As do many other countries, Germany struggles to find the right balance between privacy and cybersecurity. It is a balancing act on many fronts. The German government has proposed a mandatory (bulk) data retention law (Vorratsdatenspeicherung) that would require companies to store traffic data for set periods in case the information is needed to prosecute potential terrorist activity or other serious crime. These sensitive data sets must be stored in Germany. Many Germans believe that the bulk collection of their traffic data (call records, cell tower location data, and email connection data) infringes on their fundamental privacy rights. Even if the measure passes Parliament this fall, it will almost certainly be challenged in the courts, with an uncertain outcome. The government has been put on notice: its predecessor law drew noisy activists into the streets until the German Federal Constitutional Court struck it down on 2 March 2010. In that landmark ruling, the justices did not rule out mandatory data retention as a tool against serious crime entirely, but imposed such high constitutional standards that the government is well advised to handle the issue like a basket of raw eggs. The government argues that mandatory data retention is needed, that the Court's requirements are fully met, and points to neighboring France, which recently adopted intrusive legislation going in the same direction.
But there is more to it: Without much media coverage, the German Bundesrat (the upper chamber representing the states) last week approved far-reaching amendments to the IT security law (the "BSI Act") that the Bundestag, the lower chamber, had already passed. The law now heads to the Federal President's desk for his signature, usually a formality, and will enter into force soon after its publication in the Federal Law Gazette. The BSI Act's goal is to force German "operators of critical infrastructure" to improve their IT security and to report risks, a goal shared by almost everyone in Germany given the recent global cyberattacks. Germany has had its share of cybersecurity incidents. In June, the Bundestag was utterly unprepared for a massive cyberattack in which several waves of Trojan horses and other malware hit its members and their staffs. Even Chancellor Merkel's Bundestag account was affected. The perpetrators obtained administrator rights, which gave them access to the entire computer network of the Bundestag (Parlacom). It is still unclear who is behind the attack and how to close the gaps it exposed. The President of the Office for the Protection of the Constitution, Hans-Georg Maassen, has expressed concern that it could be the work of a foreign intelligence service. There has been a lot of finger-pointing toward Russia, but there is no clear evidence that the attack came from there.
Given the allegations that the German intelligence agencies were already unable to protect high-ranking politicians, including Chancellor Merkel and her predecessors, from NSA spying, the government is resolved to take a more aggressive stance against cyberattacks and espionage. Without clear commitments from German industry to cooperate with the government and to share information among themselves, cyberattacks cannot be fended off. Mirroring the main themes of President Obama's National Cybersecurity Initiative and the Protecting Cyber Networks Act (PCNA), passed by the House on 24 April, the German BSI Act seeks to bundle the relevant forces and calls the operators of critical infrastructure into action. The law beefs up the relatively obscure BSI (Bundesamt für Sicherheit in der Informationstechnik, the Federal Office for Information Security) and significantly expands its authority, upgrading it from a mere provider of cybersecurity for the federal government to an industry watchdog. It becomes a nationwide cybersecurity platform that must also shoulder the mission of monitoring the market for potential threats.
However, industry's reception of the various amendments made by the BSI Act has been lukewarm, if not hostile. Everyone realizes that defending against cyberattacks is in the vital interest of German industry and of Germany as a place to do business. But will the BSI Act do more harm than good? One major issue is that under the BSI Act providers may store connection data in order to detect and remedy disruptions. This already existing possibility results in "voluntary data retention" of between three days and six months, which opponents consider an illegal bulk data collection of the kind the Federal Constitutional Court has prohibited, and which should not be allowed under the guise of ensuring cybersecurity.
Moreover, industry is largely left in the dark by the government as to who is covered by the BSI Act, which targets "installations and facilities, or parts of it, in the sectors energy, information technology, telecommunications, transport, traffic, health, water, food, financial and insurance services …" Interpreted broadly, the BSI Act could affect almost everyone doing IT business in Germany. The Ordinance that is supposed to spell out the details and determine who is covered has not yet been issued.
Whether a company is in or out is therefore a highly relevant question. If the BSI Act applies, compliance costs for German industry as a whole could run into the billions. Even smaller companies will face bills for certifications, re-certifications, and audits in the six-figure range, since Sec. 8a of the BSI Act requires operators to demonstrate compliance at least every two years. All compliance measures must reflect the "current state of the art," to be determined by the BSI for each industry sector. Any security deficits uncovered must be disclosed to the BSI. A company that fails to meet the requirements imposed by the BSI risks a hefty fine. Telecoms providers are put on the hot seat in particular, because of various new requirements in the Telecoms Act that the BSI Act introduces or reinforces. They must disclose their security concept to the government, improve it if deemed necessary, and appoint a security officer. They must report potential cybersecurity problems and breaches proactively to BNetzA, the telecoms regulator. Their security concept must also be approved by the BSI, so they will have to deal with requests from two different regulatory bodies. BNetzA (not the BSI) can decide to make reports on potential disruptions or attacks public, which could severely harm a provider's business reputation and invite third parties to file suit against it.
Whether the BSI Act provides the right armory to battle cyberattacks, or even cyberwars, in the near future, and whether the BSI will master its new heavy workload, remains to be seen. Industry has two years from the date the Ordinance is issued to comply with the new provisions, almost an eternity in the cyber world. Once the BSI Act is fully implemented, the BSI could find itself flooded with a myriad of largely minor cybersecurity notifications. A different scenario is that at least some companies decide to keep their security breaches under wraps instead of alerting the BSI, hoping not to be caught, or arguing that the "functionality of their systems" has not been "negatively affected," the threshold the BSI Act sets for the reporting duty.
More generally, companies may be reluctant to share problems in their IT security systems with the BSI, let alone with their competitors. How the BSI will cooperate with foreign agencies is far from clear. An EU-wide approach against such attacks is still far from becoming a reality, in spite of all the good intentions at the EU level. With lingering suspicions that each country spies on the others, there is little incentive to share sensitive information on cybersecurity threats or security flaws in national IT systems across borders, even within the EU.
Dr. Axel Spies, Morgan Lewis & Bockius, Washington, DC. Dr. Spies is the author of AICGS Issue Brief 46: German/U.S. Data Transfers: Crucial for Both Economies, Difficult to Regain Trust