Regulating governmental data mining in the United States and Germany: constitutional courts, the state, and new technology.

• Author: Schwartz, Paul M.

INTRODUCTION I. DATA MINING AND RASTERFAHNDUNG (DATA SCREENING) A. Data Mining in the United States B. Data Screening in Germany C. The Statutory Regulation of Data Screening II. THE FEDERAL CONSTITUTIONAL COURT'S DATA SCREENING OPINION A. Background of the Case B. The "Concrete Danger" Requirement 1. The Right to Informational Self-Determination 2. Proportionality Review and the Failure of the Lower Courts C. The Dissent III. NEW TECHNOLOGY AND A TALE OF TWO CONSTITUTIONAL COURTS A. New Technology and the "New Constitutionalism" of Europe B. Two Approaches to Informational Privacy CONCLUSION INTRODUCTION

For the anthropologist Clifford Geertz, law is "part of a distinct manner of imagining the real." (1) In Local Knowledge, he argues that, at a fundamental level, legal systems create a way of envisioning the world and then develop different kinds of "techniques"--whether through legal institutions, methods, or doctrines--that make this vision the correct one. (2) The consequence is, of course, that the law in different countries will "see" different things. This point proves applicable to the study of comparative privacy law. Building on Geertz's insight, this Article searches for distinct as well as shared aspects of one area of law in two countries. It seeks to determine whether German and American lawyers, judges, and policymakers are seeing the same or different things when regulating one form of technology--namely, data mining.

As a further matter, current privacy scholarship has a great need for targeted studies that look at specific areas of information use in different countries. After a first generation of broader comparative studies, today's privacy scholarship needs more targeted analysis of specific areas of data use. As Spiros Simitis has argued, "[e]ffectiveness of data protection law crucially depends on the ability to react in a fashion that focuses on concrete situations of processing, and the ones that are especially important from the perspective of the affected party." (3) In such a fashion, this Article will look at how the legal systems of Germany and the United States respond to the use of data mining by the government for law enforcement and national security purposes.

As an initial matter, it is important to establish certain basic terminology. Americans commonly refer to "data mining"; in Germany, the standard reference is to "Rasterfahndung," which literally means "a screening search." (4) In this Article, I use data mining as the general term of art and to refer to the practice in the United States. In discussing German law, I refer to this practice as "data screening." This term is a closer translation of the German concept, and its use will permit a reader to know at a glance that a reference is to Germany. Another benefit of this approach is that it avoids an assumption that American and German jurists are using the same mental map when they speak of "data mining" or "data screening," respectively.

Although this Article employs these two terms, a computer remains a computer, whether in the United States or Germany, and the underlying technology in both countries is the same. One can, therefore, provide a unitary definition of data mining as a series of techniques for extracting knowledge from large stores of digital data. Alternative terms for this technique include "knowledge mining from data, knowledge extraction, data/pattern analysis, data archaeology, and data dredging." (5) Another definition views data mining simply as involving "a diverse set of tools for mathematical modeling." (6)

Part I of this Article explores the basic regulation of this technique in Germany and the United States. It finds a long engagement with data screening in Germany, one that dates back to the battle against the Red Army Faction in the 1970s. German law also regulates this practice in both federal and state statutes. In contrast, decisions of the U.S. Supreme Court from the 1970s have created a constitutional jurisprudence that frees the use of this process from the strictures of constitutional law. At the statutory and administrative level, moreover, there is scant regulation of this practice. Part II then examines the German Federal Constitutional Court's Data Screening decision of 2006. (7) In this decision, the German court read strict constitutional requirements into any use of data screening for so-called "preventive purposes." Finally, Part III contrasts the German and American legal approaches to this new technology for law enforcement and intelligence agencies. This Article draws comparative lessons about the differences between the U.S. Supreme Court's hands-off approach, and the "new constitutionalism" of Germany, which features a constitutional law court that concentrates solely on interpreting and developing a constitution. This Article further highlights two contrasting approaches, at the substantive level, to a constitutional law of information privacy.

1. DATA MINING AND RASTERFAHNDUNG (DATA SCREENING)

   This Part will explore the basics of German and American regulation of the state's data mining for law enforcement and intelligence purposes. In the United States, the practices of data mining are largely unregulated with the main focus placed on the initial collection of information and not on the processes to which it is subsequently put. In contrast, data screening is closely regulated in Germany. It is also organized along a distinction concerning whether this technique is used to investigate past crimes or to carry out a preventive response to potential crimes.

   1. Data Mining in the United States

      In the United States, legal policymakers draw a distinction between "subject-based" and "pattern-based" data mining, (8) In subject-based searches, law enforcement officers or intelligence agents use data mining to gather information about subjects that they already suspect of possible wrongdoing or that are otherwise of interest. (9) The National Research Council's blue ribbon report, Protecting Individual Privacy in the Struggle Against Terrorists, places subject-based data mining "[o]n the more routine end of the spectrum." (10) It observes that this technique involves "the searching of large databases for characteristics that have been associated with individuals of interest, that is, people who are worthy of further investigation." (11) As a specific example, in subject-based data mining, officials seek data about "people who own cars with license plates that are discovered at the scene of a terrorist act or whose fingerprints match those of people known to be involved in terrorist activity." (12) This technique automates activities that a detective or intelligence analyst might otherwise have carried out manually when drawing on analog data. (13) Yet this technique also broadens and expands these activities by allowing officials to make use of the extensive databases of our Information Age. (14)

      With pattern-based data mining, in contrast, the government investigator develops a model of assumptions about the activities and characteristics of culpable individuals or the indicators of criminal or terrorist plans. (15) The investigator then uses computer software to search databases containing transactional and personal information for "hits" or matches. (16) The search looks for a correspondence between a model of criminal or terrorist plans and the patterns created by data left by potentially culpable individuals. (17) This approach identifies the guilty by their data trails. Particularly important in pattern-based data mining is a mechanism for feedback so that learning over time is possible. (18) In particular, there is a need to test the assumptions upon which the pattern-based analysis rests. (19)

      In the United States, constitutional law and criminal procedure leave data mining, whether subject-based or pattern-based, largely unregulated. Statutory law does place some limits on the government's initial ability to collect information. (20) There is, however, an exception to this rule of nonregulation, which concerns a small subcategory of data mining, one largely shrouded in secrecy. In the Foreign Intelligence Surveillance Act of 1978 (FISA) Amendments Act of 2008, Congress created procedures for the National Security Agency's (NSA) surveillance of certain phone calls with a nexus to the United States. (21) At the same time, this statute does not regulate data mining per se. (22)

      We begin, however, not with the exception, but with the rule. In American law, the Fourth Amendment is the critical constitutional provision regarding data mining. The Fourth Amendment establishes the right of the people to be secure from "unreasonable searches and seizures" in their "papers, and effects." (23) It also prohibits the issuing of search warrants for reasons less than "probable cause." (24) By the 1970s, the Supreme Court had developed the essential Fourth Amendment case law, and its opinions in United States v. Miller and Smith v. Maryland remain the leading cases in this area. (25) Due to the Supreme Court's interpretation of the reach of the Fourth Amendment, data mining is left free of constitutional restrictions. (26) The first restriction, from the Miller opinion, finds that the Fourth Amendment is inapplicable to stored data in the control of third parties. (27) The second restriction, from Smith v. Maryland, finds that the Amendment is inapplicable to any aspect of telecommunications that is not the "content" of a telephone conversation. (28)

      In Miller, the Supreme Court declared that no "legitimate 'expectation of privacy"' existed in documents that an individual stored with a third party. (29) Miller concerned bank records, and the Court found that a "depositor takes the risk, in revealing his affairs to another, that the information will be conveyed by that person to the Government." (30) In Smith v. Maryland, the Supreme Court developed a "content" versus...