Cerebro and Privacy Laws

The X-Men movies feature Professor X’s Cerebro device, which amplifies the power of telepathic mutants, allowing them to find other mutants anywhere in the world.  In X-Men: First Class, Professor X and Magneto collaborate with the US government to assemble a team of mutants.  Although the movie is set in the early 1960s, Cerebro (nowadays called Cerebra) is also used in stories set in the modern day.  What’s more, it’s used to collect information on mutants around the world.  This caught the attention of Law and the Multiverse reader Mathias Ullrich, who wrote a great guest post on the subject using First Class as an example:

A data-protection consideration of Prof. Xavier’s recruiting methods according to German law

When reading the article about the responsibility of Prof. Xavier as the principal of a full time school some weeks ago, I started wondering about Prof. Xavier’s way of recruiting. As a data protection officer in Germany, my attention turns to data protection concerns.

As I’m not so familiar with the X-Men, I’ll stick to the movie X-Men: First Class. To analyze the whole process, I divide it into the different relevant steps:

1) data acquisition by telepathy

2) merging the data with another database (e.g. the CIA database) in order to get real addresses

3) offering specific services

4) deletion / blocking of the personal data

Some basics about the German data protection law: The German implementation of the European Data Protection Directive (“Directive 95/46/EC”) is one of the strictest implementations in Europe and is probably the strictest data protection law in the world. It’s called the “Bundesdatenschutzgesetz” or BDSG for short. In general it says that processing of personal data is forbidden unless it is authorized by either the BDSG or other laws. So every data acquisition and processing needs an authorization.

Is German law applicable?

The first question we need to answer is whether German law applies when somebody anywhere in the world is acquiring customer data. The answer is quite simple: if there is an acquisition of personal data from German citizens, then German law can be used. This is similar to the discussions regarding Google Analytics or Facebook.

What kind of organization are the X-Men?

As stated in a recent blog post, Xavier’s School is a private school.

Step 1: the acquisition

When Professor Xavier searches for mutants, he is gathering data about the health status and some other information about potential students. Health status is one of the so-called “special kinds” or sensitive kinds of personal data according to §3 Abs. 9 BDSG, alongside racial and ethnic origin, political or religious belief and some more.

Acquiring and processing these kinds of personal data has some special rules. As said before, the German data protection law forbids unauthorized data processing, so we need to find permission.

From the reaction of the mutants visited by Magneto and Professor X, I assume none of them gave permission for acquiring the data. So I would also say that Professor X did not inform the people concerned about the concrete use of the data. This is mandatory. It is illegal to acquire data without the knowledge of the person concerned (§33 Abs. 1 BDSG).

Let’s go back to the acquisition. In §28 Abs. 6f and 9 BDSG we find the exceptions.

It’s possible to acquire these data without an explicit permission, if

– it is vital to the person concerned and he / she is not able to give the permission (§28 Abs 6, Nr. 1 BDSG)

– the data has been made public by the person concerned (§28 Abs 6, Nr. 2 BDSG)

– the data is necessary for a legal transaction (§28 Abs 6, Nr. 3 BDSG)

– the data is necessary for medical research, if this research cannot be done without (§28 Abs 6, Nr. 4 BDSG)

– the data is necessary for medical care, if the acquisition is made by a doctor or somebody else with an obligation to confidentiality (§28 Abs 7 BDSG)

– the acquisition is made by a political, philosophic or religious organization without financial interest, but only for their members or associated people.

I do not think any of these exceptions apply. That means that the acquisition of the health status of the possible new students is illegal according to German law.

Step 2: the merging

After acquiring the data, I assume Professor X needs to get information about the new students he wants to visit. Therefore, he merges the data with some database; according to the movie, it might be a CIA database. Here we have the exact same circumstance as in step 1, with just one more exception.

§28 Abs. 8 BDSG says that processing or transmitting sensitive data is allowed if it is needed for defense of public safety.

Of course, thinking about maniacs who try to take over the world, the merging sounds legit, but the merging did not fight a concrete danger. It is more a “long term” investment. Unfortunately the acquisition of the data is still illegal and where did the CIA get data about European citizens? But that is another question, which will not be answered here ;-)

So, the merging might be legal, because of the exception for defense of public safety.

Quick note: §28 Abs. 8 BDSG only allows the processing or transmitting of data, not its acquisition.

Step 3: the offering

The last step is the personal visit to the possible new student in order to offer a personal service, in this case a place in Professor X’s private school.

As this is again just data processing, the same legislation applies as in step 2. So, maybe it’s legal because of the defense exception, but that needs to be discussed.

Step 4: blocking and / or deletion of data?

 In German data protection law, no data should be stored forever. As soon as the purpose of the data has expired, the data needs to be deleted (§35 Abs. 2 BDSG) or at least blocked.

When looking at the reaction of Wolverine when visited by Magneto and Professor X, one can assume that the purpose has expired, as Wolverine seems not to be interested in the offer. Since, as we know, Wolverine joins the X-Men later, the data may be blocked and not deleted.

Let’s check the terms for blocking instead of deleting, which are stated in §35 Abs 3 BDSG. Blocking data is allowed,

– if there are any laws or other legal issues that prohibit the deletion

– if it can be assumed that a deletion would affect the interests of the person concerned

– if the deletion is not possible or only possible with high effort because of the special way of storing the data

Again I do not think any of the exceptions apply. The data must be deleted, not blocked, at least as far as we are talking about a real database (e.g. the CIA one). If Professor X keeps the information in his mind, this is not affected by German data protection law.

Conclusion

Of course, there are a lot of unanswered questions, which make a final analysis quite difficult. Is telepathy acquisition of personal data and does German law apply here at all? Where is the data stored and how?

Besides that, the conclusion is quite simple. The acquisition was not legal, so every step beyond the first one, such as the uses of the data from step 1, was illegal as well. According to §43, Abs. 2 Nr. 1 this is an administrative offense, with a penalty of up to 300,000 Euro in each case.

Translation guide

 Using §1 BDSG as an example:

– ‘§’ or Paragraf means paragraph in English; in this context it is translated to ‘section’.

– ‘Abs.’ is the abbreviation for ‘Absatz’. In this context it is ‘subsection’. In the example an ‘Absatz’ is marked by the brackets.

– The next one is Nr. (‘Nummer’), which means number. It is the next subsection, and in the example it is marked by the normal ‘1.’

– ‘Satz’ means sentence; when referring to a concrete sentence of the text, one uses ‘Satz’.

 

29 Responses to Cerebro and Privacy Laws

  1. It might have been legal in the United States in 1963 but depending on how you view Cerebra it might have been made illegal by the 1967 Katz vs. United States decision. I can’t think of anywhere that U.S. law gives a greater expectation of privacy than your own mind.

  2. Is Cerebro(a) just interpreting publicly available information individuals inherently broadcast or is it going beyond what people spontaneously provide?

    • The basics of it seem to be some kind of low level continuous information broadcast, or something even more passive that anybody with an appropriate sense can detect. Xavier seems to detect mutants with Cerebro in much the same way others use their vision to see the people around them. The system seems to act more as a telescope for Xavier’s already substantial powers, but I wouldn’t say it’s any worse than using a telescope and looking down the street or a public park.

      • A telescope usually can’t detect whether or not someone has A.I.D.S. and also (usually) can’t penetrate walls to see them in places where they have every expectation of privacy. Xavier can use Cerebro to do both those things and also to retain the data which is another thing that a telescope (again, usually) can’t do. He does all this without anything resembling oversight or accountability.

      • Todd Gardiner

        The telescope is a metaphor, Gyre.

        Prof X. can do these things on his own. He just does not have worldwide range until he uses Cerebra/o.

      • The point is still that Cerebro is a device that allows him to easily invade another person’s privacy much the same as an electronic listening device would for an F.B.I. agent. It does not have the limitations a telescope would that would make it difficult for him to use it to invade another person’s privacy.

      • Mathias Ullrich

        Interesting question, but there is a definition of ‘public available data’ made by the ‘Bundesverfassungsgericht’ (highest court in Germany) back in 1969. It says that public available data needs to come from a source that is technically suitable and intended to provide data to everyone (e.g. telephone directory).

  3. “The answer is quite simple: if there is an acquisition of personal data from German citizens, then German law can be used.”
    I don’t think so. A German court will have trouble obtaining personal jurisdiction over a person who has never been in Germany. A German injunction would be pretty meaningless to Prof. Xavier (who is not German, does not reside in Germany, and does not operate a business with presence in Germany), and I don’t think any kind of money judgment would be enforceable against assets not located in Germany.

    • You’re assuming that German law has the same personal jurisdiction requirement that the US does. I have no idea whether it does or not. The rest of your point (about the enforceability of the judgment) is definitely fair, though.

      It could put a damper on any plans for “Xaviers Schule für begabte Jugendliche”, though.

      • James Pollock

        “You’re assuming that German law has the same personal jurisdiction requirement that the US does.”
        Well, yeah, I am, but for good reason… the reason that the requirement for personal jurisdiction exists. What mechanism has Germany to enforce its law on people who are neither German nor in Germany? I suppose that Germany could extend its reach via treaty… as it undoubtedly has throughout the EU… but if they’re trying to reach Charles X. in New York, it isn’t the German police that are going to pinch him, and Charles’ lawyer WILL be making the argument that a requirement of personal jurisdiction still applies to Americans in America.
        (Of course, at various times in the continuity, Charles has retreated beyond even that tenuous possibility of being haled into court; I don’t think that the German courts have much sway in Lilandra’s Imperial Shi’ar court.)
        Are any of Charles’ students besides Nightcrawler German?

      • Some nations have laws that allow people to be tried even if the crimes committed were in another nation (though there are few of these). In any case Germany presumably could make an extradition request to the U.S. and unless Xavier was doing some major favors for the country the U.S. would probably be nervous enough about his powers to agree.

      • Todd Gardiner

        The telescope is a metaphor.

        Prof X. can do these things on his own. He just does not have worldwide range until he uses Cerebra/o.

  4. I believe Charles would argue that this exception applies:
    “- the acquisition is made by a political, philosophic or religious organization without financial interest, but only for their members or associated people.”
    Charles would argue that he collects information about mutants (in particular, in newly-emerged/emerging mutants) for a philosophic, philanthropic purpose from which he does not make financial gain, and in fact, in which he has contributed his family fortune.

    • That is an interesting point, but I think the “only for their members or associated people” would block that. Of course, Charles might argue that mutants are members of that organization by fact of being part of that sub-species. But that would likely fail as the intent of the law seems pretty clearly to refer to people who intentionally became members.

      • John McMullen

        Hmmm. In the various legal systems–not just Germany–is there a provision for identifying and providing succor to a member of a group that might be persecuted? In other words, if a person is a member of a persecuted group, such that it is not unreasonable for such a person to admit his or her membership for reasons of safety, can you take actions on their behalf? The real-world example would be any group that is targeted.

        So, in other long-winded words, could the illegality of Professor Xavier’s search techniques (that the members of the group have not publicly declared themselves to be members) be trumped by the danger that exists for the group?

        Forgive me for being an ignoramus, but there must be a hierarchy of laws, in the consideration of the Supreme Court if nowhere else. If A and B conflict, there must be principles that they use to decide which is the more useful law to uphold.

      • “Forgive me for being an ignoramus, but there must be a hierarchy of laws, in the consideration of the Supreme Court if nowhere else. If A and B conflict, there must be principles that they use to decide which is the more useful law to uphold.”

        No need for forgiveness; it’s a very reasonable question. I have no idea how Germany does it, but in the US there are a few general rules. First, federal laws trump state laws and the Constitution trumps both, per the Supremacy Clause. Second, newer laws tend to trump older ones. Third, more specific laws tend to trump more general laws.

        That said, courts will try to avoid holding that a newer law implicitly repealed an older law simply because they can be interpreted as conflicting. Repealing a law usually requires an explicit statement by the legislature (e.g. “The XYZ Act is hereby repealed” or “Section 2 now says thus and so”).

  5. There’s also the small matter of the CIA most likely not caring whether the merging/acquisition of the data was legal. This is an organization that, from an outsider’s perspective, mostly seems to care about the legality of what they get caught doing, rather than the legality of what they’re doing.

    After all, a significant portion of their job involves getting people to violate the laws of their home nations in order to collect intelligence for the US government.

    • Doing it in the U.S. would raise more than a few eyebrows. Even the F.B.I. doesn’t have that much authority without even a court order.

  6. John McSorley

    In danger of being silly here but could an argument be made that
    ‘the data is necessary for medical research, if this research cannot be done without’ applies?
    Bear with me here. The existence of ‘mutations’ is an emergent planetary phenomenon with potentially serious consequences. For all sorts of reasons. In order to establish this data must be collected and subjected to epidemiological analysis. This data must be collected and retained over time in order to identify many factors including but not limited to
    1) percentage prevalence in a population
    2) racial profile (globally and in certain areas)
    3) environmental correlations (how many are born near site…)
    4) mortality rates (do mutants die young or live forever)

    there are lots more. Thing is IF you think this information is worth having and IF you cannot easily get the information another way then this makes it all ok to keep this information? Up to and including retaining unique identifiers so strange mutations (ie Multiple Man(is he a mutant?) or perhaps immortal wanderers around the globe (Wolverine)) do not cause false data spikes.

    Of course you still fall foul of collecting data without consent so that argument may be moot but still wonder if people would buy it.

    • James Pollock

      You can collect epidemiological data without using personally identifying data. Not so with Marvel mutants, as each mutation seems to be more-or-less unique (there is some duplication, but not much.) More recently, I understand they were something of an endangered species.
      (P.S. Multiple Man is a mutant, but, contrary to the movie mythology, Juggernaut isn’t.)

  7. Melanie Koleini

    When I read through the list, I immediately thought the health research exception might apply.

    I think the “it is vital to the person concerned and he / she is not able to give the permission (§28 Abs 6, Nr. 1 BDSG)” exception might apply also.

    In addition to health research, the people themselves have a rare medical condition that their personal doctors probably have no experience with. Even if they don’t want to join Prof X’s school, I imagine most of them are glad to know of at least one person in the world that may be able to help if their powers go out of control.

  8. Mathias, thank you for providing the post. It is interesting and nice to have a perspective on German Law.

  9. When was that German law passed? Is it after the time setting of the movie, if so how can it apply?

    • The law was passed after the movie is set, but the purpose of the post is to apply the law using a well-known example. There are similar modern-day examples throughout the X-Men comic books, they’re just not as well-known to any given reader of the blog.

    • At the least they could say ‘this law will prohibit you from doing this sort of thing to citizens of Germany after this law was passed’.

    • Mathias Ullrich

      BDSG was passed 1st of January, 1978. So it wouldn’t apply to the movie, but as James said, I tried to show the current state of German privacy law with the example of First Class.

  10. Wouldn’t the exception, “The data is necessary for medical care, if the acquisition is made by a doctor or somebody else with an obligation to confidentiality (§28 Abs 7 BDSG)” apply? Marvel’s character biography indicates that an MD (as a psychiatrist) is among Xavier’s qualifications, and one of his main goals in finding these mutants is to teach them how to deal with their abilities, both practically and psychologically, which I would expect would qualify. That is, his purposes for obtaining the data are, at least post-First Class, primarily therapeutic and it doesn’t seem as though he runs around divulging Cerebro/a data to anyone who isn’t an employee of the XSfGY.

    Though the First Class case is, obviously, probably illegal, as the CIA was, until such time as Xavier apparently wiped everybody’s memories of it, aware of those Xavier had tracked down, not bound by confidentiality (the right sort, anyway) and not specifically concerned with medical/psychological care of them, I suspect that most of the recruiting Xavier does for the school itself might shake out to be fairly kosher given his focus on their mental well-being and instruction on how to fit into society without accidentally blowing people up sometimes (an uncomfortably broad argument for public defense). Depending on the specific villain, even some of his X-Men operations-centric data collection might qualify, given his attempts to help even those bad guys.

  11. Just as a note on translation, I copy edit a fair amount of material by authors who are not native English speakers; scientific publishing is a very international enterprise. One of the things I have learned to watch out for is that native speakers of European languages often use the word “paragraph” to mean what a native English speaker would call a “section.” I have concluded that the cognate words in some languages (such as “Paragraf,” cited in translator’s notes) are what the French call faux amis: words with the same origin but divergent meaning.

    In English, each of the blocks of text that make up this comment is called a “paragraph.” A larger unit of prose that contains two or more blocks of text can never be called a “paragraph.” This suggests that the German word “Paragraf” does not, or does not always, mean “paragraph”—that sometimes it means “section.” It’s to the translator’s credit that they chose the right English word.
