Wednesday, 12 October 2022

German data protection agency says visitors have no privacy rights

In an unexpectedly abrupt and improper dismissal of my complaint against Deutsche Telekom and its subsidiary T-Mobile USA, the German national data protection authority (BfDI) has informed me that, in the opinion of the BfDI, foreign visitors to Germany have no privacy rights, even when we are travelling in Germany and personal data about us is collected in Germany by German companies:

The application of the GDPR requires the data subject to be within the European Union. For non-EU citizens who do not stay or reside within a member state of the EU, the regulations of the GDPR are not applicable. Therefore I am not able to help you with your concern.

I have asked the BfDI to reconsider this improper opinion.

The opinion of the BfDI that privacy rights under European Union law (the GDPR) are limited to EU citizens and residents is, of course, similar to the position of the U.S. government that such data privacy rights as are recognized under U.S. law (which are, even for U.S. citizens, much more limited than those in the EU under the GDPR) are limited to U.S. citizens and permanent residents.

But EU and international law recognizes that privacy rights are human rights that do not depend on citizenship, nationality, or residence.

As I point out in my request to the BfDI for reconsideration, this is made clear both in the text of the GDPR and in the guidance of the European Data Protection Board (EDPB) regarding its territorial scope. According to the EDPB guidelines (English version, German version):

[G]eographical location is not important for the purposes of Article 3(1) with regard to the place in which processing is carried out, or with regard to the location of the data subjects in question.

The text of Article 3(1) does not restrict the application of the GDPR to the processing of personal data of individuals who are in the Union. The EDPB therefore considers that any personal data processing in the context of the activities of an establishment of a controller or processor in the Union would fall under the scope of the GDPR, regardless of the location or the nationality of the data subject whose personal data are being processed. This approach is supported by Recital 14 of the GDPR which states that “[t]he protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data.”…

The wording of Article 3(2) refers to “personal data of data subjects who are in the Union”. The application of the targeting criterion is therefore not limited by the citizenship, residence or other type of legal status of the data subject whose personal data are being processed. Recital 14 confirms this interpretation and states that “[t]he protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data”.

This provision of the GDPR reflects EU primary law which also lays down a broad scope for the protection of personal data, not limited to EU citizens, with Article 8 of the Charter of Fundamental Rights providing that the right to the protection of personal data is not limited but is for “everyone”….

[T]he EDPB considers that the nationality or legal status of a data subject who is in the Union cannot limit or restrict the territorial scope of the Regulation.

The requirement that the data subject be located in the Union must be assessed at the moment when the relevant trigger activity takes place, i.e. at the moment of offering of goods or services or the moment when the behaviour is being monitored, regardless of the duration of the offer made or monitoring undertaken.

Some readers have asked why I would expect to have any rights under German law, or why I would seek redress from the BfDI, rather than from “competent U.S. data protection/regulation authorities” (as unhelpfully suggested by the BfDI), for violations of my rights committed in both Germany and the USA by both Deutsche Telekom and T-Mobile USA (including data pertaining to my “roaming” on the Deutsche Telekom cellular network, which has been collected in Germany by Deutsche Telekom, while I was travelling in Germany, and transferred to T-Mobile USA).

As I explain in my request for reconsideration, the USA has no general data protection law or regulations and no independent data protection authority. I have given T-Mobile USA formal notice of its violation of the California Consumer Privacy Act (CCPA). But it is at the discretion of the Attorney General of California whether to take any legal action to enforce the CCPA. And the Attorney General is not required to respond to complaints or give any notice of their decisions.

I chose T-Mobile as my mobile phone carrier because I knew that it was, at that time, a wholly-owned operating division of Deutsche Telekom. I chose to give my business to a German company in order to assure a higher degree of protection for my personal data.

As a U.S. citizen, I am subject to U.S. jurisdiction wherever in the world I go. I am required to comply with U.S. law even when I am travelling outside the USA. It is a violation of U.S. law for me to buy marijuana or Cuban rum, even when I am travelling in countries where those activities are not a violation of local law. The same is true for U.S. companies and their subsidiaries worldwide. Subsidiaries controlled by U.S. companies, even when they are incorporated abroad, are required to comply with U.S. laws such as U.S. trade embargoes against Cuba, Iran, etc.

The same, I believe, applies to German citizens and to German companies, such as Deutsche Telekom, and their divisions or subsidiaries such as T-Mobile USA. I expect that a German company, like a German citizen, will comply with German law wherever in the world it does business.

The interpretation of the GDPR announced by the BfDI would give German companies a free pass to violate the privacy of foreign visitors, and allow and encourage them to set up subsidiaries in jurisdictions of convenience like the USA to carry out privacy-invasive activities.

Being able to assure U.S. customers that they will have more protection for their personal data when they deal with a German company (or its U.S. subsidiary) than if they deal with an independent U.S. company should be a competitive advantage for German and other EU companies.

Why aren’t EU companies and their U.S. subsidiaries advertising EU data protection as a selling point in the USA? Sadly, I suspect it’s because they don’t want to call attention to the fact that most of them don’t comply with the GDPR even in their home countries. Enforcement of the GDPR has been, for most companies in most EU countries, a “paper tiger”. In my experience, that’s been especially true with large, iconic national corporations, especially those in which the government has, or formerly had, an ownership stake: Lufthansa in Germany, KLM in the Netherlands, Air France in France. But companies such as Deutsche Telekom should not be deemed too large, or too important to national prestige, to be subject to sanctions when they ignore the laws of the EU and of their home countries.

Privacy is a human right, not a right of citizenship. Travellers and visitors should not be left out of privacy protection. I hope the BfDI will reconsider its hasty and improper decision to reject my complaint.

[Follow-up, 3 December 2022: German data protection authority reaffirms that visitors have no privacy rights]

Link | Posted by Edward on Wednesday, 12 October 2022, 00:42 (12:42 AM)