I. Introduction
More and more freelancers are using external IT services. They make use of external cloud providers and data centres to simplify their work and involve external IT technicians via outsourcing and remote maintenance. This is very practical, but legally dubious – especially when it comes to so-called professional secrecy carriers. Lawyers, doctors, life and health insurers are not permitted to outsource technical services under criminal law in accordance with section 203 (1) and (3) of the German Penal Code (StGB). Violations of this rule will be punished with imprisonment of up to one year or a fine.
Until now, only disclosure to internal personnel, so-called «Gehilfen» (assistants), was permitted.
Pursuant to section 203 StGB, anyone who, without authorization, discloses a foreign secret, namely a secret belonging to his or her personal sphere of life or a company or business secret that has become known to him or her in a special function, is liable to prosecution.1 Secrets include all data from which a person protected by a secret can be reconstructed.2 This strict provision covers:
- lawyers and doctors, in particular with regard to remote maintenance;3
- insurance companies in the medical sector (health/life insurance).
The persons subject to secrecy in section 203 (1) no. 6 StGB include not only the employees of an insurance company, but also independent insurance brokers commissioned by it. A person entrusted by a personal insurer with the acquisition and servicing of customers will receive all personal data of the (future) policyholder that is necessary for the conclusion or execution of a contract or is usually requested. Therefore, he must be subject to the same obligation of secrecy as the insurer itself.4 An attempt to assign claims from a dentist’s contract contrary to section 203 StGB leads to the nullity of the assignment contract in accordance with section 134 of the German Civil Code (BGB).5 However, a person subject to professional secrecy does not then violate his obligation to maintain professional secrecy if he makes his financial, fixed asset and payroll accounting as well as the calculation of provisions, value adjustments and invoicing available on a machinable data carrier after being requested by the external audit (section 147 (6) sentence 2 of the German tax code [AO]).6
Section 203 StGB no longer applies to public-sector banks. In the opinion of the Bundesgerichtshof (Federal Supreme Court),7 for example, a savings bank is authorised to assign the loan claim because the assignment does not conflict with banking secrecy or the aforementioned criminal provision. With regard to a violation of banking secrecy, the Senate confirmed its landmark decision of 27 February 20078 that the effectiveness of the assignment of claims is not affected by a possible violation of the bank’s obligation to maintain confidentiality – as well as data protection provisions. In addition to this decision, the Senate has now decided that an assignment of a claim by a savings bank organised as a public-law institution does not constitute a – criminalized – infringement of private secrecy within the meaning of section 203 StGB.
In cases of section 203 StGB, outsourcing is therefore permissible only with the customer’s consent.9 A solution would be to consider the personnel of the subsidiary company as professional assistants within the meaning of section 203 (3) StGB.10 This presupposes that the parent company has an influence on who carried out the data processing in the concrete case and corresponding regulations in the framework agreement on the respective data processing are required here. The parent company and its subsidiary should agree that the technicians employed should be specifically named and placed under the instructions of the parent company. If such employees are functionally part of the staff of the parent company, they are to be regarded as assistants within the meaning of section 203 (3) of the StGB.11 However, this perspective might have the disadvantage that the external staff would become employees of the parent company according to the aspects of the employee leasing law.
The assignment of a medical fee claim to a commercial clearing centre violates the duty of medical confidentiality and is therefore punishable by section 203 (1) no. 1 StGB. A corresponding contract is null and void in accordance with section 134 BGB unless the patient has consented to the corresponding transfer of his or her data.12 The fact that a physician has commissioned a third party company to maintain his or her data processing system justifies a defect as to quality when the doctor’s surgery is sold and thus leads to the reversal of the entire purchase contract.13
One solution emerged in the form of order data processing. The Federal Supreme Court14 has asked the ECJ whether the transfer of traffic data from the service provider to the assignee of a payment claim for telecommunications services really violates telecommunications secrecy if the assignment for the purpose of collecting debited receivables is based on a sharp agreement on the processing of contract data apart from the general obligation on telecommunications secrecy and data protection in accordance with the applicable legal regulations. The ECJ has meanwhile considered an assignment of claims to be compatible with telecommunications secrecy.15 However, the assignee must act on instructions from and under the control of the service provider and must limit himself to the traffic data required for the collection of the claim. In particular, the contract concluded between the assignee and the service provider must contain provisions which ensure the assignee’s lawful processing of traffic data and enable the service provider to ensure that the assignee complies with these provisions at all times. It is controversial whether this jurisprudence can be transferred to other areas of the protection of secrecy, such as section 203 StGB.
II. Restructuring
The Ministry of Justice has taken the lead in reforming this criminal law. They couldn’t get themselves to simply abolish the rule. Rather, the externalisation of data processing has been permitted, at the price of extending the circle of secret agents.
1. Legislative History
The draft law of the Federal Government on the «Reorganisation of the protection of secrets in connection with the involvement of third parties in the exercise of professional secrets»16 was debated for the first time in the Bundestag on 27 April 2017 and subsequently referred to the relevant committees for further deliberation. While the bill as such was welcomed by all parties, there were also occasional criticisms of the planned changes.
Among other things, the original draft merely provided for the central amendments to the Penal Code and the new permission granting rules of professional conduct. Die Linken and Die Grünen (political parties) rightly pointed out that the bill was incomplete without a simultaneous adaptation of the procedural norms on the right to refuse to testify.17 In addition, the Bundesrat (Federal Council of Germany), which commented on the draft in the run-up to the meeting, warned that the privacy concerns of the persons concerned would not be sufficiently taken into account.18 In addition, it criticized the provision which provided for a punishable obligation for persons subject to confidentiality to commit the persons involved to secrecy. Since the act was designed as a premeditation act, a mere negligent breach of the duty, which is likely to be present as a rule, would remain unpunished.19 At least the opposition’s criticism was taken to heart in the committee meetings by including a simultaneous adjustment of section 53a of the German Code of Criminal Procedure (StPO) in the committee’s recommendation.20
Concerns about a new regulation in the Bundesrechtsanwaltsordnung (Federal Lawyers’ Act – BRAO) concerning the assignment of foreign service providers could not be resolved. The BRAO is to be amended with the new section 43e BRAO for the use of services.21 This is a permission granting rule of professional conduct for lawyers with the purpose of increasing the legal security of this professional group.22 The original draft provided in section 43e (4) BRAO that a lawyer may only commission a foreign service provider without the client’s consent if the protection of confidentiality in the respective country is comparable to protection in Germany. This regulation was regarded as impracticable, since it was hardly possible to study the level of protection of all countries.23 In the context of the committee consultations, therefore, an addition was made that does not require a comparable level of protection if the protection of secrets is not necessary in any case. This should serve the individual case justice and give the person with the secrecy a balance.24
2. Internally Cooperating Persons
No changes were made to section 203 (1) and (2) StGB in respect of the persons with confidential information. However, efforts have been made to introduce a new regulation for the auxiliary staff.
No disclosure within the meaning of the law is present if the persons named in section 203 (1) and (2) make secrets accessible to the assistants employed by them in their profession or to the persons employed by them in preparation for the profession (section 203 (3) StGB). The law now includes by section 203 (3) StGB the assistants professionally active with secret bearers. Accordingly, there is no disclosure if the person holding the secrets makes them available to this group of people. What is striking is the fact that only professionally active assistants are addressed here. These assistants must then be permanently employed on a professional basis and must be professionally located with the person responsible for secrecy. The role of freelancers is unclear. These are not part of the employment relationship, but are also managed as external employees.
3. Other Participating Persons
Bearers of secrets may disclose foreign secrets to other persons who are involved in their professional or official activities, insofar as this is necessary for the use of the activities of the other persons involved. The same shall apply to other participating persons if they make use of other persons who participate in the professional or official activities of the persons referred to in section 203 (1) and (2) StGB.
The term «sonstige mitwirkende Personen» (other contributor) is poorly chosen. Speaking of the person is to be connected with the fact that only a natural person can ever be the contact person for the threat of punishment. Thus, the regulation avoids the fact that at least in section 203 (2) StGB, legal entities are the actual agents. It is true that section 203 (4) StGB applies to the natural person as a legal entity under criminal law. The concept of the other participating person according to section 203 (3) and (4) StGB does not fit. Incidentally, it misses the point that major cloud providers such as Google are being downgraded to the role of merely a privy. The concept of the participating person therefore requires proximity to the natural person and excludes legal persons. This is also supported by the fact that the confidentiality obligations which must be imposed on the participating person must only be fulfilled in person. Section 43 BRAO correctly speaks more neutrally of the service provider.
The draft law refers to the examples of cooperation in the form of paperwork, invoicing work, answering telephone calls, file archiving as well as the operation and maintenance of IT systems.27 Furthermore, reference is made to the remote maintenance and the provision of external storage media for data; multi-level contractual relationships are also possible. The employees of the contractor or subcontractor shall also be regarded as contributing persons in accordance with section 203 (3) sentence 2 StGB. However, there is no need for direct contracts between the secret carrier and the subcontractor, which means that complex constructions such as dual employment relationships are no longer necessary. The circle of other persons involved is very wide. It also includes service contracts, work contracts and business management agreements. It also covers the entire field of external data processing. An exception applies only to indirect activities in the area of secrecy.28 There is a de minimis rule according to which any activity without direct relevance for data processing is not covered by the law.29 This means that neither shredder nor cleaning staff should be included in the scope of section 203 StGB. However, even according to section 203 (1) StGB, the secret carrier may have committed a criminal offence if, for example, he or she leaves files lying around and thus accepts that the cleaning staff takes note of them. In this respect, section 203 StGB contains, according to the new definition of the term «disclose» (see II. 4.), a dangerous opening of the penalties for unintentional data security violations.
4. Disclosure
However, section 203 (3) sentence 2 StGB also stipulates that secrets may be disclosed to other persons involved in their professional or official activities.
a) Dogmatic Problems
The wording in section 203 (3) sentence 1 StGB («no disclosure within the meaning of this provision is given, [...]») clarifies that the internal inclusion of assistants – as before – is an exclusion from the facts. If data is passed on to the first group of persons, the facts of the «disclosure» are already not fulfilled.30 Therefore, the client’s consent is not necessary, as the data subject remains exempt from prosecution. The legal situation is different with section 203 (3) sentence 2 StGB. In the case of external service providers, it is not assumed that they are acting in a manner that is excluded from the facts, but justified instead. This is already stated in the wording of the provision: «Those referred to in section 203 (1) and (2) may disclose third-party secrets to other persons.»31 The legislative reasons also expressly state that the disclosure of a protected secret «is not unauthorized and therefore not illegal».32
A mysterious sentence can be found in the legislative reasons. This refers to the direct involvement of professional assistants in the professional activity of the person who is subject to secrecy rules. It reads: «If such a direct connection is given, the seeking of consent of the person affected remains reasonable and practicable.»33 Obviously, the draft has overlooked in its explanatory statement the fact that the disclosure of secrets to other persons involved is not covered by section 203 (3) StGB, if this is necessary for carrying out the task. Rather, the passage from the justification for the decision refers to the differentiation between facts and unlawfulness. The information in question from the explanatory statement is therefore likely to become relevant both within the framework of the objective facts of section 203 StGB and with regard to the requirements regarding the justification of the disclosure of information by the secret carrier: an effective consent of the client to the disclosure of information can only be obtained if a «cooperation» according to this definition is given. Only if the required criterion of directness, i.e. a «concrete relation» between the activity of the lawyer and the other persons to whom he or she transfers data is fulfilled, the client can be provided with a complete description of the possible (contractual) relationship between the secret carrier and the other parties involved. This complete description is needed for the client’s comprehensive information necessary for the effectiveness of his consent. This requirement is also «reasonable and practicable» for the secret carrier if such directly comprehensible (contractual) relationships exist. However, this reasoning of the justification is only valid if the person concerned has given his or her consent. 
The special thing about section 203 (3) StGB is, however, that a new exclusion of facts or justifying factor has been created by the inclusion of the support staff required in this respect. The justification of the law is weak and misleading in that it gives the impression that a comprehensive informing and consent of the client is required.
b) The Concept of Disclosure
The concept of disclosure sounds active and encompasses all forms of communication of data. However, it may be unclear whether providing data for retrieval is also subject to the rule. The European Court of Justice has denied this for the case of European data protection law in its decision «Lindqvist».34 However, the explanatory memorandum indicates that the possibility of knowledge is sufficient.35 Nevertheless, this deliberately broad wording creates chaos for the primary secret carrier. For example, if a lawyer leaves his file carelessly in court, this would be a disclosure according to the new understanding. So it is not the purpose of the communication or the finality of the act that is at issue, but the mere possibility of taking note.36
However, this permission is only granted in a restrictive manner «insofar as this is necessary for the use of the activities of the other participating persons».37 The disclosure to this group of persons must therefore be covered by an objective criterion of necessity. It is not, however, a question of the necessity for the secret carrier, but for making use of the activities of the other persons involved. This irritates: if section 203 (3) StGB now relaxes the protection of confidentiality, this must refer to the necessity from the point of view of the secret carrier. It cannot be decisive how the other persons involved assess the necessity. By this opening section 203 (3) StGB has become almost indistinct. In the opinion of Pohle and Ghaffari, it should be decisive whether disclosure is necessary for the provision of services.38 In this respect, the focus should be on the secret carrier. However, the wording of the law does not provide this. The only decisive factor is the perspective of the contractor, who actually needs the disclosure to carry out his mandate. The wording of section 203 StGB suggests that the requirement for the use of the activity is taken into account and therefore the viewpoint of the participating person is decisive. The person participating would, in his or her understanding of the necessity, determine the scope of this provision. However, the primary secret carrier must be decisive. It must be based on his or her point of view and on the need to carry out his or her tasks.
c) A Circular Reasoning?
It is also astonishing that section 203 (3) and (4) StGB regulate other persons involved, even if they themselves are responsible for professional secrecy. In fact, it makes little sense to qualify tax advisors as other participating persons if they themselves are subject to professional secrecy. In this respect, a teleological reduction of the provision is appropriate in such a way that professional secrecy, for example that of tax advisers, remains unaffected and a breach of the obligation to secrecy is punishable.
5. New Sanctions
Section 203 StGB also contains new criminal offences. The rule in section 203 (4) StGB is dangerous. In future, prison sentences of up to a year or fines will be imposed for anyone who unlawfully discloses a foreign secret that has become known to him or her as a participant in the exercise or on the occasion of his or her activity as a participant. Every «other participating person» has therefore now also become a secret carrier and risks a prison sentence of up to one year if the secret is violated. Section 203 (4) sentence 2 StGB extends the criminal provision in the event that a person with confidential information becomes active without a non-disclosure agreement.
a) Obligation to Maintain Secrecy
It is questionable whether this obligation to maintain secrecy can only be understood formally. In this case, it would already be fulfilled if any non-disclosure agreement was in place. This viewpoint is therefore too narrow. Rather, the secret carrier must provide for and prove an efficient, comprehensive non-disclosure agreement, including agreed sanctions. It can be referred to section 11 of the German Data Protection Act (BDSG) old version and the EU General Data Protection Regulation (DSGVO). In particular, Article 28 (3) DSGVO contains minimum requirements for data processing by a processor, which also flow into section 203 StGB. This includes, for example, deletion obligations after the end of the data processing and the agreement on the obligation to obey instructions of the person responsible. Furthermore, the question arises as to whether the participating person and the responsible party/the secret carrier must also agree on a certain level of data security in addition to the paper agreement. The contract is, as we know, patient and would otherwise permit completely unsecured processing of the data by the person involved. However, the secret carrier has no way of directly verifying compliance with data security standards. Also, section 203 StGB only refers to the formal obligation of secrecy. Thus, the data controller will not be held liable under criminal law to monitor the observance of appropriate data security standards and, if necessary, to terminate the cooperation with the participating person.
The draft of the Federal Ministry of Justice contained a clearer passage in which section 203 (4) sentence 2 StGB also sanctioned the lack of careful selection of the persons involved and the lack of supervision of their activities under criminal law.39 These two additional obligations were surprisingly already dropped in the government’s draft. The associations involved pointed out, for example, that it is very often not possible to monitor external parties, since they are providers of mass services. However, with the mere obligation to maintain secrecy, the rule is ultimately ineffective. One knows the obligation to secrecy from the old section 5 BDSG and therefore also knows that an obligation to secrecy is ultimately only a paper tiger. It is therefore questionable whether the further obligations arising from the DSGVO can be read into this regulation. However, there will be criminal sanctions to prevent the provision from being interpreted so extensively with reference to the DSGVO. The DSGVO and the StGB stand independently next to each other and sanction separately with different instruments. In the past, especially doctors often asked themselves whether a practice sale or transfer of the practice is permissible.40 This problem can now be transferred to the sale of a cloud company. If this counts to the indirect secret carrier by section 203 (4) StGB, it might be difficult to sell the cloud company without consent of the indirectly concerned person (e.g. the patient) and to transfer a data management contract.
b) Relation to DSGVO
It is also unclear how an external service provider should deal with the clash of data covered by section 203 StGB and other data. The former are subject to section 203 StGB and would therefore have to be kept separately because of the special confidentiality obligations. Mixing these data with «free data» would be dangerous and would counteract the increased sensitivity associated with section 203 StGB.
There is also a dispute as to which effects section 203 (4) StGB (new version) has on data protection law. Section 203 StGB does not release in any way from an examination of the general data protection requirements, such as the existence of a data protection consent of the concerned persons.41 Therefore the BDSG, the DSGVO and section 203 StGB are applicable next to each other.42 In this respect, Article 28 of the DSGVO, which provides extensive obligations for order data processing, must be observed. In particular, the sample catalogue of contractual requirements needs to be carefully examined by a lawyer or a doctor.
c) Foreign Cloud Providers
It is also questionable how to deal with the problem of the activities of foreign collaborators. This opens up a problem of international criminal law within the framework of section 203 StGB. Pursuant to section 5 no. 7 StGB, the German criminal law is applicable for the protection of domestic legal property, i.e. the trade and business secrets of a company located in Germany or a company domiciled in Germany. This means that companies such as Apple or Google would have to fear the scope of German criminal law. With regard to the USA, there is also a higher liability risk because there is an enormous obligation to check the transfer of data abroad, particularly for small and medium-sized companies with a secret character. It would hardly be possible for these companies to adequately assess cloud services such as Microsoft or Google. However, the legislature did not want to grant a privilege for such audit risks and relies on the full rigour of professional ethics law regarding the correct examination of the foreign legal situation.
Thus, this applies under international criminal law to foreign cloud providers, for example in the USA. Due to section 5 no. 7 StGB, they have to fear in future that they will inevitably fall into the criminal liability trap.
III. The Right to Refuse to Testify
The amendment of section 203 StGB makes it possible for professional secrecy holders to include third parties. However, in accordance with section 203 StGB, the professional secrecy holders enjoy special protection under the StPO. This also includes, for example, the right to refuse to testify under section 53 StPO. There it is regulated that carriers of professional secrecy (the groups are specifically named in section 53 (1) nos. 1 to 5 StPO) can refuse their testimony. This is a logical consequence of section 203 StGB. Due to the involvement of third parties, so-called contributors,43 they also have professional secrets entrusted to them in the course of carrying out their work. For this reason, the amendment of section 203 StGB also entails an amendment of section 53a StPO. This regulation now relates only to the right of the contributors to refuse to testify. They should be equal to the professional secrecy holders in section 53 StGB. Section 53a of the StPO expressly states which groups of persons are included. The right to refuse to testify is associated with numerous other provisions of the StPO.
1. Effects on Section 97 StPO
The prohibition of seizure from section 97 StPO is in direct connection with the right to refuse to testify from sections 53, 53a StGB: it prevents circumvention of the right to refuse to testify by excluding the items listed there from seizure.44 For this reason, the amendment of section 203 StGB also entails an amendment of section 97 StPO.45 For now, the contributors of the professional secrecy carriers from section 53 StPO should also be subject to the prohibition of seizure. If professional secrecy holders have disclosed secrets to third parties, they may not be confiscated from third parties. Section 97 (2) sentence 2 StPO becomes superfluous, since the latter already decrees that items which are in the custody of contributors of professional secrecy holders listed therein may not be confiscated.46 Furthermore, the wording of section 97 (3) and (4) will be extended to include «contributors», so that these are also subject to the prohibition of seizure from section 97 StPO. This preserves the purpose of the right to refuse to testify.
The amendment of section 97 StPO has further effects, in particular on the provisional seizure pursuant to section 108 (1) StPO.47 If the prohibition of seizure pursuant to section 97 StPO applies, no provisional seizure pursuant to section 108 (1) StPO may be carried out. The prohibition of seizure also affects section 103 StPO.48 Accordingly, no searches may take place that are exempt from seizure pursuant to sections 97, 160a StPO. Thus, the extension of section 97 StPO also has an effect on further investigation measures.
2. Effects on Section 160a StPO
The amendment of sections 53, 53a StPO also influences the impact of section 160a StPO. In order to prevent circumvention of the right to refuse to testify by investigation measures, professional secrecy holders are protected by section 160a (1) and (2) StPO: investigation measures which would lead to knowledge of information obtained from persons with professional secrecy who are subject to the right to refuse to testify are therefore not permitted. In the newly amended section 53a StGB, the wording assigns contributors the same right to refuse to testify as the persons named in section 53a StGB.49 Pursuant to section 160a (3) StPO, 160a (1) and (2) are also applicable to the persons named in section 53a StGB50, so that investigative measures against contributors of professional secrecy holders are also inadmissible pursuant to section 53 StPO.
A new finding is that, following the amendment passed in the Bundestag, a separate right to refuse to testify is provided for the contributor (section 53a StPO). The exercise of this right of the other participating persons is vested in the professional secrecy holders (section 53a (1) sentence 2 StPO). Therefore, in the process case the cloud provider will have to consult with the person responsible for confidentiality in order to clarify the question of refusal to testify.
IV. Changes to BRAO
Finally, the BRAO was amended and section 43a (2) BRAO (regulations for the assignment of auxiliary personnel) was added. According to this, the lawyer has to oblige the external auxiliary personnel to secrecy in writing and to instruct them about the legal consequences of a breach of duty. In addition, he has to ensure in a proper manner that they comply with the obligation of confidentiality which applies to the employees of the lawyer and to all other contributing persons who participate in an activity of the lawyer on a professional basis. Therefore the regulation does not apply to independent service providers; here the general regulation of section 203 StGB remains in force.
The service provider is addressed in section 43e BRAO. This stipulates in section 43e (2) that the lawyer’s service provider has to be selected carefully. Section 43e (3) BRAO prescribes a written contract with the service provider, in which the service provider is obliged to provide detailed information on the criminal consequences of a breach of duty. Furthermore, such a contract must also explicitly address the question of subcontracting. A sharply defined regulation is section 43e (4) BRAO, which stipulates that services abroad may only be used if the protection of secrets that exists there is comparable to domestic protection. This should make it difficult to transfer data to the USA. In the age of Trump, the possibility of a free exchange of data with the USA remains problematic. However, the Bundestag has already had an understanding of the situation and supplemented the regulation with a case-by-case ruling, according to which an examination of the foreign legal situation is no longer necessary if this is no longer covered by the secret. However, this regulation is wide and shapeless. In the absence of specific examination criteria, it is hardly possible to apply this «rubber clause» in practice.
Section 43e (5) BRAO requires that the use of services in relation to an individual mandate may only take place with the client’s consent. In this respect, as in the past, the strict regulations remain in direct contact with the clients, after which client data can only be transferred in accordance with a sufficiently transparent and specified consent. However, it is questionable how this regulation is compatible with section 43 (3) BRAO. For the data from a concrete mandate the old regime with the restrictive conditions for external data services remains unchanged. The only consolation is that section 43 BRAO has no direct criminal consequences.
Section 43e (2) BRAO obliges the lawyer to select the service provider carefully and to terminate the cooperation without delay if compliance with the BRAO-specific requirements for the service provider is not guaranteed. Section 43e (3) no. 2 BRAO contains in particular the requirement that the service provider must be obliged to obtain knowledge of secrets only insofar as this is necessary for the fulfilment of the contract. It is also necessary to determine whether the service provider may establish subcontracting relationships. Section 43e (6) BRAO declares the consent of the client to be ineffective as such. This has to be coupled with the waiver of section 43e (2) to (4) BRAO. Therefore, the client has to expressly waive the security regulations of the BRAO with regard to data security and confidentiality in order for his consent to be effective. This is a major obstacle for the lawyer. Thus the settlement of a concrete mandate via external service providers is likely to be very difficult. There are also concerns in the medical field. After the reorganization, doctors can commission external service providers with accounting and only have to commit them to secrecy. This is not possible for lawyers because they depend on the requirement of a concrete explicit consent and waiver by the client. This inequality of treatment is unjustifiable and demonstrates the weaknesses of the recently adopted law.
V.
Conclusion
In summary, the law must be understood as an important reorganization of the information law. The 20-year discussion about the scope of the old section 203 StGB for data services is now coming to a provisional end. The first step towards liberalising the externalisation of cloud services and remote data transmission has been taken. Now lawyers or doctors are apparently free to contract external providers for their data processing. However, there is a risk of trouble for the external data processors, who are now subject to a variety of data security obligations under criminal law. They have to be instructed by the customer to maintain secrecy and, accordingly, have to carefully secure the customer’s confidential data. Lawyers continue to have the problem that client data can only be processed externally with the client’s consent; in this respect, there is still a criminal liability case.
Prof. Dr. Thomas Hoeren, Professor at the Institute for Information Law, Telecommunications Law and Media Law at the Westphalian Wilhelm University of Münster.
- 1 Thomas Fischer, in: Thomas Fischer (ed.), Strafgesetzbuch, 63. Auflage 2016, C.H.Beck, München, § 203 para. 3; Matthias Weidemann, in: Bernd von Heintschel-Heinegg (ed.), Beck’scher Online-Kommentar StGB, August 2017, § 203 para. 7.
- 2 OLG Bamberg [Higher Regional Court Bamberg], 10 April 2013, MMR 2013, p. 744.; LG Schweinfurt [Regional Court Schweinfurt], 4 December 2017.
- 3 According to Hamburgischer Datenschutzbeauftragter, 11. Tätigkeitsbericht 1992, p. 24; Bayerischer Landesbeauftragter für den Datenschutz, 14. Tätigkeitsbericht 1992, p. 10; Hessischer Datenschutzbeauftragter, 20. Tätigkeitsbericht 1991, p. 78; Eugen Ehmann, Strafbare Fernwartung in der Arztpraxis, Computer und Recht (CR) 1991, p. 293; Anke Zimmer-Hartmann/Marcus Helfrich, Datenschutzrechtliche Pflichten des Anwalts, Computer und Recht (CR) 1993, p. 104; on the consequences of the high level of data protection for a ban on the use of evidence Bundesverfassungsgericht (BVerfG) [Federal Constitutional Court] Apr. 12, 2005; cf. regarding remote maintenance Thomas Grützner/Alexander Jakob, Fernwartung, in: Thomas Grützner/Alexander Jakob (eds.), Compliance von A–Z, 2. Auflage 2015, C.H.Beck, München.
- 4 Bundesgerichtshof (BGH) [Federal Court of Justice], 10 February 2010.
- 5 OLG Braunschweig [Higher Regional Court Braunschweig], 13 September 2012; AG Hamburg [Local Court Hamburg], 9 July 2013; AG Mannheim [Local Court Mannheim], Zeitschrift für Datenschutz (ZD) 2012, p. 42.
- 6 Bundesfinanzhof (BFH) [Federal Fiscal Court], ZD 2015, p. 494; BFH [Federal Fiscal Court], 28 October 2009; Fischer (note 1), marginal no. 21.
- 7 BGH [Federal Court of Justice], 27 October 2009; OLG Schleswig [Higher Regional Court Schleswig]: According to this article, the inclusion of savings banks in § 203 StGB is to contradict the principle of the constitutional ban on arbitrariness.
- 8 BGH [Federal Court of Justice], 27 February 2007.
- 9 In the case of Health Service doctors, the prohibition of external data processing applies even if patients formally consent to the transfer of data; Bundessozialgericht (BSG) [Federal Social Court], 10 December 2008, MultiMedia und Recht (MMR) 2009, p. 434.
- 10 In this sense, for example Michael Heghmanns/Holger Niehaus, Datenschutz und strafrechtliche Risiken beim Outsourcing durch private Versicherungen, Zeitschrift für Wirtschafts- und Steuerstrafrecht (wistra) 2008, p. 161.
- 11 Same opinion Ehmann (note 3), p. 293.
- 12 LG Mannheim [District Court Mannheim], ZD 2015, p. 183.
- 13 LG Flensburg [District Court Flensburg], 5 July 2013.
- 14 BGH [Federal Court of Justice], ZD 2012, p. 229.
- 15 EuGH [European Court of Justice], ZD 2013, p. 77; similar and following the EuGH: BGH [Federal Court of Justice], MMR 2013, p. 471, ZD 2013, p. 229.
- 16 Regierungsentwurf [Cabinet Draft], Bundestags-Drucksache [BT] 18/11936, available at: http://dip21.bundestag.de/dip21/btd/18/119/1811936.pdf (all websites last visited on 18 April 2018).
- 17 Regierungsentwurf [Cabinet Draft], Bundestag Plenarprotokoll [BT] 18/231, p. 23406, available at: http://dip21.bundestag.de/dip21/btp/18/18231.pdf.
- 18 The Cabinet Draft (note 16), p. 43.
- 19 The Cabinet Draft (note 16), p. 43.
- 20 Regierungsentwurf [Cabinet Draft], Bundestags-Drucksache [BT] 18/12940, p. 2, available at: http://dipbt.bundestag.de/doc/btd/18/129/1812940.pdf; see to the pre-drafts too: Michael Grupp, Reform von Strafgesetzbuch und BRAO: Outsourcing in Kanzleien wird möglich, Anwaltsblatt 2017, p. 816 and Sonja Fechtner/Stefan Haßdenteufel, Die Novelle des § 203 StGB und weiterer berufsrechtlicher Normen, CR 2017, p. 355.
- 21 The Cabinet Draft (note 16), pp. 8.
- 22 The Cabinet Draft (note 16), p. 3.
- 23 The Cabinet Draft (note 16), p. 8.
- 24 The Cabinet Draft (note 16), pp. 8, 13.
- 25 Regierungsentwurf [Cabinet Draft], Bundestags-Plenarprotokoll [BTP] 18/243, p. 25097, available at: http://dipbt.bundestag.de/doc/btp/18/18243.pdf.
- 26 Draft of the agenda for the 960th session of the Federal Council on 22 September 2017, TOP 9, Regierungsentwurf [Cabinet Draft], Bundesrats-Drucksache [BR] 608/17 available at: http://www.bundesrat.de/SharedDocs/TO/960/tagesordnung-960.hdtm?nn=4352766.
- 27 The Cabinet Draft (note 16), p. 23.
- 28 The Cabinet Draft (note 16), p. 22.
- 29 The Cabinet Draft (note 16), p. 22.
- 30 Also: § 203 para. 3 sentence 1 StGB-E: «(3) There is no disclosure within the meaning of this provision if the persons referred to in paragraphs 1 and 2 make secrets available to their professional assistants or to persons preparing them for the profession. […]», the Cabinet Draft (note 16), p. 7.
- 31 § 203 para. 3 sentence 2 StGB-E: «[…] The persons referred to in paragraphs 1 and 2 may disclose foreign secrets to other persons who participate in their professional or professional activity, as far as this is necessary for the use of the activities of the other cooperating persons; […]», the Cabinet Draft (note 16), p. 7; the last half sentence of § 203 para. 3 sentence 2 StGB-E then refers to the passing on by other contributors to further persons.
- 32 The Cabinet Draft (note 16), p. 22; compare the Cabinet Draft (note 20), p. 12: «However, not every indirect, but also only an immediate participation in the occupational activity of the professional secretary may justify the right to refuse to testify in section 53a StPO-E.»
- 33 The Cabinet Draft (note 16), p. 22.
- 34 EuGH [European Court of Justice], MMR 2004, p. 95 with notes from Alexander Roßnagel.
- 35 The Cabinet Draft (note 16), pp. 18, 28.
- 36 Fischer (note 1), marginal no. 30a.
- 37 The Cabinet Draft (note 16), p. 23.
- 38 Jan Pohle/Sheila Ghaffari, Die Neufassung des § 203 StGB – der Befreiungsschlag für IT-Outsourcing am Beispiel der Versicherungswirtschaft?!, CR 2017, pp. 489, 492.
- 39 Ministerial draft of the Federal Ministry of Justice (BMJV) on a law on the revision of the protection of secrets in the participation of third parties in the professional practice of persons subject to the obligation of confidentiality, p. 4, available at: https://www.bmjv.de/SharedDocs/Gesetzgebungsverfahren/Dokumente/RefE_Neuregelung_Schutzes_von_Geheimnissen_bei_Mitwirkung_Dritter_an_der_Berufsausuebung_schweigepflichtiger_Personen.pdf;jsessionid=447C60D520C38D626CFE3F270104B426.1_cid324?__Blob=publicationFile&v=1.
- 40 Bundesgerichtshof (BGH) [Federal Court of Justice], 11 December 1991, BGHZ 166, pp. 268.
- 41 Other Opinion, Georg Wronka, Datenschutzrechtliche Aspekte des «neuen» § 203 StGB, RDV 2017, pp. 129, 131.
- 42 Pohle/Ghaffari (note 38), pp. 489, 494.
- 43 The Cabinet Draft (note 20), p. 8.
- 44 Bertram Schmitt, in: Lutz Meyer-Goßner/Bertram Schmitt (eds.), StPO, 59. Auflage 2016, C.H.Beck, München, § 97 marginal no. 1; Michael Lemke, in: Michael Lemke/Karl P. Julius/Christoph Krehl/Hans J. Kurth/Erardo C. Rautenberg/Dieter Temming (eds.), Heidelberger Kommentar zur StPO, 3. Auflage 2001, C. F. Müller, Heidelberg, § 97 marginal no. 1.
- 45 The Cabinet Draft (note 20), p. 8.
- 46 The Cabinet Draft (note 20), p. 9.
- 47 Schmitt (note 44), § 108 marginal no. 4.
- 48 Schmitt (note 44), § 97 marginal no. 1; § 103 marginal no. 7.
- 49 The Cabinet Draft (note 20), p. 3.
- 50 Schmitt (note 44), § 160a marginal no. 14.