The right of access to information also applies to police databases
We are supporting a young man who lost his job due to a secret entry in a police database.
The GFF supports the request for information of a 26-year-old man against the Federal Criminal Police Office (BKA). The plaintiff had applied for a job as a steward at a music festival, as he does every summer – a job with which he regularly earns his living. However, a security check by the employer resulted in hits, so his application was rejected. The plaintiff wanted to follow up on this.
After several fruitless requests for information from various state police authorities, the plaintiff finally found what he was looking for at INPOL, an information system in which various state and federal police authorities can enter data. This database is administered by the BKA as the central office. However, the BKA would not tell the plaintiff what exactly was stored there. The underlying reason is that the BKA law assigns responsibility for the entries in INPOL to the agencies that fed in the information. The BKA, on the other hand, only has the role of a "gatekeeper": it must refuse to provide information without the consent of the agency storing the information (Section 84 (1) BKAG). The BKA is moreover of the opinion that it may not even provide information on which police authority this storing agency is. If that were correct, the plaintiff - and other people in a similar situation - would not be able to seek legal protection against an entry in INPOL. The right to information would go nowhere.
Police authorities would then not only be able to collect and retrieve data about citizens in INPOL without the individuals concerned being aware of it. This case also shows what serious consequences this practice can have for the people concerned: If, as in this case, earning opportunities are lost, even individuals' economic existence may be threatened. In this case, legal protection is made impossible - this is not only unacceptable, but also unlawful.
Wiesbaden Administrative Court submits case to the European Court of Justice
The case of the 26-year-old plaintiff demonstrates how opaque and consequential the data processing by police agencies is. The plaintiff has never been convicted of a crime. He therefore brought an action against the BKA before the Wiesbaden Administrative Court.
The judge of the Wiesbaden Administrative Court referred the case to the ECJ in a decision dated July 30, 2021. The reason for that was that the Administrative Court was also unable to obtain any further information about the body that ultimately stored the data. Thus, it could not invite this body to the proceedings in order to investigate further and - in the event that the action is upheld - to immediately oblige this body to provide information. For this reason, the Wiesbaden Administrative Court is now asking the ECJ directly whether this legal situation or this application practice is compatible with European law. Specifically, this concerns the Data Protection Directive for Justice and Home Affairs (EU) 2016/680 and the Charter of Fundamental Rights of the European Union (CFR).
Hence, the denial of the right of access affects the fundamental right to protection of personal data under Article 8 CFR, but also the right to private life, the right to freedom of occupation and the right to a judicial remedy (Article 47 CFR).
The ECJ had asked the plaintiff's lawyer Katrin Niedenthal for an opinion in September 2021. Because of the special European law dimension of the questions, this opinion to the ECJ was written to a large extent by junior professor Sebastian Golla and research assistant Dr. Anna Michel. In their opinion, they argue that the refusal to provide information about the storing authority violates European law.
Authorities are obliged to provide information
The fact that security authorities collect personal information in databases is not in itself prohibited. However, they must in principle provide information on it to the individuals concerned. The Federal Data Protection Act (Section 57 (1) Sentence 1 BDSG) obliges authorities to provide information on request about what data is stored about a person, for what purposes, and where it comes from. This ensures that individuals can check the accuracy of the data, as well as that it is being processed lawfully. If this is not the case, the persons concerned can request that the data be corrected or deleted (Section 58 BDSG).
This right is denied to the 26-year-old plaintiff in our proceedings. This is because the special right to information for the storage of data in INPOL (Section 84 (1) sentence 1 BKAG) means that the powers and responsibilities of the various authorities cancel each other out and in the end no information is provided. It is true that the right to information under Article 15 (1) of the JHA Directive may be restricted in certain constellations if the restriction is proportionate and the fundamental rights of the individual concerned are taken into account. However, this cannot be the case if nothing remains of the right to information - as in the plaintiff's case. By supporting the case - the first of its kind - we want to contribute to a clarification of this legal situation and application practice in the sense of fundamental rights.