Federal Constitutional Court of Germany

02/16/2023 | Press release | Distributed by Public on 02/16/2023 03:16

Legislation in Hesse and Hamburg regarding automated data analysis for the prevention of criminal acts is unconstitutional

Press Release No. 18/2023 of 16 February 2023


Judgment of 16 February 2023 - 1 BvR 1547/19, 1 BvR 2634/20

Automated data analysis

In a judgment pronounced today, the First Senate of the Federal Constitutional Court held that § 25a(1) first alternative of the Security and Public Order Act for the Land Hesse (Hessisches Gesetz über die öffentliche Sicherheit und Ordnung - HSOG) and § 49(1) first alternative of the Act on Data Processing by the Police for the Land Hamburg (Hamburgisches Gesetz über die Datenverarbeitung der Polizei - HmbPolDVG) are unconstitutional. These provisions authorise the police to process stored personal data through automated data analysis (Hesse) or automated data interpretation (Hamburg).

The provisions violate the general right of personality (Art. 2(1) in conjunction with Art. 1(1) of the Basic Law, Grundgesetz - GG) in its manifestation as the right to informational self-determination, because they do not contain sufficient thresholds for interference. They allow the further processing of stored data by means of automated data analysis or interpretation in certain cases, subject to a case-by-case assessment, when necessary as a precautionary measure to prevent specific criminal acts. Given the particularly broad wording of the powers, in terms of both the data and the methods concerned, the grounds for interference fall far short of the constitutionally required threshold of an identifiable danger (konkretisierte Gefahr).

§ 25a(1) first alternative of the Hesse Security and Public Order Act will continue to apply, subject to the restrictions set out below, until new provisions have been enacted, and in any case no later than 30 September 2023. § 49(1) first alternative of the Hamburg Act on Data Processing by the Police is void.

Facts of the case:

§ 25a(1) of the Hesse Act and § 49(1) first alternative of the Hamburg Act, which have essentially the same wording, provide a specific statutory basis for linking previously unconnected automated databases and data sources in analysis platforms and permitting systematic access of data across sources through searches. The provisions authorise the police to process stored personal data through automated data analysis (Hesse) or automated data interpretation (Hamburg), subject to a case-by-case assessment, in order to prevent serious criminal acts within the meaning of § 100a(2) of the Code of Criminal Procedure (Strafprozessordnung - StPO) (first alternative) or to avert dangers to certain legal interests (second alternative). Section (2) of both provisions provides that relationships or connections between persons, groups of persons, institutions, organisations, objects or matters can thereby be established, insignificant information and intelligence can be filtered out, insights generated can be matched to known facts and stored data can be analysed.

In Hesse, the police have employed the powers granted by § 25a of the Security and Public Order Act thousands of times each year via the platform 'hessenDATA'. In Hamburg, § 49 of the Act on Data Processing by the Police has not yet been put to use.

Key considerations of the Senate:

A. The constitutional complaints are only admissible to the extent that they are directed against the threshold for interference laid down in § 25a(1) first alternative of the Hesse Act and in § 49(1) first alternative of the Hamburg Act (data analysis or interpretation for the prevention of criminal acts). For the rest, they are inadmissible.

B. To the extent that the constitutional complaints are admissible, they are well-founded.

I. When stored data is processed by means of automated data analysis or interpretation, this constitutes an interference with the informational self-determination of all persons whose personal data is used in such processing. It is not just the further use of previously unconnected data that amounts to an interference with fundamental rights - the new intelligence that can be obtained through automated data analysis or interpretation can also affect fundamental rights.

II. Automated data analysis or interpretation requires justification under constitutional law. In principle, it can be justified. Compatibility with the principle of proportionality is of particular importance, the specific requirements of which depend on the reach of the powers in question. The challenged provisions serve the legitimate purpose of increasing the effectiveness of the prevention of serious criminal acts, in view of the development of information technology, in that they enable the discovery of indications of imminent serious criminal acts that might otherwise remain undetected in the police data. In the present proceedings, the Land governments demonstrated that, due to the increasing use of digital media and means of communication, particularly in the areas of terrorist and extremist violence and organised and serious crime, the police authorities are faced with ever larger data streams that are increasingly heterogeneous in terms of their quality and format. According to the Land governments, automated data analysis is essential for successful police action, since information on these crimes is difficult to obtain through a conventional search of police data records, let alone under time constraints. The provisions are suitable under constitutional law for increasing the effectiveness of the prevention of crime. They are also necessary, given that automated data analysis or interpretation can generate relevant intelligence for the prevention of crime that could not be generated equally effectively by other, less intrusive means.

III. Special requirements for the justification of the interference with fundamental rights here arise from the principle of proportionality in the strict sense. How stringent these requirements are in each case depends on the severity of interference resulting from the measure in question.

1. The severity of interference resulting from automated data analysis or interpretation is first of all determined by the severity of the interferences that resulted from the previous data collection; in this respect, the principles of purpose limitation and change in purpose that have been previously fleshed out in the judgment on the Federal Criminal Police Office Act apply.

Accordingly, the legislator may permit the use of data beyond the specific investigation that initially prompted the data collection measure if the contemplated use is still in line with the purpose for which the data was originally collected (further use in line with original purpose). Further use of data that serves the purpose for which the data was originally collected is only permissible to the extent that the data is used by the same authority in relation to the same task and for the protection of the same legal interests as was the case with regard to the collection of the data. In principle, the data may then be used as leads for further investigation.

Moreover, the legislator may allow the further use of data for purposes other than those for which the data was originally collected (further use with change in purpose). In this case, the principle of a hypothetical recollection of the data is the applicable standard for the proportionality review. According to this principle, the legislator may in principle allow for a change in purpose if the data of the police authorities concerns information that results, in an individual case, in a specific basis for further investigations aimed at detecting comparably serious criminal acts or averting impending dangers that, at least in the medium term, threaten weighty legal interests that are comparable to the legal interests whose protection justified the collection of the data in question.

In both cases, stricter requirements apply to the further use of data obtained through the surveillance of private homes or remote searches of IT systems.

Pursuant to § 25a of the Hesse Act and § 49 of the Hamburg Act, personal data can be subjected to further processing that is in line with the original purpose as well as processing with a change in purpose. Both provisions allow for the processing of large amounts of data, essentially without differentiation as to the source of the data or the original purpose of its collection. Adherence to the constitutional requirements arising from the principle of purpose limitation would therefore require sufficiently clear provisions to ensure compliance with the principle of purpose limitation, both in legal terms and in practical application.

2. Moreover, automated data analysis and interpretation amounts to a separate interference, because the further processing of data that has been collected and stored can result in new detrimental effects, which might be more onerous than the severity of interference of the original data collection; in this respect, the principle of proportionality in the strict sense requires additional justification.

a) Automated data analysis or interpretation is directed at generating new intelligence. The authorities involved here can generate far-reaching intelligence from available data through the use of practically all of the existing IT methods and also deduce new connections by way of data analysis. It is not unusual in and of itself that the police will make further use of the intelligence they have obtained as leads or grounds for further lines of inquiry, either by themselves or in conjunction with other available information, as jumping-off points for additional investigation. Yet automated data analysis and interpretation goes even further because it allows for the processing of large amounts of complex information. Depending on the method of analysis used, integrating existing data can generate new information affecting the personality of those concerned that would not be accessible otherwise. The measures in question thus result in a more intensive generation of information from the data. This process does not just yield intelligence on the persons concerned that is present in the data, but as yet undiscovered due to lack of connections, it can also come close to developing a full profile. This is because the software can open up new possibilities of filling in the available information on a person by factoring in data and algorithmic assumptions about relationships and connections surrounding the person concerned. The principle of purpose limitation by itself could then be inadequate in relation to the severity of interference.

b) The constitutional requirements for the justification of automated data analysis or interpretation vary, given that its severity of interference may differ substantially depending on the design of the statutory framework.

aa) In general, the severity of interference with the right to informational self-determination primarily depends on the type, scope and possible uses of the data, as well as the risks of abuse. Moreover, the permitted method of data analysis or interpretation has an impact on the severity of interference. The use of complex forms of data cross-checking can be particularly intrusive. In general, the intrusion by methods of automated data analysis or interpretation becomes greater the broader and deeper the intelligence that can thereby be obtained, the higher the margin of error and likelihood of discrimination, and the more difficult it is to retrace the links generated by the software.

bb) The legislator can thus determine the severity of interference by providing for rules regarding the type and scope of the data to be used and by limiting the permissible methods of analysis. The constitutional requirements regarding the prerequisites for interference correspond to the respective severity of interference of the measure in question. The requirements arising from the principle of proportionality in the strict sense for a particular measure depend on both the legal interest to be protected and the threshold for interference, that is, the grounds for carrying out the measure.

If automated methods give rise to serious interferences with the right to informational self-determination of affected persons, such interferences can only be justified subject to the strict requirements that apply to intrusive and covert surveillance measures generally. The use of such methods is only permissible to protect particularly weighty legal interests - such as life, limb or liberty of the person. The threshold for interference that is required here is that of a sufficiently identifiable danger (hinreichend konkretisierte Gefahr).

By contrast, less severe interferences may be justified if they serve to protect legal interests of at least considerable weight, such as the prevention of criminal acts that are at least considerable - provided that an identifiable danger exists. In turn, if a measure serves to protect high-ranking, exceptionally significant or particularly weighty legal interests, a threshold that is less stringent than an identifiable danger may be sufficient.

If the type and scope of the data to be included are limited by the law and the possible methods of analysis or interpretation are restricted to such a degree that a measure carried out on the basis of the power in question will not lead to more extensive insights into the life of affected persons than what could realistically be obtained by the authority, albeit more slowly and laboriously, without automation, or if the power is from the outset only aimed at identifying dangerous or sensitive locations, without generating personal information, then adherence to the principle of purpose limitation alone may be sufficient for justifying automated data processing.

cc) The threshold of an at least identifiable danger to particularly weighty legal interests can only be constitutionally dispensed with if the statutory framework, in a clear and sufficiently specific manner, limits the permissible options of analysis and interpretation so narrowly that the severity of interference resulting from the measures is substantially lower. In principle, the legislator can divide the task of setting out such rules, laying down some elements itself while allowing other rules to be determined by administrative authorities. However, the legislator must ensure that the rules limiting the type and scope of data that may be used and restricting permissible methods of data processing are sufficient in all situations and adhere to the requirement that interferences must be based on statutory provisions. An authorising statute can be considered for the determination of aspects that do not have to be set out by the legislator. Moreover, the legislator can require administrative authorities to further specify the abstract and general determinations set out in the law or in ordinances. That said, specification by way of administrative rules in any case requires a statutory basis. In this statutory basis, the legislator must ensure that the authorities comprehensibly document and publish the specifying and standardising determinations that will ultimately govern the application of the provisions in the individual case.

c) Based on the general standards set out above, the specific severity of interference of the - broadly worded - powers to carry out data analysis or interpretation pursuant to § 25a(1) first alternative of the Hesse Act and § 49(1) first alternative of the Hamburg Act is potentially great; constitutional law therefore requires that these provisions satisfy strict prerequisites for interference. The powers in question allow the automated processing of unlimited amounts of data by means of methods that are not circumscribed by law. They thus allow the police, with just one click, to create comprehensive profiles of persons, groups and circles. They may also subject many persons who are legally innocent to further police measures, if their data was collected in some context and the automated evaluation of this data leads the police to wrongly identify them as suspects. Therefore, the threshold of an identifiable danger to particularly weighty legal interests applies.

aa) Both provisions have virtually no restrictions on the type and amount of the data that can be used for data analysis or interpretation. They do not set out what types of data and what data records may be used for automated analysis or interpretation. In particular, the provisions do not differentiate between persons for which there are reasonable grounds to assume that they could commit a criminal act or those that have a particular connection to such persons, and others as to which no such grounds exist. They allow the far-reaching inclusion of the data of third parties, who as a result may be subject to police investigations.

bb) Based on their wording, the provisions moreover permit the use of very far-reaching methods of automated data analysis and interpretation. The legislator did not limit the permissible methods of analysis and interpretation. The challenged provisions also provide the basis for data mining, including the use of self-learning systems (AI), and permit open searches. Data analysis or interpretation can be conducted with the aim of detecting mere statistical anomalies, from which further conclusions can then be drawn, potentially with the help of other automated applications. The provisions do not impose any limits on the search results that can be obtained. Based on their wording, the search results could consist of machine evaluations - including prognoses of the potential for danger from certain persons by means of 'predictive policing'. Thus, the data analysis or interpretation can generate new information affecting the personality of the persons concerned that would otherwise not be accessible to the police. These potentially broad new insights are not accompanied by rules regarding their use that could lower the severity of interference.

In Hamburg, the legislator tried to exclude such far-reaching applications by using the term 'data interpretation' instead of 'data analysis'. However, this failed to clarify, in a constitutionally sufficient manner, that the automated application would be limited to showing matches on the basis of specific search criteria as opposed to replacing analysis and evaluation of the data carried out by the police.

cc) The challenged powers are also not sufficiently circumscribed by the fact that the technology for unlimited data analysis is not currently available. Even if expanded features can only be used following future technological developments, the constitutional requirements must in principle be based on the interferences that are legally possible.

IV. Based on these standards, § 25a(1) first alternative of the Hesse Act and § 49(1) first alternative of the Hamburg Act do not satisfy the requirements arising from the principle of proportionality in the strict sense, given that they do not contain sufficient thresholds for interference.

1. Insofar as the challenged provisions authorise data analysis or interpretation in order to prevent the criminal offences listed in § 100a(2) of the Code of Criminal Procedure, the grounds for interference are disproportionately expansive in light of the severity of interference and the provisions are thus unconstitutional. The additional prerequisite of a case-by-case assessment contained in both provisions does not contain any more detailed specifications. In the oral hearing, a somewhat narrower concept of how the case-by-case assessment is understood and applied by the police in Hesse was described: data analysis is always linked to a criminal act that has already been committed or, at a minimum, to a suspicion that a criminal act has been committed. A prognosis for the future is then made on this basis. In order to carry out automated data analysis under this concept, the following two assumptions must be possible: first, that one of the criminal offences listed in § 100a(2) of the Code of Criminal Procedure was committed in the past and, second, that on this basis, similar criminal offences are to be expected in the future.

Despite the detailed design of this police practice in Hesse, the constitutional requirements are not met because this concept, from the outset, fails to target at least an identifiable danger and the data suitable for averting such a danger. This is necessary given the broad wording of the powers contained in § 25a(1) first alternative of the Hesse Act and § 49(1) first alternative of the Hamburg Act.

Moreover, the challenged provisions do not set out a sufficient threshold given that the catalogue of offences in § 100a(2) of the Code of Criminal Procedure also contains mere threats in the form of preparatory criminal acts. Under constitutional law, the legislator is not precluded from tying the prerequisites for interference to a danger that preparatory acts will be committed. However, the legislator must then ensure that, in each individual situation, the requisite specific danger or identifiable danger to the legal interests protected by the referenced offences actually exists. Such safeguards are lacking in this case.

2. According to the statutory definitions, the prevention of criminal acts within the meaning of § 25a(1) first alternative of the Hesse Act and § 49(1) first alternative of the Hamburg Act does not just encompass the deterrence of crime, but also preliminary measures for the prosecution of future crimes. Under these provisions, police data is to be used by means of automated data analysis in order to gain insights for future intelligence work and police investigations. From this, it cannot be inferred that a specific danger or an identifiable danger would be required for such automated analysis to be permissible. Thus, in this regard too, the grounds for interference are not restricted in any way.

C. § 25a(1) first alternative of the Hesse Security and Public Order Act continues to apply until new provisions have been enacted, but in any event no longer than 30 September 2023. Given the significance that the legislator may accord to the powers in question for the exercise of state functions and for police work in Hesse, a temporary application of the provision is preferable to a declaration of voidness.

However, in ordering the continued applicability of the provision, it is necessary to impose certain restrictions to protect the affected fundamental rights. These, however, do not predetermine the new provisions to be enacted by the legislator. Based on the concept used by the police in Hesse, police officers in Hesse may only make use of the power contained in § 25a(1) first alternative of the Hesse Act subject to the following conditions: sufficiently specific facts must give rise to the suspicion that a particularly serious criminal offence within the meaning of § 100b(2) of the Code of Criminal Procedure has been committed and it is expected, given the particular circumstances of the suspicion in the individual case, that similar criminal offences will be committed that will jeopardise the life and limb of the person or the existence or security of the Federation or a Land. Furthermore, the existence of these requirements and the specific suitability of the data used to prevent the expected criminal offence must be confirmed in a written explanation in each individual case; it must also be ensured that no information is used that was obtained through the surveillance of private homes, remote searches, telecommunications surveillance, traffic data retrieval, longer-term observations, the use of undercover investigators or confidential informants or through similarly serious interferences with the right to informational self-determination.

§ 49(1) first alternative of the Hamburg Act on Data Processing by the Police is void. There are no ascertainable circumstances that would make a temporary order of continued application necessary and could justify such an order.