German data protection authority reaffirms that visitors have no privacy rights

In response to my request for reconsideration of its initial earlier decision rejecting my complaint against Deutsche Telekom, Germany’s national data protection authority, the BfDI, has reaffirmed that it thinks foreign visitors have no rights under German and European Union privacy and data protection law — even when we are travelling in Germany and information about us is being collected in Germany by divisions and subsidiaries of a German company.

The latest message I received from the BfDI (official message in German, unofficial English translation) comes in response to my request for reconsideration of the dismissal of my complaint against Deutsche Telekom and its subsidiary T-Mobile USA for refusing to tell me what information they have collected about me — including information about me which they improperly disclosed to others in a data breach.

The latest response from the BfDI to my request for reconsideration gives a somewhat different, but equally invalid, rationale for rejecting my complaint than the initial notice I received from the BfDI.

In its latest and apparently final answer to my complaint (German, English), the BfDI makes a series of claims that are variously irrelevant, factually false, and/or contrary to German and EU law:

1. “The Federal Commissioner for Data Protection and Freedom of Information (BfDI) is only competent if the controller is located in Germany.” As a matter of law, this is just wrong. The BfDI has jurisdiction over foreign companies that target individuals for collection of personal data in Germany, on the basis of their presence in Germany — as when T-Mobile USA customers are roaming in Germany, using services provided by Deutsche Telekom and its subsidiaries in relation to which information is collected so that customers can be charged for roaming.
   
   
2. “Deutsche Telekom AG is not active in the operational customer business — not even in Germany.” This is half-true, but irrelevant. The retail mobile-phone services of Deutsche Telekom in Germany are provided by a 100%-owned subsidiary, Telekom Deutschland GmbH. But Deutsche Telekom AG, as 100% owner, is legally responsible for the actions of Telekom Deutschland GmbH. And Deutsche Telekom’s Binding Corporate Rules Privacy clearly apply to Telekom Deutschland GmbH.
   
   
3. “It is irrelevant whether an owner or other parts of T-Mobile USA are based in Germany.” The BfDI contradicts itself, and contradicts German and EU law, by claiming that the “true” controller of data about my roaming data is T-Mobile USA, but that it doesn’t matter whether T-Mobile USA or its owner are based in Germany. If the data controller is really T-Mobile USA, then “whether an owner or other parts of T-Mobile USA are based in Germany” is, in fact, decisive in determining the applicability of German law to its activities in Germany.
   
   
4. “The scope is also not opened up by the fact that you may have stayed in the EU for a short time.” The BfDI seems eager to avoid acknowledging that short-term visitors have rights. That’s understandable, and a government agency in the USA might be just as reluctant to recognize that foreign visitors have rights. But as I noted in my request for reconsideration, the guidelines (English, German) of the European Data Protection Board (EDPB) regarding the territorial scope of the EU General Data Protection Regulation (GDPR) are unambiguous: the GDPR applies equally to everyone physically present in the EU, no matter how short and transient their stay.

The BfDI has not told me whether, or if so how, I can have its (clearly erroneous) decision reviewed by a German or European court. I don’t have a lawyer in Germany and don’t speak German, which is probably why both Deutsche Telekom and the BfDI assume that they can violate my rights with impunity. I would welcome advice and legal assistance from my German friends.