The well-known rule of thumb 70-80-90 (70% of the Earth’s surface is covered by water, 80% of all people live on the coast, and 90% of international trade is transported by sea) directly favors the development of offshore infrastructures in coastal areas – including our waters. For transportation purposes, bridges, pipelines, and underwater cables are installed; for resource harvesting, oil platforms, aquaculture facilities, as well as tidal and wind energy parks are constructed. Of course, sensors and actuators can be used in a dual-use manner for the first stage of early detection within the CSW (Confined and Shallow Water) situational picture to protect critical infrastructures (KRITIS) at sea. This requires data fusion, anomaly detection, and the generation of situational awareness. Assuming that all owners and operators of infrastructures cooperate and are willing to provide their high-value maritime data for the joint situational picture, the technical challenges for implementation are largely solved. The problem for German maritime areas (TTW, < 12 NM) lies in the legal framework (EEZ regulated by the federal government, coastal areas regulated by the federal states) regarding data cooperation.
Disregarding the special case that Helgoland belongs to Germany but not to the EU (thus an export to a third country), and consequently – if we are being honest – even data transmission would require a BAFA export license involving complex applications, the ban on data retention applies in Germany. The VerkdHSpFruSpPflEG law has been invalidated.
The draft law introducing a security order for traffic data in the German Code of Criminal Procedure (20/14022) dated 03.12.2024 describes the current situation as follows:
“Provisions on so-called data retention have repeatedly been the subject of rulings by the European Court of Justice (ECJ) (...). The provisions of German law on data retention are not compatible with EU law (...). The Federal Constitutional Court (BVerfG), in its judgment of March 2, 2010 (1 BvR 256/08), already declared them null and void due to a violation of Article 10(1) of the Basic Law (GG). … Against this backdrop, it can be assumed that in practice, data retention has not been implemented in Germany for over 14 years, nor has it been used for criminal prosecution purposes….”
We all know this from driving. The automatic capture of all license plates (personal data) through optical character recognition affects the right to informational self-determination. To meet the high protection requirements for approval, even the only Section Control speed enforcement system still in operation in Germany was shut down. Although the character strings of license plates were encrypted and anonymized, and even when no speeding violations were detected between measurement points and the data was immediately deleted so that no conclusions could be drawn about the vehicle or driver, implementation in Germany is not feasible. Regardless of one’s opinion, the question arises: what is the difference with the maritime situational picture when detecting and storing objects (ships, boats, submersibles)? One might point to AIS – yes, there is also data storage. However, ships voluntarily switch on their AIS transponders in order to be detected and identified – that is the very purpose of the system. For AIS refusers, such as “shadow fleets,” this approach is insufficient; therefore, electromagnetic, optical, acoustic, and other sensor data must be applied, stored, and combined.
Why then are we recorded with our license plates in a supermarket parking lot or even with facial recognition inside the store, and why is our data stored there? Because in those cases, we have the choice not to enter the parking lot or the supermarket – it is not a public space.
For public authorities, freedom of information and data protection are in a natural state of tension. Environmental information, data usage, and freedom of information laws could now be amended or repealed during this legislative period, thereby further complicating legislative evaluation and depriving differing interests of legally secured weight. The E-Government Act (EGovG) must also be considered with §§12/12a regarding requirements for the provision of data, scope of use, and terms of use for data collection and exchange. According to §12a(6) EGovG (federal law), data retrieval must allow unrestricted reuse by anyone. On the other hand, for example, in state law such as the EGovG Schleswig-Holstein, § 8(6) explicitly regulates reuse. Accordingly, data under §1 of the Information Reuse Act of December 13, 2006 (BGBl. I p. 2913), which are part of the basic services (§8(1) EGovG SH) such as data analysis, categorization, sorting, transmission, and evaluation in specialist applications, may not be reused unless other legal provisions allow it. Violations constitute an administrative offense (§10 EGovG SH). Even the Federal Police, under the Federal Police Act (BPolG), are not permitted to carry out nationwide automatic license plate recognition under §27b without specific cause.
How then may high-value datasets, under the Data Usage Act, be treated and exchanged as traffic data (geospatial/mobility) at sea when even legal experts cannot rely on consistent case law? Who would willingly collect and share maritime data in Germany under these conditions? Are we allowed, for example, to combine “Internet of Animals” data with security-relevant data to improve a situational picture? How are copyright aspects to be assessed? How can we act in the field of KRITIS if data collection, processing, and transmission always imply a legal violation?
Technical solutions for a maritime situational picture addressing KRITIS exist, but a clear legal directive for situational picture creation is required. Political and legal – not technical – discussions and results are what can protect KRITIS. That is the main challenge for both federal and state authorities.
Author:
Dr. Ivor Nissen, Rickert