The X-Men movies feature Professor X’s Cerebro device, which amplifies the power of telepathic mutants, allowing them to find other mutants anywhere in the world. In X-Men: First Class, Professor X and Magneto collaborate with the US government to assemble a team of mutants. Although the movie is set in the early 1960s, Cerebro (nowadays called Cerebra) is also used in stories set in the modern day. What’s more, it’s used to collect information on mutants around the world. This caught the attention of Law and the Multiverse reader Mathias Ullrich, who wrote a great guest post on the subject using First Class as an example:
A data-protection consideration of Prof. Xavier’s recruiting methods according to German law
When reading the article about the responsibility of Prof. Xavier as the principal of a full time school some weeks ago, I started wondering about Prof. Xavier’s way of recruiting. As a data protection officer in Germany, my attention turns to data protection concerns.
As I’m not so familiar with the X-Men, I’ll stick to the movie X-Men: First Class. To analyze the whole process, I divide it into the different relevant steps:
1) data acquisition by telepathy
2) merging the data with another database (e.g. the CIA database) in order to get real addresses
3) offering specific services
4) deletion / blocking of the personal data
Some basics about the German data protection law: The German implementation of the European Data Protection Directive (“Directive 95/46/EC”) is one of the strictest implementations in Europe and is probably the strictest data protection law in the world. It’s called the “Bundesdatenschutzgesetz” or BDSG in short. In general it says that data processing of personal data is forbidden, unless there is an authorization of it in either the BDSG or other laws. So every data acquisition and processing needs an authorization.
Is German law applicable?
The first question we need to answer is if German law applies, when somebody in the world is acquiring customer data. The answer is quite simple: if there is an acquisition of personal data from German citizens, then German law can be used. This is similar to the discussions regarding Google Analytics or Facebook.
What kind of organization are the X-Men?
As stated in a recent blog post, Xavier’s School is a private school.
Step 1: the acquisition
When Professor Xavier searches for mutants, he is gathering data about the health status and some other information about potential students. Health status is one of the so-called “special kinds” or sensitive kinds of personal data according to §3 Abs. 9 BDSG, alongside racial and ethnic origin, political or religious belief and some more.
Acquiring and processing these kinds of personal data has some special rules. As said before, the German data protection law forbids unauthorized data processing, so we need to find permission.
From the reaction of the mutants visited by Magneto and Professor X, I assume none of them gave permission for acquiring the data. So I would also say that Professor X did not inform the people concerned about the concrete use of the data. This is mandatory. It is illegal to acquire data without the knowledge of the person concerned (§33 Abs. 1 BDSG).
Let’s go back to the acquisition. In §28 Abs. 6f and 9 BDSG we find the exceptions.
It’s possible to acquire these data without an explicit permission, if
- it is vital to the person concerned and he / she is not able to give the permission (§28 Abs 6, Nr. 1 BDSG)
- the data has been made public by the person concerned (§28 Abs 6, Nr. 2 BDSG)
- the data is necessary for a legal transaction (§28 Abs 6, Nr. 3 BDSG)
- the data is necessary for medical research, if this research cannot be done without (§28 Abs 6, Nr. 4 BDSG)
- the data is necessary for medical care, if the acquisition is made by a doctor or somebody else with an obligation to confidentiality (§28 Abs 7 BDSG)
- the acquisition is made by a political, philosophic or religious organization without financial interest, but only for their members or associated people.
I do not think any of these exceptions apply. That means that the acquisition of the health status of the possible new students is illegal according to German law.
Step 2: the merging
After acquiring the data, I assume Professor X needs to get information about the new students he wants to visit. Therefore, he merges the data with some database; according to the movie, it might be a CIA database. Here we have the exact same circumstances as in step 1, with just one more exception.
§28 Abs. 8 BDSG says that processing or transmitting sensitive data is allowed if it is needed for the defense of public safety.
Of course, thinking about maniacs who try to take over the world, the merging sounds legit, but the merging did not fight a concrete danger. It is more a “long term” investment. Unfortunately the acquisition of the data is still illegal and where did the CIA get data about European citizens? But that is another question, which will not be answered here.
So, the merging might be legal, because of the exception for defense of public safety.
Quick note: §28 Abs. 8 BDSG only allows the processing or transmitting of data, not its acquisition.
Step 3: the offering
The last step is the personal visit to the possible new student in order to offer a personal service, in this case a place in Professor X’s private school.
As this is just data processing again, the same legislation applies as in step 2. So, maybe it’s legal because of the defense exception, but that needs to be discussed.
Step 4: blocking and / or deletion of data?
In German data protection law, no data should be stored forever. As soon as the purpose of the data has expired, the data needs to be deleted (§35 Abs. 2 BDSG) or at least blocked.
When looking at the reaction by Wolverine, visited by Magneto and Professor X, one can assume that the purpose is expired, as Wolverine seems not to be interested in the offer. As we know, since Wolverine joins the X-Men later, the data may be blocked and not deleted.
Let’s check the terms for blocking instead of deleting, which are stated in §35 Abs 3 BDSG. Blocking data is allowed,
- if there are any laws or other legal issues that prohibit the deletion
- if it can be assumed that a deletion would affect the interests of the person concerned
- if the deletion is not possible or only possible with high effort because of the special way of storing the data
Again I do not think any of the exceptions apply. The data must be deleted, not blocked, at least as far as we are talking about a real database (e.g. the CIA one). If Professor X keeps the information in his mind, this is not affected by German data protection law.
Of course, there are a lot of unanswered questions, which make a final analysis quite difficult. Is telepathy acquisition of personal data and does German law apply here at all? Where is the data stored and how?
Besides that, the conclusion is quite simple. The acquisition was not legal, so every step beyond the first one, such as the uses of the data from step 1, was illegal as well. According to §43, Abs. 2 Nr. 1 this is an administrative offense, with a penalty of up to 300,000 Euro in each case.
Using §1 BDSG as an example:
- ‘§’ or ‘Paragraf’ means paragraph in English; in this context it is translated as ‘section’.
- ‘Abs.’ is the abbreviation for ‘Absatz’. In this context it is ‘subsection’. In the example an ‘Absatz’ is marked by the brackets.
- The next one is Nr. (‘Nummer’), which means number. It is the next subsection, and in the example it is marked by the normal ‘1.’
- ‘Satz’ means sentence; when referring to a concrete sentence of the text, one uses ‘Satz’.