exclusive access of civil servants to the exercise of sovereign powers, which is granted by the German Costitution (Art. 33(4)).

The requirements vary between different States in Germany. For example, in Brandenburg the authorities which store a register of the residency of Brandenburg’s citizens are only allowed to use private Cloud Computing services which are located in Brandenburg (Sec. 35 BbgMeldeG).

In August 2015, Germany issued nationwide guidelines that prohibit government agencies from using clouds to store sensitive data if the cloud company processes data outside the Germany. Cloud providers could qualify for the "German cloud" certification if their servers and company headquarters are located in Germany. However, the proposal was later withdrawn.

Freedom House has noted that most German mobile providers contractually prohibit services such as Voice over Internet Protocol (VoIP) or even instant messaging.

The European Court of Justice has interpreted in 2014 that Internet Service Providers (ISPs) may be ordered by national courts to block customer access to a copyright-infringing website. This ruling aims to limit online piracy.

Under the circumstances of the ongoing dispute between YouTube and GEMA (German Society for Musical Performance and Mechanical Reproduction), copyright infrigement material has been blocked from the website.

The Federal Court of Justice (Bundesgerichtshof), the highest court in the system of ordinary jurisdiction in Germany, established a case of intermediary liability for anonymous reviews published in review portals. Intermediaries are under the obligation to verify the accuracy of reviews upon request. In effect, these entities are therefore obligated to monitor reviews if the anonymity of their portal makes it difficult for the person affected (the reviewed) to directly address the reviewer.

An Hamburg Court ruled that YouTube could not benefit from a liability exemption for hosting providers because it presents the uploaded by third parties content as its own content. On the other hand, the Bundesgerichtshof ruled that an image search service could benefit from the liability exemption for hosting as per Article 14 of e-Commerce Directive without specifying why a search engine should be classed as a hosting provider.

The German Regional Court of Munich considered Usenet (a system in which users post messages to a newsgroup) as a caching provider because information was mirrored and stored on its service for about 30 days.

In June 2017, the German government passed a law which requires companies including Facebook, Twitter and Google to remove any content that is illegal in Germany — such as Nazi symbols or Holocaust denial — within 24 hours of it being brought to their attention. The law allows for up to seven days for the companies to decide on content that has been flagged as offensive, but that may not be clearly defamatory or inciting violence. Companies that persistently fail to address complaints by taking too long to delete illegal content face fines that start at EUR 5 million and could rise to as much as EUR 50 million. The law took effect in October 2017.

The Directive 2000/31/EC (E-Commerce Directive) is the legal basis governing the liability of Internet Services Providers (ISPs) in the EU Member States and includes a conditional safe harbor. The Directive covers any type of infringement of third-party rights, including intellectual and industrial property rights and personality rights.

The limitations on liability in the Directive apply to clearly delimited activities (mere conduit, caching and hosting) carried out by internet intermediaries, rather than to categories of service providers or types of information. While it was not considered necessary to cover hyperlinks and search engines in the Directive, the Commission has encouraged Member States to further develop legal security for Internet intermediaries.

Since not all Member States have transposed the relevant articles consistently, the national case law is divergent and leads to legal insecurity on an EU level.

The Telemedia Act is based on the E-Commerce Directive. However, Germany does not use the term "actual knowledge" in its transposition of Article 14, but refers merely to "knowledge."

In certain states, public and private hospitals can use IT services external to the hospital only if they obtain prior consent of the subject or if there is prior anonymisation of the patient data.

In general, the collection, use and processing of social data shall be entrusted to public servants who owe their services and loyalty to the state. The use of cloud computing by private entities is subject to certain restrictions. It must ensure the absence of disturbances during the operations, lead to significant cost savings and the major part of the database has to remain with the respective public authority.

The use of Cloud Computing services may – depending on the information stored and the purpose of storing these information – constitute a disclosure of confidential information in violence of professional secrecy in the meaning of Sec. 203 StGB (German Criminal Code).

The professional secrecy includes personal data as well as all facts, which are been obtained for professional reasons. Professionals who are subject to professional secrecy are especially, but not exclusively, lawyers and legal professionals, medical professions, social care, clerical professionals and civil servants.

In general, the storage and processing of public registers / records with sensitive data of citizens (such as records of the tax authority or criminal records or registers of births, marriages and deaths or weapon registers or registers of data of social security institutions) may not be outsourced. Moreover, restrictions on cloud computing may arise from the exclusive access of civil servants to the exercise of sovereign powers, which is granted by the German Costitution (Art. 33(4)).

The requirements vary between different States in Germany. For example, in Brandenburg the authorities which store a register of the residency of Brandenburg’s citizens are only allowed to use private Cloud Computing services which are located in Brandenburg (Sec. 35 BbgMeldeG).

In August 2015, Germany issued nationwide guidelines that prohibit government agencies from using clouds to store sensitive data if the cloud company processes data outside the Germany. Cloud providers could qualify for the "German cloud" certification if their servers and company headquarters are located in Germany. However, the proposal was later withdrawn.

Under Germany’s Telecommunications Act, the government has a right to request data stored by telecommunications companies to advance certain prosecutorial and protective functions.

In June 2017, the German government passed a law to hand police the power to hack into devices belonging to all people suspected of criminal activity and not just those expected of terror offenses. Germany's security forces are able to hack into WhatsApp, Telegram and other encrypted messaging services as of the end of 2017, using a new version of Germany's state spyware, Remote Communication Interception Software (RCIS).

Under the Directive on Data Retention, operators were required to retain certain categories of traffic and location data (excluding the content of those communications) for a period between six months and two years and to make them available, on request, to law enforcement authorities for the purposes of investigating, detecting and prosecuting serious crime and terrorism. On 8 April 2014, the Court of Justice of the European Union declared the Directive invalid. However, not all national laws which implemented the Directive have been overturned.

In 2010, the German Constitutional court found the implementation of the Directive on Data retention was unconstitutional. Yet, in October 2015, a new data retention law has passed, which will enter into force in 2017. The law provides that telecommunication providers must retain data such as phone numbers, the time and place of communication (except for emails), and the IP addresses for either four or 10 weeks. The data is to be stored in servers located within Germany (§113b).